badrabbit | 792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738

Analysis

max time kernel
117s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
Size

149KB
MD5

e8583ee36603531bcf5001346c7474a7
SHA1

4a740bc0de76cf7597d001f5cb659b220de6dccd
SHA256

792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
SHA512

fb813d434cea07aea28bf52834a125a8bd46ae7f34034a96793785c1d8cda3adc3c811af98dc6a1337a1bc6b73397d177c29d1c9ff282f29415b616b236c7e13
SSDEEP

3072:p+OvuAoccS2sTQMMBXZ+YSuwydCcGmDceCd4aMc9KDouBIOQ:p+OvujS2sTFOXZ+YKmADd4alwJN

Score

10^/10

badrabbit troldesh wannacry bootkit discovery evasion persistence ransomware themida trojan upx worm

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Endermanch@Xyeta.exeEndermanch@Birele.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Xyeta.exe"	Endermanch@Xyeta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe"	Endermanch@Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Xyeta.exe"	Endermanch@Xyeta.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 40 IoCs

Processes:

Endermanch@Antivirus.exeEndermanch@AntivirusPlatinum.exeEndermanch@AntivirusPro2017.exeEndermanch@AnViPC2009.exeEndermanch@BadRabbit.exeEndermanch@Birele.exeEndermanch@Cerber5.exeEndermanch@DeriaLock.exeEndermanch@FakeAdwCleaner.exeEndermanch@HappyAntivirus.exeEndermanch@InfinityCrypt.exeEndermanch@Krotten.exeEndermanch@LPS2019.exeEndermanch@Movie.mpeg.exeEndermanch@NoMoreRansom.exeEndermanch@PCDefender.exeEndermanch@Petya.A.exeEndermanch@PolyRansom.exeEndermanch@RegistrySmart.exe6AdwCleaner.exeEndermanch@SE2011.exeis-8P6QP.tmpEndermanch@SecurityCentral.exekeUowsok.exeaIQowQoU.exeEndermanch@SecurityDefender.exeEndermanch@SecurityDefener2015.exeEndermanch@SecurityScanner.exeEndermanch@SmartDefragmenter.exeEndermanch@VAV2008.exeEndermanch@ViraLock.exeEndermanch@WannaCrypt0r.exeEndermanch@Xyeta.exeFantom.exeEndermanch@PolyRansom.exe302746537.exeEndermanch@ViraLock.exelpsprt.exeA593.tmpqabsbnuj.exe

pid	process
2032	Endermanch@Antivirus.exe
944	Endermanch@AntivirusPlatinum.exe
696	Endermanch@AntivirusPro2017.exe
1740	Endermanch@AnViPC2009.exe
456	Endermanch@BadRabbit.exe
320	Endermanch@Birele.exe
1460	Endermanch@Cerber5.exe
1572	Endermanch@DeriaLock.exe
2040	Endermanch@FakeAdwCleaner.exe
1692	Endermanch@HappyAntivirus.exe
1676	Endermanch@InfinityCrypt.exe
1952	Endermanch@Krotten.exe
1492	Endermanch@LPS2019.exe
1908	Endermanch@Movie.mpeg.exe
1472	Endermanch@NoMoreRansom.exe
1064	Endermanch@PCDefender.exe
1668	Endermanch@Petya.A.exe
1812	Endermanch@PolyRansom.exe
1940	Endermanch@RegistrySmart.exe
1648	6AdwCleaner.exe
524	Endermanch@SE2011.exe
860	is-8P6QP.tmp
804	Endermanch@SecurityCentral.exe
996	keUowsok.exe
976	aIQowQoU.exe
548	Endermanch@SecurityDefender.exe
268	Endermanch@SecurityDefener2015.exe
568	Endermanch@SecurityScanner.exe
2116	Endermanch@SmartDefragmenter.exe
2148	Endermanch@VAV2008.exe
2176	Endermanch@ViraLock.exe
2192	Endermanch@WannaCrypt0r.exe
2212	Endermanch@Xyeta.exe
2224	Fantom.exe
2620	Endermanch@PolyRansom.exe
2820	302746537.exe
2912	Endermanch@ViraLock.exe
2832	lpsprt.exe
1192	A593.tmp
3016	qabsbnuj.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@Xyeta.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe"	Endermanch@Xyeta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Endermanch@Xyeta.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe	upx
behavioral1/memory/320-89-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/320-105-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/320-110-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1472-132-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1472-138-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe	upx
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe	upx
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe	upx
behavioral1/memory/2148-221-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2212-224-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2820-272-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/320-280-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1472-282-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Endermanch@SE2011.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine Endermanch@SE2011.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	Endermanch@SE2011.exe

