wannacry | f31ffc12e2212bd27a5e636aa3667451fe1772bea79cf411eea54b84ac31f107

Analysis

max time kernel
322s
max time network
319s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yfga_game.exe
Size

10.9MB
MD5

f24b9a4537d2cf5cd04db5ef80453dd8
SHA1

69b201dd4b919afbb4bbe3a19e3e80097e2813bc
SHA256

f31ffc12e2212bd27a5e636aa3667451fe1772bea79cf411eea54b84ac31f107
SHA512

84936e358accff1767411b019639741ed051e7102a2ebde8bc6e74f87adc3e3f36495538ff53edd181eb9e48256a373f0e06da65ce0824680ff631fe09db90f1
SSDEEP

196608:Zw81jWusNrPGC0ePjqHbUjHicQskqPe1Cxcxk3ZAEUadzR8yc4ghrl:O8tWhTr0eqgDiDjqG1Fxk3mEUadzRURH

Score

10^/10

wannacry aspackv2 defense_evasion discovery evasion execution exploit impact persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

WbVhxCIDDK.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WbVhxCIDDK.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Blocklisted process makes network request 7 IoCs

Processes:

walliant.exe

flow pid process

9 2920 walliant.exe
12 2920 walliant.exe
14 2920 walliant.exe
15 2920 walliant.exe
19 2920 walliant.exe
22 2920 walliant.exe
23 2920 walliant.exe

flow	pid	process
9	2920	walliant.exe
12	2920	walliant.exe
14	2920	walliant.exe
15	2920	walliant.exe
19	2920	walliant.exe
22	2920	walliant.exe
23	2920	walliant.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 52 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	attrib.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	attrib.exe

Possible privilege escalation attempt 5 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

400 takeown.exe
2680 icacls.exe
2720 takeown.exe
2724 icacls.exe
5760 icacls.exe

pid	process
400	takeown.exe
2680	icacls.exe
2720	takeown.exe
2724	icacls.exe
5760	icacls.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\screenscrew.exe	aspack_v212_v242
\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\flasher.exe	aspack_v212_v242

Drops startup file 2 IoCs

Processes:

wannacryptor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA2B3.tmp	wannacryptor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA2C8.tmp	wannacryptor.exe

Executes dropped EXE 26 IoCs

Processes:

screenscrew.exeflasher.exewalliant.exejokewarehydra.exewalliant.tmpwalliant.exewin7recovery.exeWbVhxCIDDK.exeprogramoverflow.exeuseroverflow.exewannacryptor.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]taskdl.exetaskse.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
2128	screenscrew.exe
2864	flasher.exe
2788	walliant.exe
2952	jokewarehydra.exe
2580	walliant.tmp
2920	walliant.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
2112	programoverflow.exe
2364	useroverflow.exe
5480	wannacryptor.exe
5668	taskdl.exe
5840	@[email protected]
5816	@[email protected]
6040	taskhsvc.exe
1476	@[email protected]
4756	taskdl.exe
4312	taskse.exe
5888	@[email protected]
4416	@[email protected]
1228	@[email protected]
5920	@[email protected]
2568	@[email protected]
6484	@[email protected]
2176	@[email protected]
5016	@[email protected]

Loads dropped DLL 64 IoCs

Processes:

cmd.execmd.exewalliant.exewalliant.tmpwalliant.exewin7recovery.exewannacryptor.execscript.execmd.exe@[email protected]taskhsvc.exemmc.exeexplorer.exe

pid	process
2096	cmd.exe
2096	cmd.exe
2096	cmd.exe
2096	cmd.exe
2096	cmd.exe
2700	cmd.exe
2788	walliant.exe
2580	walliant.tmp
2580	walliant.tmp
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2096	cmd.exe
2096	cmd.exe
2432	win7recovery.exe
2432	win7recovery.exe
2920	walliant.exe
2920	walliant.exe
2920	walliant.exe
2096	cmd.exe
2096	cmd.exe
2096	cmd.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
6128	cscript.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
5644	cmd.exe
5840	@[email protected]
5840	@[email protected]
6040	taskhsvc.exe
6040	taskhsvc.exe
6040	taskhsvc.exe
6040	taskhsvc.exe
6040	taskhsvc.exe
6040	taskhsvc.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
3092	mmc.exe
3092	mmc.exe
5480	wannacryptor.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
5480	wannacryptor.exe
5480	wannacryptor.exe
5480	wannacryptor.exe

Modifies file permissions 1 TTPs 5 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5760 icacls.exe
400 takeown.exe
2680 icacls.exe
2720 takeown.exe
2724 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5760	icacls.exe
400	takeown.exe
2680	icacls.exe
2720	takeown.exe
2724	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2432-1697-0x0000000000600000-0x0000000000678000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

walliant.tmpwin7recovery.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\walliant.exe"	walliant.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\WbVhxCIDDK = "C:\\ProgramData\\WbVhxCIDDK.exe"	win7recovery.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\loxtqdbrvjwnha527 = "\"C:\\Users\\Admin\\Desktop\\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 53 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	attrib.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 64 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\it-IT\diskcopy.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\vdswmi.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ntlanman.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NM40J.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx008.inf_amd64_neutral_75545721835fd863\Amd64\LXX852e.gpd	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OKML280E.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr008.inf_amd64_neutral_27d1c9a28eac4eed\Brmf3wia.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\onex.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WWanAPI.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\rshx32.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\msclmd.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\arc.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\prnts003.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Special_Characters.help.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Dism\TransmogProvider.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\mdmetech.PNF	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpn5150t.exp	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\faxcn002.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\DriverStore\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\NetworkExplorer.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\BRDP669W.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\MMDevAPI.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\els.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\dhcpsapi.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Foreach.help.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDSG.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR1D.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR4110N.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\DevicePairingProxy.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\wecsvc.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYKC3920.PPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\mchgr.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\dpnsvr.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\rasphone.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDGR1.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\dc21x4vm.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net1qx64.inf_amd64_neutral_85d10fa4c777b7be	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\fdc.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\OnLineIDCPL.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\netiohlp.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremium\license.rtf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pssessions.help.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\qasf.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\nvraid.sys	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientEnterprise~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cfgbkend.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Dism\ja-JP\LogProvider.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pssessions.help.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\NlsData0003.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\termmgr.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPMCPDP5.XML	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\bthprint.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\wiaacmgr.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\extrac32.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\hr-HR\comdlg32.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\Amd64\KYLJ2050.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\LXKXL.INI	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok302.inf_amd64_ja-jp_708c81a8b0ad8846\Amd64\OK84SU2.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\hiddigi.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\l2gpstore.mfl	attrib.exe
File opened for modification	C:\Windows\SysWOW64\NetworkList	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exewannacryptor.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\System32\\FeatureToastBulldogImg.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wannacryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115856.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME34.CSS	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02024_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale	attrib.exe
File opened for modification	C:\Program Files\Windows Journal\jnwdui.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME53.CSS	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239079.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCESS12.ACC	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft	attrib.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47B.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.XML	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	attrib.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00423_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OUTGOING.ICO	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02950_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0252669.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OWSHLP10.CHM	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\WMPMediaSharing.dll.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	attrib.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-devtools_31bf3856ad364e35_8.0.7601.17514_none_b4855976cd77e0e5\iedvtool.dll	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-n..ssprotection-common_31bf3856ad364e35_6.1.7601.17514_none_b66cf384dd65af18.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-p..onhandler.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8484c57513d9ec1f.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_iirsp.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d129177908bdbdbb	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..r-name-ui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a2020e67811e5799	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\EditAppSetting.aspx.de.resx	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_de-de_232511ce36fb2453\radardt.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_27477f891e9578c7.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-ieframe-optional_31bf3856ad364e35_8.0.7601.17514_none_6868230067ee389f.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d1240af48795ef12\service.js	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7601.17514_en-us_24ed79dc1fb87ac6\WinSyncMetastore.rll.mui	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelOperationPerfCounters.reg	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..otewriter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e98bf0d67ffe614b\PDIALOG.exe.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_ac9edb6e6b20299f_comdlg32.dll.mui_ac8e62f4	attrib.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_microsoft.net_framework_v2.0.50727_1033_7994eb100abd5435.cdf-ms	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_ds-ui-ext.resources_31bf3856ad364e35_6.1.7600.16385_it-it_06d5ccbade1bb344.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_en-us_6bee5650fc70848c	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7972be107f211c50.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.1.7601.17514_none_cc8e3aee0e6a74a7\eappprxy.dll	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~cs-CZ~7.1.7601.16492.cat	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-15.htm	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-powercfg.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2772236176fd0992\powercfg.cpl.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp005.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2c43d5d021a1f82a\hp6000nt.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d..rformance.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_382db345a4640804.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..installer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1387da270600234\nci.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..style-layeredtitles_31bf3856ad364e35_6.1.7600.16385_none_4ad2978b8b3ac8b2\203x8subpicture.png	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-s..ing-shell-extension_31bf3856ad364e35_6.1.7600.16385_none_70cb731d72554e78\wshext.dll	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\wmiutils.dll	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_msclmd.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cca864bace44c96e	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-healthcenter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4b12ec4d108bbd33\ActionCenter.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_wialx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_eb2ce7e34f312d8e\wialx002.inf_loc	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_de-de_75a5d492b9d7cd2f_mfc42.dll.mui_66106d85	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a17bed893abd659b\tracerpt.exe.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-b..xthandler.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3dc94954b35ae06a.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d4183db432a5f29d.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..component.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c120864275ad1b7e.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ba1385d2118223fb.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a0087dbe94df0997	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8f806b09c12909ee	attrib.exe
File opened for modification	C:\Windows\inf\prnlx00c.inf	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00010439_31bf3856ad364e35_6.1.7601.17514_none_ec1262db6b20d21f\KBDINHIN.DLL	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_umpass.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_545819bf547411fd\umpass.inf_loc	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f1407637cb533c29_certcli.dll.mui_1b6822cf	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_ql40xx2.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_cf93bc3f25521604.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-ctl3d32_31bf3856ad364e35_6.1.7600.16385_none_c9ff3c8bb5743542	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_wiasa002.inf_31bf3856ad364e35_6.1.7600.16385_none_bfa404db77af1a41\SA4x26.icc	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-diskmgt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_26c619b7a86aeeca\diskmgt.h1s	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ty-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f359d9cdd377c00c\mstask.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Catalogs\961f8dadf7d3436cacbdea9d0bbcf09741f47167ab1a73b257b5cc42157cbc7b.cat	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-smbserver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dcc7a7bfada520d0	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-rasctrs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_264375172c48afbe	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-bowser.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_72e81a7d2434568c.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-setupcl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f60f2fdd00cfdcbd.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-deviceux.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fa414d71841d3215	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_df232de45e87f7d4	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c7b6802cf89cd43	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\highDpiImageSwap.js	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_system.web.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_373063ebeb6077fa.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-mail-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2910e5c8d6515930.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit-mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_67c9f83eb489d9da.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-winre-recoverytools_31bf3856ad364e35_6.1.7601.17514_none_d7553e5fcf6b6373\ReAgentc.exe	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9fd175b2c5dc3ae9	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