Loads dropped DLL 29 IoCs

Processes:

Endermanch@FakeAdwCleaner.exeEndermanch@RegistrySmart.exeEndermanch@PolyRansom.exeis-8P6QP.tmpcmd.exeEndermanch@LPS2019.exeEndermanch@VAV2008.execmd.exeEndermanch@AnViPC2009.execmd.exeWerFault.exeEndermanch@SecurityDefender.exekeUowsok.exe

pid	process
2040	Endermanch@FakeAdwCleaner.exe
1940	Endermanch@RegistrySmart.exe
1812	Endermanch@PolyRansom.exe
860	is-8P6QP.tmp
860	is-8P6QP.tmp
1812	Endermanch@PolyRansom.exe
1812	Endermanch@PolyRansom.exe
1812	Endermanch@PolyRansom.exe
556	cmd.exe
556	cmd.exe
1492	Endermanch@LPS2019.exe
2148	Endermanch@VAV2008.exe
2148	Endermanch@VAV2008.exe
2148	Endermanch@VAV2008.exe
2528	cmd.exe
2528	cmd.exe
1492	Endermanch@LPS2019.exe
1492	Endermanch@LPS2019.exe
1492	Endermanch@LPS2019.exe
1740	Endermanch@AnViPC2009.exe
2160	cmd.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
548	Endermanch@SecurityDefender.exe
996	keUowsok.exe
996	keUowsok.exe
996	keUowsok.exe
996	keUowsok.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3068 icacls.exe

pid	process
3068	icacls.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/524-171-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/524-174-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/524-219-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/524-230-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/524-284-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/524-286-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@Krotten.exeEndermanch@NoMoreRansom.exeEndermanch@PolyRansom.exeEndermanch@Birele.exeaIQowQoU.exekeUowsok.exeEndermanch@Movie.mpeg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Endermanch@NoMoreRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIQowQoU.exe = "C:\\ProgramData\\tkUQYEIg\\aIQowQoU.exe"	Endermanch@PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe"	Endermanch@Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIQowQoU.exe = "C:\\ProgramData\\tkUQYEIg\\aIQowQoU.exe"	aIQowQoU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Endermanch@NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\keUowsok.exe = "C:\\Users\\Admin\\NegQYIUk\\keUowsok.exe"	Endermanch@PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\keUowsok.exe = "C:\\Users\\Admin\\NegQYIUk\\keUowsok.exe"	keUowsok.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Endermanch@Birele.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Endermanch@Movie.mpeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Endermanch@Krotten.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Endermanch@Cerber5.exe