5492 timeout.exe
2876 timeout.exe
2752 timeout.exe
2164 timeout.exe
1100 timeout.exe
2184 timeout.exe
2344 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

6176 vssadmin.exe

pid	process
5492	timeout.exe
2876	timeout.exe
2752	timeout.exe
2164	timeout.exe
1100	timeout.exe
2184	timeout.exe
2344	timeout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
6176	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1700	taskkill.exe
1476	taskkill.exe
1616	taskkill.exe
4664	taskkill.exe
4308	taskkill.exe
2772	taskkill.exe
2524	taskkill.exe
1388	taskkill.exe
3752	taskkill.exe
3100	taskkill.exe
3508	taskkill.exe
5028	taskkill.exe
5568	taskkill.exe
2272	taskkill.exe
2248	taskkill.exe
1768	taskkill.exe
3276	taskkill.exe
2248	taskkill.exe
3664	taskkill.exe
4088	taskkill.exe
568	taskkill.exe
4448	taskkill.exe
4508	taskkill.exe
2040	taskkill.exe
2648	taskkill.exe
4960	taskkill.exe
1180	taskkill.exe
1716	taskkill.exe
3188	taskkill.exe
3192	taskkill.exe
5060	taskkill.exe
5844	taskkill.exe
1388	taskkill.exe
3712	taskkill.exe
3728	taskkill.exe
4164	taskkill.exe
5524	taskkill.exe
2892	taskkill.exe
2148	taskkill.exe
3864	taskkill.exe
1764	taskkill.exe
4260	taskkill.exe
5380	taskkill.exe
448	taskkill.exe
5136	taskkill.exe
2684	taskkill.exe
284	taskkill.exe
3712	taskkill.exe
2428	taskkill.exe
3976	taskkill.exe
5800	taskkill.exe
2804	taskkill.exe
3924	taskkill.exe
4100	taskkill.exe
5132	taskkill.exe
1876	taskkill.exe
1792	taskkill.exe
1476	taskkill.exe
4976	taskkill.exe
4192	taskkill.exe
1600	taskkill.exe
2816	taskkill.exe
3660	taskkill.exe
3884	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeexplorer.exeIEXPLORE.EXEwin7recovery.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000930ed985b08cdd4cb38e38023150682b00000000020000000000106600000001000020000000959d1f14fd8453acf9127034c96444790d7cc0bebf6b6628b32371ed560c00bd000000000e8000000002000020000000f60eaa239478a40a5dccc673d7d99e17705473004e8864afe7f0375334e5db5c20000000bf0c8a3ee02619d5385ee007b684540ec16346b29b928f248df6a133bd8dd49240000000e3b7a5e553e96af5bfd3895e295d611d88115dd1865d7f435b345502b462e77f99cc318e939d75bb75438b77f7e1a7e72099c89f41644df74d82abca137920e5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	win7recovery.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427196101"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\International\CNum_CpCache = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ff56f295d6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\International	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000930ed985b08cdd4cb38e38023150682b000000000200000000001066000000010000200000006e335652d0c4606f9ca890a8898dd49b4b08bf92b9b0d6a89cfa8c82b7437204000000000e800000000200002000000092799f4ae89dc5cb23629bf209c76ad3d4b6151d27d6812e506bd0e6b3413fa390000000a5c1151382d58929867216e22b1957bbdd0593f73cf7e099253963b71be2be0d743c2a1470779752af2b74c1e2d3c681a3a02a10d33fb343ed3d60604316c6fe7d6f79e84b62fa648609961cb9064f9fb8e5cb1d1b53ca7f26236f0bbe736745ce0b5ff738557d3852d5769aa35a04bc0234bcf27a9131e1df464ccee2f4d05b74c43679f6915ca70717216bc1ad7eea40000000fbb1e8087e78f7d39b462340a3cb62e336e0b916a9a4238ee1239b608193de6aa5d06b0e85ae914b530cfa0b04b1b58592aea2298e52049a74805a22e4161edf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29410331-4289-11EF-86AA-DE81EF03C4D2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Download	win7recovery.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\International\CpCache = e9fd0000	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

explorer.exemmc.exeexplorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5200310000000000e558806b100057696e646f7773003c0008000400efbeee3a851ae558806b2a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

6068 reg.exe

pid	process
6068	reg.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

walliant.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	walliant.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3536 NOTEPAD.EXE
6464 NOTEPAD.EXE
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2116 regedit.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3536	NOTEPAD.EXE
6464	NOTEPAD.EXE

pid	process
2116	regedit.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

walliant.tmpwin7recovery.exeWbVhxCIDDK.exe

pid	process
2580	walliant.tmp
2580	walliant.tmp
2432	win7recovery.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe
2432	win7recovery.exe
2432	win7recovery.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
3056	WbVhxCIDDK.exe
2432	win7recovery.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

cmd.exeexplorer.exeexplorer.exewin7recovery.exemmc.exe

pid process

3008 cmd.exe
5704 explorer.exe
6880 explorer.exe
2432 win7recovery.exe
3092 mmc.exe

pid	process
3008	cmd.exe
5704	explorer.exe
6880	explorer.exe
2432	win7recovery.exe
3092	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exeshutdown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeshutdown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeShutdownPrivilege	2916	shutdown.exe
Token: SeRemoteShutdownPrivilege	2916	shutdown.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeShutdownPrivilege	2036	shutdown.exe
Token: SeRemoteShutdownPrivilege	2036	shutdown.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

walliant.tmpjokewarehydra.exeWScript.exeWScript.exeWScript.exeexplorer.exe@[email protected]mmc.exeiexplore.exe

pid	process
2580	walliant.tmp
2952	jokewarehydra.exe
2100	WScript.exe
3660	WScript.exe
2816	WScript.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
1476	@[email protected]
6880	explorer.exe
6880	explorer.exe
3092	mmc.exe
1832	iexplore.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
2952	jokewarehydra.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exe

pid	process
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe
6880	explorer.exe

Suspicious use of SetWindowsHookEx 47 IoCs

Processes:

mspaint.exe@[email protected]@[email protected]explorer.exe@[email protected]@[email protected]explorer.exe@[email protected]mmc.exe@[email protected]@[email protected]@[email protected]@[email protected]iexplore.exeIEXPLORE.EXE@[email protected]@[email protected]

pid	process
1668	mspaint.exe
1668	mspaint.exe
1668	mspaint.exe
1668	mspaint.exe
5840	@[email protected]
5840	@[email protected]
5816	@[email protected]
5816	@[email protected]
5704	explorer.exe
5704	explorer.exe
5704	explorer.exe
5704	explorer.exe
1476	@[email protected]
1476	@[email protected]
5704	explorer.exe
5704	explorer.exe
5704	explorer.exe
5704	explorer.exe
5704	explorer.exe
5704	explorer.exe
5888	@[email protected]
6880	explorer.exe
4416	@[email protected]
6880	explorer.exe
3092	mmc.exe
3092	mmc.exe
3092	mmc.exe
1228	@[email protected]
5920	@[email protected]
3092	mmc.exe
3092	mmc.exe
3092	mmc.exe
3092	mmc.exe
3092	mmc.exe
2568	@[email protected]
6484	@[email protected]
1832	iexplore.exe
1832	iexplore.exe
5824	IEXPLORE.EXE
5824	IEXPLORE.EXE
5824	IEXPLORE.EXE
5824	IEXPLORE.EXE
5824	IEXPLORE.EXE
5824	IEXPLORE.EXE
5824	IEXPLORE.EXE
2176	@[email protected]
5016	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

yfga_game.execmd.execmd.exewalliant.exe

description	pid	process	target process
PID 2024 wrote to memory of 2096	2024	yfga_game.exe	cmd.exe
PID 2024 wrote to memory of 2096	2024	yfga_game.exe	cmd.exe
PID 2024 wrote to memory of 2096	2024	yfga_game.exe	cmd.exe
PID 2024 wrote to memory of 2096	2024	yfga_game.exe	cmd.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	screenscrew.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	screenscrew.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	screenscrew.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	screenscrew.exe
PID 2096 wrote to memory of 2864	2096	cmd.exe	flasher.exe
PID 2096 wrote to memory of 2864	2096	cmd.exe	flasher.exe
PID 2096 wrote to memory of 2864	2096	cmd.exe	flasher.exe
PID 2096 wrote to memory of 2864	2096	cmd.exe	flasher.exe
PID 2096 wrote to memory of 400	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 400	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 400	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 400	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 2680	2096	cmd.exe	icacls.exe
PID 2096 wrote to memory of 2680	2096	cmd.exe	icacls.exe
PID 2096 wrote to memory of 2680	2096	cmd.exe	icacls.exe
PID 2096 wrote to memory of 2680	2096	cmd.exe	icacls.exe
PID 2096 wrote to memory of 2700	2096	cmd.exe	cmd.exe
PID 2096 wrote to memory of 2700	2096	cmd.exe	cmd.exe
PID 2096 wrote to memory of 2700	2096	cmd.exe	cmd.exe
PID 2096 wrote to memory of 2700	2096	cmd.exe	cmd.exe
PID 2096 wrote to memory of 2720	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 2720	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 2720	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 2720	2096	cmd.exe	takeown.exe
PID 2096 wrote to memory of 2788	2096	cmd.exe	walliant.exe
PID 2096 wrote to memory of 2788	2096	cmd.exe	walliant.exe
PID 2096 wrote to memory of 2788	2096	cmd.exe	walliant.exe
PID 2096 wrote to memory of 2788	2096	cmd.exe	walliant.exe
PID 2096 wrote to memory of 2788	2096	cmd.exe	walliant.exe
PID 2096 wrote to memory of 2788	2096	cmd.exe	walliant.exe
PID 2096 wrote to memory of 2788	2096	cmd.exe	walliant.exe
PID 2096 wrote to memory of 2724	2096	cmd.exe	icacls.exe
PID 2096 wrote to memory of 2724	2096	cmd.exe	icacls.exe
PID 2096 wrote to memory of 2724	2096	cmd.exe	icacls.exe
PID 2096 wrote to memory of 2724	2096	cmd.exe	icacls.exe
PID 2700 wrote to memory of 2952	2700	cmd.exe	jokewarehydra.exe
PID 2700 wrote to memory of 2952	2700	cmd.exe	jokewarehydra.exe
PID 2700 wrote to memory of 2952	2700	cmd.exe	jokewarehydra.exe
PID 2700 wrote to memory of 2952	2700	cmd.exe	jokewarehydra.exe
PID 2096 wrote to memory of 2696	2096	cmd.exe	xcopy.exe
PID 2096 wrote to memory of 2696	2096	cmd.exe	xcopy.exe
PID 2096 wrote to memory of 2696	2096	cmd.exe	xcopy.exe
PID 2096 wrote to memory of 2696	2096	cmd.exe	xcopy.exe
PID 2788 wrote to memory of 2580	2788	walliant.exe	walliant.tmp
PID 2788 wrote to memory of 2580	2788	walliant.exe	walliant.tmp
PID 2788 wrote to memory of 2580	2788	walliant.exe	walliant.tmp
PID 2788 wrote to memory of 2580	2788	walliant.exe	walliant.tmp
PID 2788 wrote to memory of 2580	2788	walliant.exe	walliant.tmp
PID 2788 wrote to memory of 2580	2788	walliant.exe	walliant.tmp
PID 2788 wrote to memory of 2580	2788	walliant.exe	walliant.tmp
PID 2700 wrote to memory of 2572	2700	cmd.exe	WScript.exe
PID 2700 wrote to memory of 2572	2700	cmd.exe	WScript.exe
PID 2700 wrote to memory of 2572	2700	cmd.exe	WScript.exe
PID 2700 wrote to memory of 2572	2700	cmd.exe	WScript.exe
PID 2096 wrote to memory of 1672	2096	cmd.exe	reg.exe
PID 2096 wrote to memory of 1672	2096	cmd.exe	reg.exe
PID 2096 wrote to memory of 1672	2096	cmd.exe	reg.exe
PID 2096 wrote to memory of 1672	2096	cmd.exe	reg.exe
PID 2096 wrote to memory of 1364	2096	cmd.exe	taskkill.exe
PID 2096 wrote to memory of 1364	2096	cmd.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

win7recovery.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	win7recovery.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	win7recovery.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

5788 attrib.exe
5176 attrib.exe
6036 attrib.exe
2792 attrib.exe
3796 attrib.exe
1896 attrib.exe

pid	process
5788	attrib.exe
5176	attrib.exe
6036	attrib.exe
2792	attrib.exe
3796	attrib.exe
1896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\yfga_game.exe
"C:\Users\Admin\AppData\Local\Temp\yfga_game.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\YFGA.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\screenscrew.exe
screenscrew.exe
3⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\flasher.exe
flasher.exe
3⤵
- Executes dropped EXE
PID:2864

C:\Windows\SysWOW64\takeown.exe
takeown C:\Windows\System32\logonui.exe Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:400

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\logonui.exe Grant:\Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K hydra.cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\jokewarehydra.exe
jokewarehydra.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy3.vbs"
4⤵
PID:2572

C:\Windows\SysWOW64\takeown.exe
takeown C:\Windows\Boot\Fonts\* Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2720

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\walliant.exe
walliant.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\Temp\is-LUDN7.tmp\walliant.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LUDN7.tmp\walliant.tmp" /SL5="$3015C,4511977,830464,C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\walliant.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2580

C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe
"C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"
5⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2920

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Boot\Fonts\* Grant:\Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2724

C:\Windows\SysWOW64\xcopy.exe
xcopy C:\Windows\Fonts\seguisym.ttf C:\Windows\Boot\Fonts\segoe_slboot.ttf /y
3⤵
- Enumerates system info in registry
PID:2696

C:\Windows\SysWOW64\reg.exe
reg import reg.reg
3⤵
- Sets desktop wallpaper using registry
PID:1672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im fontdrvhost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im TextInputhost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:2876

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 30000 /c "HAHA I HACKED YOU AYFGA ROCKS YOU"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K spam.bat "forkbomb" /min
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2372

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1864

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3048

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2684

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1792

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1944

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2540

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
- Suspicious use of FindShellTrayWindow
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2232

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1348

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2300

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2372

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:2148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3028

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2892

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2148

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2856

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1128

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2808

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:704

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:1768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2248