description	ioc	process
File opened (read-only)	\??\b:	Endermanch@Cerber5.exe
File opened (read-only)	\??\e:	Endermanch@Cerber5.exe
File opened (read-only)	\??\g:	Endermanch@Cerber5.exe
File opened (read-only)	\??\h:	Endermanch@Cerber5.exe
File opened (read-only)	\??\j:	Endermanch@Cerber5.exe
File opened (read-only)	\??\m:	Endermanch@Cerber5.exe
File opened (read-only)	\??\p:	Endermanch@Cerber5.exe
File opened (read-only)	\??\s:	Endermanch@Cerber5.exe
File opened (read-only)	\??\t:	Endermanch@Cerber5.exe
File opened (read-only)	\??\v:	Endermanch@Cerber5.exe
File opened (read-only)	\??\w:	Endermanch@Cerber5.exe
File opened (read-only)	\??\u:	Endermanch@Cerber5.exe
File opened (read-only)	\??\a:	Endermanch@Cerber5.exe
File opened (read-only)	\??\i:	Endermanch@Cerber5.exe
File opened (read-only)	\??\o:	Endermanch@Cerber5.exe
File opened (read-only)	\??\r:	Endermanch@Cerber5.exe
File opened (read-only)	\??\z:	Endermanch@Cerber5.exe
File opened (read-only)	\??\f:	Endermanch@Cerber5.exe
File opened (read-only)	\??\k:	Endermanch@Cerber5.exe
File opened (read-only)	\??\l:	Endermanch@Cerber5.exe
File opened (read-only)	\??\n:	Endermanch@Cerber5.exe
File opened (read-only)	\??\q:	Endermanch@Cerber5.exe
File opened (read-only)	\??\x:	Endermanch@Cerber5.exe
File opened (read-only)	\??\y:	Endermanch@Cerber5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail wordsia@notrix.de êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Endermanch@Krotten.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Endermanch@AntivirusPro2017.exeEndermanch@Petya.A.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@AntivirusPro2017.exe
File opened for modification	\??\PhysicalDrive0	Endermanch@Petya.A.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Endermanch@SE2011.exe

pid process

524 Endermanch@SE2011.exe

pid	process
524	Endermanch@SE2011.exe

Drops file in Program Files directory 16 IoCs

Processes:

Endermanch@AnViPC2009.exeEndermanch@Antivirus.exeEndermanch@LPS2019.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\antiviruspc2009\libltdl3.dll	Endermanch@AnViPC2009.exe
File created	C:\Program Files (x86)\AnVi\splash.mp3	Endermanch@Antivirus.exe
File created	C:\Program Files (x86)\antiviruspc2009\bzip2.dll	Endermanch@AnViPC2009.exe
File created	C:\Program Files (x86)\antiviruspc2009\avpc2009.exe	Endermanch@AnViPC2009.exe
File opened for modification	C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe	Endermanch@LPS2019.exe
File created	C:\Program Files (x86)\antiviruspc2009\libltdl3.dll	Endermanch@AnViPC2009.exe
File created	C:\Program Files (x86)\AnVi\virus.mp3	Endermanch@Antivirus.exe
File created	C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_7173269	Endermanch@LPS2019.exe
File created	C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe	Endermanch@LPS2019.exe
File opened for modification	C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll	Endermanch@AnViPC2009.exe
File opened for modification	C:\Program Files (x86)\antiviruspc2009\bzip2.dll	Endermanch@AnViPC2009.exe
File opened for modification	C:\Program Files (x86)\HjuTygFcvX	Endermanch@LPS2019.exe
File created	C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_7173440	Endermanch@AnViPC2009.exe
File created	C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll	Endermanch@AnViPC2009.exe
File opened for modification	C:\Program Files (x86)\antiviruspc2009	Endermanch@AnViPC2009.exe
File opened for modification	C:\Program Files (x86)\antiviruspc2009\avpc2009.exe	Endermanch@AnViPC2009.exe

Drops file in Windows directory 19 IoCs

Processes:

Endermanch@BadRabbit.exeEndermanch@Krotten.exeEndermanch@AntivirusPlatinum.exeEndermanch@LPS2019.exeEndermanch@SecurityDefender.exerundll32.exeEndermanch@SE2011.exe