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2196

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:1476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1928

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2460

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:1616

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:1716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2104

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2856

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2172

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2648

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:2648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2088

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:1388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3172

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3460

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3688

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:3752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3352

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:3660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3776

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3148

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
- Suspicious use of FindShellTrayWindow
PID:3660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3864

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3148

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3556

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3620

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:3712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3076

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3128

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3420

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3700

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3156

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1028

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
- Suspicious use of FindShellTrayWindow
PID:2816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:340

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2564

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3612

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3212

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3164

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3972

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2792

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:1764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:1600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:2248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2460

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3092

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4084

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:3664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3128

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3564

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2808

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2640

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3848

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3188

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1128

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3124

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4092

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3404

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2936

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1148

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3084

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:4088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3452

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2240

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3708

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:704

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2132

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3676

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2248

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2428

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2356

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:3256

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:1112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:2600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3708

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2320

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:3344

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:3344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:3360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4196

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:4260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4424

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:4448

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4488

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:4664

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4776

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4856

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5072

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4284

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:4308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4544

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4808

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5092

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:4164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4356

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:1380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4452

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4812

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:5000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4280

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:4276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4808

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:4960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:1592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4280

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:4508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4936

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:4976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:4100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4620

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:5028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:5060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:4192

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:1064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:4976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:4384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:4976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:2312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:5136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:5208

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5288

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:5352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:5424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5504

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:5524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:5568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:5656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5760

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:5800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:5872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:6016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:6088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:2312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:5176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:5300

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:5380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:5800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:6052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:6136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:5132

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:5280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:5416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:5608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5648

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:5436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs"
4⤵
PID:5632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs"
4⤵
PID:6120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
PID:5172

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:5844

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:2752

C:\Windows\SysWOW64\shutdown.exe
shutdown /a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2164

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\win7recovery.exe
win7recovery.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:2432

C:\ProgramData\WbVhxCIDDK.exe
"C:\ProgramData\WbVhxCIDDK.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Users\Admin\*.* " /s /d
5⤵
- Views/modifies file attributes
PID:6036

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.* " /s /d
5⤵
- Views/modifies file attributes
PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\*.*" /s /d
5⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Views/modifies file attributes
PID:3796

C:\Windows\SysWOW64\attrib.exe
attrib +h "F:\*.*" /s /d
5⤵
- Views/modifies file attributes
PID:1896

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WScript.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\timeout.exe
timeout 12
3⤵
- Delays execution with timeout.exe
PID:1100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
PID:3420

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
PID:3156

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WScript.exe
3⤵
PID:3248

C:\Windows\SysWOW64\shutdown.exe
shutdown /a
3⤵
PID:3152

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\useroverflow.exe
useroverflow.exe
3⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\programoverflow.exe
programoverflow.exe
3⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1708

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:2116

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
3⤵
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\charmap.exe
charmap.exe
3⤵
PID:2756

C:\Windows\SysWOW64\timeout.exe
timeout 21
3⤵
- Delays execution with timeout.exe
PID:2344

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:5468

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\wannacryptor.exe
wannacryptor.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
PID:5480

C:\Windows\SysWOW64\attrib.exe
attrib +h .
4⤵
- Views/modifies file attributes
PID:5788

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5760

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\taskdl.exe
taskdl.exe
4⤵
- Executes dropped EXE
PID:5668

C:\Windows\SysWOW64\cmd.exe
cmd /c 286151721034051.bat
4⤵
PID:5936

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
5⤵
- Loads dropped DLL
PID:6128

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
4⤵
- Views/modifies file attributes
PID:5176

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected] co
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5840

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
4⤵
- Loads dropped DLL
PID:5644

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected] vs
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
6⤵
PID:6156

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
7⤵
- Interacts with shadow copies
PID:6176

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
7⤵
PID:6236

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\taskdl.exe
taskdl.exe
4⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\taskse.exe
taskse.exe C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
4⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "loxtqdbrvjwnha527" /t REG_SZ /d "\"C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\tasksche.exe\"" /f
4⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "loxtqdbrvjwnha527" /t REG_SZ /d "\"C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\tasksche.exe\"" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:6068

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5920

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6484

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\SysWOW64\timeout.exe
timeout 72
3⤵
- Delays execution with timeout.exe
PID:5492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5704

C:\@[email protected]
"C:\@[email protected]"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6880

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
3⤵
PID:2912

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
3⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
3⤵
PID:1396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=104288
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5824

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\d.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:3536

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\d.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:6464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Filesize
681B

MD5
260e5f2634374b75705faa198a9c3bad

SHA1
e1b43f2ae94fb1f7d2239374240ea39e1aee9c4f

SHA256
f33946c48b38635c9dd4ce2e47dc5646921e8453a189a458bda1ed215a1ef91e

SHA512
94c9e260c58f1ab42a71921b83a6ff197d3d72a9765c879aecc0d872c0a7aa91cea33c7d81c8957c3e678430bc21c51c7fe8029c841824e4ca9cf8d283bcb9d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7572d23f4a95bb0015860ae7aedff0f

SHA1
2527ce1e9bc36e7ff64a81065a335975f33f217b

SHA256
fb1177158b14f32047969f474b75265008978228b78c912faaf03587f872022a

SHA512
b593d39b5ba71f0136f41b1c46832d82f2e39bf23daefc89676693d815adcef029a08b7a58ca14a0e701bca8a495530c6890f93c226561e5757a5996c62f45b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b508aa4fa87852bc08d6029f16411a21

SHA1
6b98368fa9e7dccd376b1bd3b96cc27d05652845

SHA256
9a1144095cf415879a9fd2ed0fbdd25fd5865dd63ad7c03e0f94434a09d0c9c3

SHA512
e0306279c48e165b862a74a81de14e13c072820522766559ff2bd2cfc30f94ce08298f787c8b8ad2c83a74c9274dc89f5f402557dbf3561c85afdb97565ccd7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e538424e50eedba7596d3571e9bda9b5

SHA1
a7f04155d557916ff2f3236f7bd9a4b88e76fe39

SHA256
86553abec7d7cb277df69449d939571c03c7cbb8b239b99f0f89970251b8d0e5

SHA512
30a0beb34b40004288231b6ccabfd9a10ceb85c38105c371d52d26a6fa4fadc1236e4dc2624ca2e7cadd83f4e0f72974a4b539edd45391325cd55f8f5eb8f8a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c86b5e31eb8ca483cc7cd2043c58ad7

SHA1
38f89d86b94e91ebb369300244317ffa5bd1090b

SHA256
0e85ca243af04fd5d71521d0c80204b32239b933d076f2099c3b6378e65f0531

SHA512
e8aac186eae5b9b1035e4b9ed5e38becfc9b280bc56cb860d4473901785609e4628aff379cadb5809e8a85dd3b1e240d67c676a7cdbb8a0beb305ada4eb8cf3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64b266bfb921823ce34f55bfa52fdcae

SHA1
7352b61e4fdcdc0c9dec267ef785c3b7dd279d58

SHA256
2cb5ec46ef17b5518f6f2f570c56c420f1fa963f8b42edcf21f442ef6168253a

SHA512
74776d552739b437ff1e94100cdf8b7aafa6cd04837d8093ed6909b52db4b0cacdace73b22458f601888e953bc7276c324671f0c515ec0407825152c1b99276f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76ce1ea22c5bd747881742696362dec7

SHA1
3313353328bc3fdbe3998fd3129f2af817fbfbf2

SHA256
77a1b4a19bea7a2deb29537eddcd0354cdf8e28e81d0ad32a7696927947bd8c3

SHA512
5a18df027248ef776c21064e7ceed6560a06a7f6b3c9c363747f0dab483928af1f234e354db20d37134bf2126aadfe8bcfbfdf3aa69a91c1c42a11380f03595f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09c3225e4ced015e3623cbfea9a3dd2

SHA1
716bad78a282616604e25aa67de05342e767097d

SHA256
e66ad59098257c073935b3e391f4c7c8c494a2475e339de97dd3d7fecc3b7a24

SHA512
89b5dec1c97d95db77c9d64204d90e010161edb05d81d74e20bd1b5dbbed19f63e5c8fe3da2799a70d53d19798f500e19146e33279329947a1d811e92b57ec67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2175d030b58d5dfcbd776bf46624228e

SHA1
f6835e3baaaca749d12e9d1776340f7d635a6433

SHA256
65a4eadf8c5310ee55ab07013a625d164511553f02b754a0acd9bda116f6e78e

SHA512
9c39334b2b56dedcc2e313cb608a14d72c88821cb2fb6eeed23a8e83dd0968f8ac84a24ddc81aa6c39829938df358ca08cd8b31ce68d26164da55d74fe35c250

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5e4fdda66b38fc927e2fb30e1fa5e80

SHA1
71c676c8ca65f9a480ee232aff225bb5dcfc568a

SHA256
102c1e9d298a7431ed28e026b8bd6a6fafe66f5ee05fcac3bc807ea0822f1cfb

SHA512
e6ad6e4f856f3d70a9c7254d528be63c72a95efe482ef05eb0d85a58e2c6d0f053fcd54ca4356f105dfaec78f25df3cbde214b86a7cdbd789888cf6ffa3c105c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58b1186528260a5dc3c7870eb5f06d6d

SHA1
24cb314f1b23bb378f5e79453446875d62d138be

SHA256
d1273a3721a3393552f1ae2ede5e1801af98a79efb7d90c1e37452a434c6f856

SHA512
5c330d349dcf7844280585f28b34e10b60e9fd5a25e77fd2e182268d5427b9f85b415c02c3a3ad0d8b35bf97568d2a6f155e506721f3c2628304e0811252bb3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d4a7b4c9e00efc884c7e126acf1cbf2

SHA1
e388569a6ef896ed3a4b6e403a9b8c8fa13e3388

SHA256
889dcc7eb1050214c7b4c8ce9a9572a5de9f6fc16012f694faa2b31374212c8f

SHA512
90a22d7539c66e589a38c8c3b0d3ee8e237e46eb7c669db32353092bbbfd40e9a3c88fa9346142b99bc2189a1be65549e660ad9a94c42a22c4d8ff970f4abab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ffde780c63b5cf1fe71fa8050f21b76

SHA1
232f3f1c9583f787c7f6421243ff21986b149376

SHA256
c5d679e4d2415eadaabc807cf9bf616f2b2677db1354c2bb0fd3174439f2f217

SHA512
3194a550e6b2e17e9c2d5dc03b6aab32a70ac60e740f1da6ee1337f3c684847aceaece8aeb572e84935cb86a495466cbe45f262340e4a1f008ba3a9f49f9b7a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d226a2963d6ad0d9ebe2bcba416854f6

SHA1
510b4b4d2aee958488b93758a7a92f9ea95a05e4

SHA256
8e172ca6a8b51f590054cdb5a367f505a9a93d5371a6410527b723b467843e8f

SHA512
c61a002372bda126c18be4392ea7a8778a60c03585906766790e33126746bf76ad65b40ec9b71645e7647e722057bdc79252e25bec81e316ba444610f0f2da53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80dd7fdb7157a2203fe260717c287ca2

SHA1
ebe0d0873fa48eadcc1f712ae7e0287bf54a1e70

SHA256
8aa4e15a595ecea4b1a41670052ca64183b8a86786ba5a947683275a1e253741

SHA512
763f5b6d24892722d1bd9bb2ea12cbc91261b410a24f152884e39c88273e83716af427fe35953f82694b230610661f400ccb42789a86b4b5c09dbc01e9141c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b164d76fa9387e8aa352942566244a1a

SHA1
d7d09e31c8c50ae6997765e1011640df4f4da388

SHA256
8cc0730f6b7635749cbba36e4986a87788dd9809d0a9cbc6bade7535f5b14bb5

SHA512
04940bc9d70a2d1d347750ed742b062bc5b1a5fc6a43c5ad6fc6ee49e393c02ec65716ddaf5910b85dfabe4b6a8b9184361c877e60c96889c1df52a7fba6423a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82a9ee7d1cba12086b0a3d0038e5c32e

SHA1
14b58f4b89469f420b04b0ed65ce2e733f82f93c

SHA256
b8cd9fc9d42fb9655be16e50f935a93c44718156ba4f1976942a15745276dd12

SHA512
e8be4df31d64e08c0ebb06171099a7b53d5f79ef86a7e0e2e3be7c208cca3f97614950f0696756f2f11ca0026f1bed1ccf7f33702edec6d3d8df3c276726d262

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
741e712446342749c588ab5cb59cf74e

SHA1
6b4ed0310360b8fde0592e92aa2e4367774098c2

SHA256
c006b889fc883370c6119926b4f9b14774f02fc51ceecaaf8ffb6890f41ebbbb

SHA512
521790f3dedceef40cc3e927cadd9853c26df19d09026ba7ae6316502ab2a848bff3d8b2fc95cbef49f3ba66536bb2e2aad96538050cd09b6eb21e35f81199f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36ef4d6bcbdce09c7f57090a7e56f171

SHA1
d674fa36d4581c3b68fc1ac4d61b0745f226f9e3

SHA256
38fd8374d12f82e62d9b12ac7947291952f85a06ce1a316e35ce8f0a5661940b

SHA512
66e88c822b053843b44a4bb3d845a8074f4a61be68edd526f06eb0b147d1c67d1029300e1f2a8c1ee19534df39df9373dad9d1e0fc5c378878d65211fd4edfbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b910018a230b5723bea3cd40292ea38

SHA1
450a61b8462a763ab30c9731f1038e9d282bcc00

SHA256
08dd74fe4505dbbeefa1115a4f3324e48cbac6fa3e72c05dc09c4596fe005e9f

SHA512
d4f8eb2ce360c52c94640a108e4b9cbb25a951e193b0361d40e37fcd4fd2692398429efa276f20e8ac9a1af65b142000066fbfaa9a1603a5dc4b9548412ce16d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae4c2e231fe55971bfb15f01dd7d8d57

SHA1
fbf40d2477c9c760a98791b0b8ae87a3ec783e1b

SHA256
201ac7c02f82a708aaf33070e0b17c3f7acdc3343ca656252c99e7bb0dfd52fb

SHA512
094b95e24b86a11f38a2f0549a7e7731da64ee47cde5a8151eb3915233f5178928abd086a1ea559c8e8ec95121261aa9f3c5ef276446f3fcd0a9eb77a12b08ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b5f0e43b5bbb4eb26167cd2b1455781

SHA1
0505ee2a4e6a632f38df9676e10c3879b57ad3ba

SHA256
f8a7e91519a33db126e3199b32399647faa4f67da11ce36d3e3318c0941b0c01

SHA512
e70e73f14e03b4720666f7bdf69ce1c5a4ae24c6eb79025b35757b2b1cc1d231d1d97328fef18c72676c5b03a5ee0c518aa02a304dabe25e394548acff44188d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7152164fc2f2c15422a9c74c7952072b

SHA1
b323fd955cb77044df4c078d127aa71ad6d805f5

SHA256
15cf2fdc9e98b2b27eb21d7474274c3dc25c59dd1461e297cc910b7fbd569a1e

SHA512
791f42705f657cb40b203f43d7a42de80dde5c8b30d7e7d4fa2e40917ae977176698d81b6dd349065c34ecfe4c5ae3add05fbafba0160cd4eda8d7e20204badc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5dfaed53dc3f972abb4f7178c00e37f

SHA1
98f5e3894fa9e61b7729a7a4fcd4351ff3d45cc3

SHA256
b35ab47aab993f5fe00aca58df7492b220bc9ebc212686d49268760ad161eab4

SHA512
0cbee37347d799ade956871cd509e9ecb1764abef2008728450c8248787b3f8d60f3556d9aecd0132b1867af5c95b1eb0208768ba47eebbe9c14251cf449c7fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b865937a68614fca7c5b2525a3980bd9

SHA1
1313a0a9ee011eb842fdfca93cead20c1814670f

SHA256
445390e20f0642d5fafef529c67e92d557c585eb89e982bf803235fd0378db03

SHA512
9af98cf994efb21b6c343af123f2b504b06804502f0e3a4dc499057e5e15b95afcae9b8337c1b5c316d4f7812ca84889d62cc4089f1cdc6617e6934daae94e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25ac276b5c989a961c0ffd12ad1ba398

SHA1
98682ca46a5a88b4b2778e6780062422f4654ead

SHA256
7f94ea534d29e6ed7a4b94f1d4d6928b0fbc0a370f05dcf2d3527ff17408204f

SHA512
9c2c826ae4504259d4be0a35d9debd15e6e7b11354903a1ef15076e53f1aa1af7af008377d3c0297121f154ee3ce145e23614f328ea224e07bffebd5f7c3ca11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea613ec38df495f5b21108050a20e461