description	ioc	process
File created	C:\Windows\infpub.dat	Endermanch@BadRabbit.exe
File opened for modification	C:\WINDOWS\Web	Endermanch@Krotten.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_7173378	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\COMCTL32.OCX	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	Endermanch@LPS2019.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	Endermanch@SecurityDefender.exe
File created	C:\Windows\COMCTL32.OCX	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	Endermanch@SE2011.exe
File created	C:\Windows\antivirus-platinum.exe	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\MSCOMCTL.OCX	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\302746537.exe	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\A593.tmp	rundll32.exe
File opened for modification	C:\Windows\antivirus-platinum.exe	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\MSCOMCTL.OCX	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\302746537.exe	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\A593.tmp	rundll32.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2172 sc.exe
1780 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2172	sc.exe
1780	sc.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2448	268	WerFault.exe	Endermanch@SecurityDefener2015.exe
2484	524	WerFault.exe	Endermanch@SE2011.exe
2900	1676	WerFault.exe	Endermanch@InfinityCrypt.exe
1392	1572	WerFault.exe	Endermanch@DeriaLock.exe
2784	1692	WerFault.exe	Endermanch@HappyAntivirus.exe
3068	1648	WerFault.exe	6AdwCleaner.exe
1076	2652	WerFault.exe	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
1084	696	WerFault.exe	Endermanch@AntivirusPro2017.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_2

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1292 taskkill.exe
2772 taskkill.exe

pid	process
1292	taskkill.exe
2772	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

Processes:

Endermanch@Krotten.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Endermanch@Krotten.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

Endermanch@Krotten.exeEndermanch@Antivirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	Endermanch@Antivirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"	Endermanch@Antivirus.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	Endermanch@Krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://poetry.rotten.com/lightning/"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Endermanch@Krotten.exe

Modifies registry class 1 IoCs

Processes:

Endermanch@Krotten.exe

description ioc process

Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND Endermanch@Krotten.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2092 reg.exe
2728 reg.exe
3000 reg.exe
1756 reg.exe
2812 reg.exe
2940 reg.exe
3024 reg.exe
3048 reg.exe
2268 reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND	Endermanch@Krotten.exe

pid	process
2092	reg.exe
2728	reg.exe
3000	reg.exe
1756	reg.exe
2812	reg.exe
2940	reg.exe
3024	reg.exe
3048	reg.exe
2268	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1820 PING.EXE

pid	process
1820	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Endermanch@PolyRansom.exeEndermanch@NoMoreRansom.exeEndermanch@SE2011.exeEndermanch@ViraLock.exerundll32.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@SecurityDefender.exe

pid	process
1812	Endermanch@PolyRansom.exe
1812	Endermanch@PolyRansom.exe
1472	Endermanch@NoMoreRansom.exe
1472	Endermanch@NoMoreRansom.exe
524	Endermanch@SE2011.exe
2176	Endermanch@ViraLock.exe
2176	Endermanch@ViraLock.exe
1876	rundll32.exe
2620	Endermanch@PolyRansom.exe
2620	Endermanch@PolyRansom.exe
1876	rundll32.exe
2912	Endermanch@ViraLock.exe
2912	Endermanch@ViraLock.exe
548	Endermanch@SecurityDefender.exe
548	Endermanch@SecurityDefender.exe
548	Endermanch@SecurityDefender.exe
548	Endermanch@SecurityDefender.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exeEndermanch@Krotten.exeEndermanch@Petya.A.exe6AdwCleaner.exerundll32.exeEndermanch@SecurityDefender.exeEndermanch@SE2011.exe

description	pid	process
Token: SeDebugPrivilege	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
Token: SeSystemtimePrivilege	1952	Endermanch@Krotten.exe
Token: SeSystemtimePrivilege	1952	Endermanch@Krotten.exe
Token: SeSystemtimePrivilege	1952	Endermanch@Krotten.exe
Token: SeShutdownPrivilege	1668	Endermanch@Petya.A.exe
Token: SeDebugPrivilege	1648	6AdwCleaner.exe
Token: SeShutdownPrivilege	1876	rundll32.exe
Token: SeDebugPrivilege	1876	rundll32.exe
Token: SeTcbPrivilege	1876	rundll32.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	548	Endermanch@SecurityDefender.exe
Token: SeDebugPrivilege	548	Endermanch@SecurityDefender.exe
Token: SeRestorePrivilege	524	Endermanch@SE2011.exe
Token: SeRestorePrivilege	524	Endermanch@SE2011.exe
Token: SeRestorePrivilege	524	Endermanch@SE2011.exe
Token: SeRestorePrivilege	524	Endermanch@SE2011.exe
Token: SeRestorePrivilege	524	Endermanch@SE2011.exe
Token: SeRestorePrivilege	524	Endermanch@SE2011.exe
Token: SeRestorePrivilege	524	Endermanch@SE2011.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Endermanch@Antivirus.exeEndermanch@Xyeta.exeEndermanch@SecurityScanner.exeEndermanch@SecurityDefender.exe