SHA1
5add5553c0ed351cf182b3c21874ad350ea45909

SHA256
a61a7e3c49bb46454915bbd174eb292e886fc2008af358fa0177d6b0af5aef06

SHA512
1dfe0d6cb20fe0e126f993eef802db7b20f93a08241766d0f0484af113e1788b8ec67d86b7fee4ddc92bb09f23a510d971bf71fdb72eb8e7e57fc7c00eb3e971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
350c4405da29214226b6643b3e917334

SHA1
8bf24535c28138e291380f648c01195ba25cecc2

SHA256
00deb5c153d695a420bff23cf00fc219b0dfcfd8fa554610f63ecf3fdc527f12

SHA512
55b9efe4f2fac960e11f817c1609b15ecad1c0fd78ded3105a4622089504d087a335d320c21a339e942b020f9877c965cd9be2539182d8dfcfaaa6f5c76d1996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb2d5ed335be7fff547046e84f52c74f

SHA1
7555fdd4aa5e886ad2c89dbf5588f428c200a324

SHA256
02d0a4a4e459328eb44fa8e28330d4b94ad77bb2a06baef9ba5b84a2cea87b86

SHA512
4501b892492cfd3fd096e626a506b6c30cafb94a00c1073bc686401196dbd5a09fc54fdb739f0747970dbf7bce7beb0fb79dbe3e206c7982db519e464e8885bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
245a83b7cae5d06991505db420ce0f60

SHA1
d0f0a9402f1dff4b2d504ccb5866bc2f06c99d79

SHA256
5c59291cfc1ca0cd27aaedbb0639d7e4ec3998b1f9c8d52a787a93aea341bec9

SHA512
9f84bdd3cc8f14db4a28889a36a09830404f00441f31979f492143434fab623b76c0453c501635ec71f71b3535ea72c035ef5cd7533eac1fb106d607d4e03b6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11d6eb5d161e84c556e30657eb28345e

SHA1
6403f3ba7a9020304f78ef2db486b7a552f8a53f

SHA256
f6975128dd651c8786450ac3480964234a0f6f9552b47478af70865650b42cbc

SHA512
711e364b2b0889d4f0074d13b736a9678a1511c2c26fe09373b64d24b623b2a47956808860cdc54e33f7a4f0404b97d57dc13ead1f96f32353bd517e340d6ad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d03202c7911cf947d58ecd6d49f740e1

SHA1
ba0d777402298dca1858474d8f62f1dc64195d58

SHA256
9be1f4195afe49eabba213721048643103c00db0d741fe5579a86202fa8b2003

SHA512
d4de1621840a544f8e88e1e85f7eb8d270dafa641ee8dae2a0bf41b66a42037744848b5e5125f6fee73450cfb5dd3fd7a8e22eed7558124fb76a8033c0b788d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53468cac39a8ce40af1397a6c6d1947b

SHA1
afb0cfeeb3d0ddf85384a60e68afbb8715cec58c

SHA256
12c5edaa0ef8940ea9eead3afcb566e3972053756d379b901d2a5068e0053877

SHA512
996d9e4be3b730048db35a2b60b1dd83080e833537ddfc689a9e9bc799108a4c9722f4b86774f7eacfe7c96c1d63dddb11394fba4d99abcb0066da33d0c62188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afccb6c092d196c4b357e47479406283

SHA1
7e5f6069b09d8ab985136f1570a192c799be6784

SHA256
4b111f5a1b291cdbf3afc3cce13170ed6ea613e035b58e09e018c52a9bac55a0

SHA512
ea1a4aa63f0256c18781c926a3372250ce17b4523a55dede1488218d633380a8a59bfb5c2154e2fc826205bcbf8594fe8976245cbe4071066486c058d316ab84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
348d363ba6ca107b3202f460a73047c5

SHA1
5947686c0015675e2276b1e3e62272fef166ec9b

SHA256
3f46a5b417fb3541e592dcbd6cb8c65d90aa19ad99583a232d90709e1da6ba50

SHA512
9ae8756a0b843cc934f5eb56e3feb36f3175ee3834dec5fd3bf1afd72cbc34c150e3fbd4005e4d7d9a16017a06b56e6b47b58fa0953d7eea6668fb9c61008a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff075624ee8659f76386968cedc67b93

SHA1
1a4141a686bafda80916c0cb521f69b256bd8e3a

SHA256
93118b82896d21520a8aad41b810ab10ffc3df3bb0f74e42a75926a2601293d8

SHA512
3fb84147336ec651bd4359f4a75e46c1c7686ba3cb56caffd3aa4988893877164b77b51b0e98088858e3debd49c0982acc0c1ac782ade8f285e85fa71be45386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8278ea94cc59bffa9089e5cdddd69597

SHA1
322d6229e528b62422c0f28dc3ebd816abc3c224

SHA256
a1e07293b56b94f3a763551a32686439c0dd2c10f1dddecd4f201718bf0bc029

SHA512
f7a8cfe7513493d6296be6a9cde8b8357035fc52ac8e44ed18e662f39d93627c8082e49506a78c3444b7c204f2e42a95c527f2b2b25f7d46ddfc73b54be98c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45a9375e8d4d1475668968556a61a429

SHA1
827b2abeefc9c739324a61c0ff692e7f1dafcd1c

SHA256
f15cc1629bf89157cb52474c6c6cf791b0fdff1ed93e913cf8ca7540ba2a1034

SHA512
1a1e48dbda0390dc35c7a7d841a8524f09688b9280967c43d7cb1a6ede2b592dcdfac58bb84bcf01b1aa1d7132a7adb9467a131c3bffb322af3960491d705254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1662c75f055b2657e663138273238542

SHA1
07bcb62fc2b15c303173c5476664bd660a48b0b5

SHA256
7e28c7180482c6b2cdbbd1b40b8997cc915d9b34f1a117d250060244f729e011

SHA512
baa1360901e4bbb8b13e61727f4e527c3bb4557472a5a270a911183a832681178650f3311ee2b6874d860768986a3d3cb36af9b04a817c0d4f70b8da82d0a35c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb2f83ba829e8e00a2ec2c3bbb20b701

SHA1
3546811071aad3831084b468b9fe158d1d4bc224

SHA256
05e28040f0330f99b7cf0ddab0eb9250be2351506539d9ab70dae29dbbeeccda

SHA512
4f771e5175cf32d44e0d3d4c65abf3e5307b29d18abd9a305280fdfdde8f112bcf2fc3005a657da2bb55c41c65a2c96b13e464cfb741d8631f81077c64171e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b2225b0c3dd34f1adb25013ef089b8c

SHA1
ad75c3b99061617283db572fa9c0b76a0f254f45

SHA256
ff23ade831f3b8aed497bcd302920a7933fcaff10dacfe68704a9e2c3b39b7ae

SHA512
693bb59f410c175d4b0b28fac1596a948a21ac815fddebd550476510e6b885918a564b2f62a5311cd5b3d3a6d4f5e97df929025286db367df3f93a4495762201

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb02250a77f93041236091d8862d176d

SHA1
911153815ac55eec5d1f049d62ca87725427aba5

SHA256
61f5d5323d55406e5955081e505abd96d28e7370f9cd197b98aba8e1d8628e26

SHA512
d1273931856ecec46b91bcbb62aee78320f7db4830bab0039c90d8a854ddfd77cbeb1867981be88e4c0db6aa4ca40cf26678867630a7c18460322db95be17ce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fefe85534e23818b299fedbddeea0a05

SHA1
dd494f1a3077ba85e1764681d48da13e7612ecb5

SHA256
e392784ae8ab6566999b55434072b22d12f7b91d5a9ad264466212970adbaa8a

SHA512
c6c12c1b099258930e09bb72eda80fae7a7ab3d7ee3ce21e390a73bd790a991a5170211e64ca3d7d01bdb063d859d84ea5b5f90127200cda9683273522e78dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c44e9986bb0a5025b2a8aebc691729a

SHA1
9d7a328a2406b6b038a67fe0e9af7399e263ab93

SHA256
c4d0e604c6a189fc8226ac5486e6083341d77ddd97eb05d5eb66c513304e373a

SHA512
95f1e99fd2133e076b41be09877bbda2859f0f09922bdff941f73014021d1c2ae32ae9e6724d91a1e0d3dc210f3b3b04add78da084be9862e4c394cb52933e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
361e4eb3d31e7a38640d3ec77bfe1bb7

SHA1
244b3472dd0006a22091d18ca1da148a7309da39

SHA256
bc8b4d76377ce9aaf28360c7dafb220c8acb1c1b7de545183a57b2419cb4d65e

SHA512
f1dedbd9f928739ef330d2d0cb3c65065e49374035d6365f6849bd7684c34deee682cee50f1ff30390ad2cd06352a86a12c0cb497d67d8388359263896df0cc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3411b6aaf7e3490898be0e58f8abc04

SHA1
cac8b30e909eed5f241a3198f95f438c8723a0dc

SHA256
4eb9ddb213fdffc81acd8aebbf166254c9c35b898da50f49d964ca7e0829545a

SHA512
c90c44097a8d8c1971043b57485ffe46cd4a27c687bf308f91a287383426787db6215194f4f6be63122fa26a7d66f08d89c11e614a9a8cb1b3e0ffcd1c934b8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d14e83b2726d0bcf3dfcb4633d0d0ee

SHA1
9d3c4d0ae262f9e1fb78679b7cd526aee1f269d5

SHA256
3d3690d5bad2b636219d2b97d22b1e848aaa2170aa30274e980c102a80f6249e

SHA512
38829ca720c8432aaf06b3f0ce9d8c53f009172a28b893117139c2ad12afd20a4b1ecdd1f2e8783b71b6d68d6ebb5011f0134277d3626d414cae8b9a12b530bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf517670a6ea085a61e27938c37c1992

SHA1
396358a24126823e949963990bcdf1ef80ee61f3

SHA256
90841ea13811ae991345eed87feef81e097e3ed4836042983a50e471c793796c

SHA512
5caf025e1f9cac61815d5f31ca38458a56dd78508e152b3f43b52abb112af84b17041a16d8ddaf9ddb9cfb0f3bcde7aa7d25aafc9b84420201fe8218d0a4d75e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af743a4c218d6f61fc20b09037786129

SHA1
8f08ba50c6eff4ce0ea94115618175a9b23eee5d

SHA256
3efbfdf91863497733d0a11fdbd5b84edccc9ef966f535f534a717b58c80584f

SHA512
58e0d3dae8bec4d643965ea0ee597cb71424bab37bfe1793d1340f8cb3937f7f3c43a04a049cb66ce37509520f3c6bcdfdd713586897298e87a02c6be28429ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91e047df187035604994ca2e16fe2255

SHA1
b16a652cb51d54bb9656ce3b2437437a7a01b842

SHA256
e9bd7bf1fcb8b332edfe33bae37031fc096b773f0ec65ad84209a304ab5a6ba9

SHA512
4252be03b1db9c25cfde4528f6c15f29d35848409b805522fee1c7d807536655576f36736b00006b3c91f5577a8b51938fe511f0264ebe17450576a8c4a6c5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a21f8633cb926ab3113822c385497dee

SHA1
7ff6b3fc4f2cd1a0a5a643985272ae3ec290559d

SHA256
3e03c74ca1609e7acaa51ac242df04e4b120f92d81aab34924c383c4be98f2ea

SHA512
3d15826ba934002f9519c1398c0a840e9b786ffad64c7a00e16697cb0c5bb1d5a7174ebfdc1f67e8f3c6585b579c6a86802115979adeb839907ee20bf89af5ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51520a7b52347d279fc15f134002e776

SHA1
1e67d810c2a26cdf8ac40bb1fdbb850dadbc236d

SHA256
dbce65a9075cbf09c1bcd9a50721635f6219c6f6069f3ec79940184d7f1a5c82

SHA512
50385f883111fcc905b04045ce59aacf12b33212e026b54073832eeefdd6402965de654f8ad39a698fc9204601c011b67af9ca3360ae0dc57ea5e369e93299e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1fd11c50c2cb45270922c17e2fdd349

SHA1
cdd8bbfce2d1fe21f251cee11669b4e6b6d48f36

SHA256
0b5692976a50cf21b35d0294119fb047e3bf6ad54b40af642d449840a44bb42e

SHA512
6b75404447aa52581429e7a361e04d8acf21698cc8aa8c12ea69907519dbcc417487aaf1d537d079d148415660c4620ef06607706bf878948cc617c2b9011717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b4135c3492625d3a789701e469d022

SHA1
9901ec626ae8836aa96716bca87fc3e10470216a

SHA256
6996e1740ad9ffeaf81e6050ae3b446508de8e5f666a4d20533462fe3e04948d

SHA512
b2c6eca306c290dea91b1c47c46c63f20b507aae6309d569b2bbffdefed3e2911cac01a0ad119727ad4ceed05a3cccc07f63767951647e52862baf61c9e3b9af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ff5b303000fdad2508a2e97d552774a

SHA1
d7ba4d0415e5c93cc9944aa66cd13585d340791a

SHA256
e0f1d3da7257a550088145a889790ad4abc7325b8a9808188b602280ca9484bd

SHA512
f8fbbef9feb15644c292c7f6c77f211e80be0e2c588ffb4a1c0725af7ea4531a08a2f1c84f547d02e3411b06c1b2c0eab52a7c1d418644ad8903c8fd9ae5b83b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c28d725ed8b60f45e92af110f619f04

SHA1
222ec55dd3f1b45e9d581703f3d845edc361f7a3

SHA256
1d1c215db60c604e562dafd9290e20a976210982b561a9b51650f11adc437b7a

SHA512
20ccdac5fc709000a5f911c2d4de2ba92aa2d2bb7b6081cc6d7f80905e77a3c7d85652ed57f4b750e6af6a8c6f67b79dbb29b9edee374445ba8249713909e8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mr225z1\imagestore.dat

Filesize
17KB

MD5
ba574f2cece69f94d58989e92451ba9e

SHA1
50ab264e267f74135b90988f571460ead9ad5839

SHA256
459f2efc65da53f8c68be18d30cd0a440f7ef863581c10742b1f7046a242a9d2

SHA512
75d71a4e02fa126f7a65c501fea2a55b7c02a7b7cfaf244c1e36ab5db25b2809926814d4943632335efda066cb4114e6c79e4fc4a78548ff9e1bf83c64850638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NIUC9X25\favicon[1].ico

Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll

Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll

Filesize
114KB

MD5
bf6a0f5d2d5f54ceb5b899a2172a335b

SHA1
e8992a9d4aeb39647b262d36c1e28ac14702c83e

SHA256
32ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6

SHA512
49a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll

Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\sdk.dll

Filesize
11.3MB

MD5
fddc7534f3281feb4419da7404d89b4c

SHA1
19bdefc2c9e0abd03fe5ee4fad9c813a837f844f

SHA256
f13da9813fa11b81ee4180794cbad2b280422716a080bf4c0791996be7f7908e

SHA512
c5428179dc222366234125bd78f63a9350c9329e4d46646bb3361de143974d261bd7a8df6155bc7ef46ad3725302837f4769a26459b8b4b5b5304a810303b1ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe.config

Filesize
1KB

MD5
b492287271363085810ef581a1be0fa3

SHA1
4b27b7d87e2fdbdda530afcda73784877cc1a691

SHA256
a5fcca5b80f200e9a3ff358d9cac56a0ffabb6f26d97da7f850de14f0fb2709e

SHA512
859fa454d8a72771038dc2ff9e7ec3905f83a6a828cc4fc78107b309bdcd45724c749357011af978163f93e7096eb9e9419e3258ea9bd6b652154fe6dd01d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe_Flash_Player.exe

Filesize
114B

MD5
d725d85cc5f30c0f695b03a9e7d0c4c0

SHA1
131b68adcddb7ff3b3ce9c34c5277eb5d673f610

SHA256
4d4588c42fa8df0ea45ad48aca4511bb4286f0deaa41fdf188c3b7ab9e1b698a

SHA512
01f270a15aa10e60e14ac140ccb54e38cf8e57833ef1c0db7d36688a93ecdc0a59ecf9ead9366a5920faac7e28a2e0ee03759eb0fa92d455abc72f406fe8775b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF981.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUDN7.tmp\walliant.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\286151721034051.bat

Filesize
412B

MD5
73bdacc4d7fce44b2f333f8c60127b14

SHA1
229403f9156128fd035a5d439845ec4d6a971d32

SHA256
bc9015ebea56190449b0cc4add6256a7446d9ab1d1ab203ea076bca00de7736b

SHA512
004df99c4ec7d0ab2dfc074e8d47a1e37fa1d64fc079d895c46b7a4980f0bc7454d082640e1c1d52398c4be3728cb8c3471373d571f2901b546c66631d640daf

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\YFGA.bat

Filesize
1KB

MD5
05c6af7c741e910e0546a8067f5c0c91

SHA1
84c99161e17a02d9db44f7bc77bdaf992025a561

SHA256
2d815d2e59574acfb023f2a5dcf03c01ab65f0a8b72ed372ef88b836b10e211f

SHA512
dc40eda66933d8743fd54e6f694dac3716d7cf7a332016b472a27f093f414e4e47ff0035c29b8db8dafa1e963c75b748f270f940fc082f1e3d7b2fb242eba423

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy.vbs

Filesize
50B

MD5
3167d161336cbd296dc579d2295b0f22

SHA1
53253e5841e6a7a7a1b8bd08378af0a96b2f9a98

SHA256
307879bf0d9bec07bab240b5010434801fbee520c99c5a617e8ac630f42dde80

SHA512
62af8fa0c9a30ec6aa9b552fcac1879af1f00f5ceb48a77718b2a8e042e3524e2cd299f26fcde31ad8abf2dcb94d15cf45ecbce0bd5f9f93f44aca6327aa53ea

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy2.vbs

Filesize
44B

MD5
9a2ccbd3e2f1a2382fed7674c28dd086

SHA1
b466bdd2079575c938de65285f02739143ecb170

SHA256
4519cd5997afce27129ef943f121972f7b0b34aa018e4dd408892fc5c39bb59e

SHA512
8929493211c17a8e99b908a8305dbebe2d96e1b54426e89ddba84c2010a86d7f6d0983080f29fa1ab7a0687d536c0546278b9fffe4560d84e4012f243f344d78

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\annoy3.vbs

Filesize
56B

MD5
19cf22e8d63e787913b6617542211e19

SHA1
8c3d2f43025e5c4ef70e0c4d1f36692361f51b1f

SHA256
dbec312d736f8a56f94ace99986d95d4355ef644a2fd908da1ff4c8b0a003979

SHA512
8b9d192dd7f175e63aebcdfc8426876fa8bf3ae00d3cf10bb8fcf0d0c262b906de28784f5b97141f656e87bb548d343b8d5a127c06ecb407289e91f3fc199608

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\hydra.cmd

Filesize
47B

MD5
5e578014c7017a85ca32f0b7e5d7df7f

SHA1
c88d8e7179fcc070d4419be9f4d8647354c2f6ed

SHA256
a964a717e3c47cb7d274e98928ca1271377d0d76a8908448e1b70e63af4082ad

SHA512
7eb206b0cbc2a9b744246d8a83b2fccc70204c6e777b0fcbb838e63d477fe047d8827f3c0de823d55b9ab5cba2ab572ff3f543f76a3451fa81b31584cc767106

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\jokewarehydra.exe

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\programoverflow.exe

Filesize
566KB

MD5
c4aab3b24b159148d6d47a9e5897e593

SHA1
7061c2e85de9f3fd51cccdecb8965f1e710d1fe5

SHA256
03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc

SHA512
9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\reg.reg

Filesize
25KB

MD5
aebe09cd7095ec201dc8acc350443242

SHA1
df7337e051bd02e1fdd4005b63ed45b8ca3d9726

SHA256
405d47dca73a5d6180db42e90c35931047c666ed1f1d6fab5ead6110c2356cc7

SHA512
ffc658faf04fee47c1284d439a4c5b3931d2f9bcac9b40e36f59ad0ed4917f0252e639284f817ca84a6da57552f8e0fdf96936987c3f5cf689a537e42b47288d

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\spam.bat

Filesize
158B

MD5
4af4ab45205580fecf659dd857522f6b

SHA1
78ec5ff7647ca56d8c8d72b4da551efa86e53675

SHA256
b997f3a0d79493418f3e9da03dd95aea6b45b8a8c454e8e7d1f06de3ad3e1111

SHA512
f77c7b4d034def85c363805fe625aefb4e461770418f9015d4d5241fb8d09707b9918d54e9b2cc35d06008097174cdda0bee9702466fe7e097014794fe4d77cb

Download Submit
C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\useroverflow.exe

Filesize
578KB

MD5
533d78fdd538bbeee31fb0b72a8cfb7c

SHA1
cb0e46804e784525f5bece40d51772bbdd9a5dc4

SHA256
b7a4fcc7f474c091edc09349af5e53915d23f14071d78a3026c92c49d2467989

SHA512
85e393cbdd2b20da8892173c7951ddf8e75dbfa29cf81fa725a2da56e606b848ea8a6636528d4fe26eca5e6b251406ec870242fe0d44e7863bf22c739d7759d5

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll

Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll

Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe

Filesize
257KB

MD5
60d3737a1f84758238483d865a3056dc

SHA1
17b13048c1db4e56120fed53abc4056ecb4c56ed

SHA256
3436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9

SHA512
d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe

Download Submit
\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\flasher.exe

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\walliant.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\win7recovery.exe

Filesize
467KB

MD5
ab65e866abc51f841465d19aba35fb14

SHA1
ec79f1f511a199291b0893bc866a788ceac19f6e

SHA256
2ac0ca4ffda10b1861dd4ae0c2f0131a6400214cb4f5fa33951f3062b784a755

SHA512
2474905f174635b236e5f6e8f8c497e44435c94edd02ec47d3440c9a216f6840d040e6acc5fe2ec301ada80467f6cf55225d6361c1e7c6c6c7edccb9e7b5a35e

Download Submit
memory/316-1953-0x00000000779A0000-0x0000000077A9A000-memory.dmp

Filesize
1000KB

Download
memory/316-1952-0x0000000077880000-0x000000007799F000-memory.dmp

Filesize
1.1MB

Download
memory/2024-841-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/2024-1072-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-1-0x0000000000B40000-0x0000000000BCC000-memory.dmp

Filesize
560KB

Download
memory/2024-4978-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-2-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2024-3-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/2096-3266-0x00000000026A0000-0x00000000028F0000-memory.dmp

Filesize
2.3MB

Download
memory/2096-1947-0x00000000026A0000-0x00000000028F0000-memory.dmp

Filesize
2.3MB

Download
memory/2096-3449-0x00000000026A0000-0x00000000028E9000-memory.dmp

Filesize
2.3MB

Download
memory/2096-1948-0x00000000026A0000-0x00000000028E9000-memory.dmp

Filesize
2.3MB

Download
memory/2112-3159-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2112-2897-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2112-1949-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2128-2063-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-4917-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-2894-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-1243-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-34-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2128-4926-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-3642-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-389-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-4931-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2364-3644-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2364-4933-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2364-1951-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2364-2896-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2364-4976-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2432-1697-0x0000000000600000-0x0000000000678000-memory.dmp

Filesize
480KB

Download
memory/2432-765-0x0000000000600000-0x0000000000678000-memory.dmp

Filesize
480KB

Download
memory/2580-493-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2580-392-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2788-43-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2788-504-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2788-391-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2864-4932-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2864-35-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2864-3643-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2864-390-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2920-1086-0x000000006D680000-0x000000006E17A000-memory.dmp

Filesize
11.0MB

Download
memory/2952-46-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/3092-5034-0x000000001D3C0000-0x000000001D706000-memory.dmp

Filesize
3.3MB

Download
memory/3092-5033-0x0000000002870000-0x000000000288E000-memory.dmp

Filesize
120KB

Download
memory/5480-3951-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5704-3956-0x0000000003D90000-0x0000000003DA0000-memory.dmp

Filesize
64KB

Download
memory/6040-4913-0x0000000070420000-0x0000000070442000-memory.dmp

Filesize
136KB

Download
memory/6040-4943-0x000000006FA60000-0x000000006FC7C000-memory.dmp

Filesize
2.1MB

Download
memory/6040-4940-0x000000006FD00000-0x000000006FD82000-memory.dmp

Filesize
520KB

Download
memory/6040-4941-0x00000000741C0000-0x00000000741DC000-memory.dmp

Filesize
112KB

Download
memory/6040-4942-0x000000006FC80000-0x000000006FCF7000-memory.dmp

Filesize
476KB

Download
memory/6040-4914-0x0000000000D00000-0x0000000000FFE000-memory.dmp

Filesize
3.0MB

Download
memory/6040-4911-0x000000006FA60000-0x000000006FC7C000-memory.dmp

Filesize
2.1MB

Download
memory/6040-4939-0x0000000000D00000-0x0000000000FFE000-memory.dmp

Filesize
3.0MB

Download
memory/6040-4910-0x000000006FD00000-0x000000006FD82000-memory.dmp

Filesize
520KB

Download
memory/6040-4944-0x000000006F9D0000-0x000000006FA52000-memory.dmp

Filesize
520KB

Download
memory/6040-4912-0x000000006F9D0000-0x000000006FA52000-memory.dmp

Filesize
520KB

Download