pid	process
2032	Endermanch@Antivirus.exe
2032	Endermanch@Antivirus.exe
2032	Endermanch@Antivirus.exe
2212	Endermanch@Xyeta.exe
568	Endermanch@SecurityScanner.exe
548	Endermanch@SecurityDefender.exe
548	Endermanch@SecurityDefender.exe
548	Endermanch@SecurityDefender.exe
548	Endermanch@SecurityDefender.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Endermanch@Antivirus.exe

pid process

2032 Endermanch@Antivirus.exe
2032 Endermanch@Antivirus.exe
2032 Endermanch@Antivirus.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Endermanch@Antivirus.exeEndermanch@SecurityCentral.exeEndermanch@SE2011.exeEndermanch@SmartDefragmenter.exe

pid	process
2032	Endermanch@Antivirus.exe
2032	Endermanch@Antivirus.exe
2032	Endermanch@Antivirus.exe
804	Endermanch@SecurityCentral.exe
2032	Endermanch@Antivirus.exe
2032	Endermanch@Antivirus.exe
524	Endermanch@SE2011.exe
2032	Endermanch@Antivirus.exe
2116	Endermanch@SmartDefragmenter.exe
2032	Endermanch@Antivirus.exe
2032	Endermanch@Antivirus.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Endermanch@NoMoreRansom.exeEndermanch@Cerber5.exe

pid process

1472 Endermanch@NoMoreRansom.exe
1460 Endermanch@Cerber5.exe

pid	process
1472	Endermanch@NoMoreRansom.exe
1460	Endermanch@Cerber5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exeEndermanch@BadRabbit.exe

description	pid	process	target process
PID 1928 wrote to memory of 2032	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Antivirus.exe
PID 1928 wrote to memory of 2032	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Antivirus.exe
PID 1928 wrote to memory of 2032	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Antivirus.exe
PID 1928 wrote to memory of 2032	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Antivirus.exe
PID 1928 wrote to memory of 944	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPlatinum.exe
PID 1928 wrote to memory of 944	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPlatinum.exe
PID 1928 wrote to memory of 944	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPlatinum.exe
PID 1928 wrote to memory of 944	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPlatinum.exe
PID 1928 wrote to memory of 944	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPlatinum.exe
PID 1928 wrote to memory of 944	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPlatinum.exe
PID 1928 wrote to memory of 944	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPlatinum.exe
PID 1928 wrote to memory of 696	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPro2017.exe
PID 1928 wrote to memory of 696	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPro2017.exe
PID 1928 wrote to memory of 696	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPro2017.exe
PID 1928 wrote to memory of 696	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AntivirusPro2017.exe
PID 1928 wrote to memory of 1740	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AnViPC2009.exe
PID 1928 wrote to memory of 1740	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AnViPC2009.exe
PID 1928 wrote to memory of 1740	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AnViPC2009.exe
PID 1928 wrote to memory of 1740	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AnViPC2009.exe
PID 1928 wrote to memory of 1740	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AnViPC2009.exe
PID 1928 wrote to memory of 1740	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AnViPC2009.exe
PID 1928 wrote to memory of 1740	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@AnViPC2009.exe
PID 1928 wrote to memory of 456	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@BadRabbit.exe
PID 1928 wrote to memory of 456	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@BadRabbit.exe
PID 1928 wrote to memory of 456	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@BadRabbit.exe
PID 1928 wrote to memory of 456	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@BadRabbit.exe
PID 1928 wrote to memory of 456	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@BadRabbit.exe
PID 1928 wrote to memory of 456	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@BadRabbit.exe
PID 1928 wrote to memory of 456	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@BadRabbit.exe
PID 1928 wrote to memory of 320	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Birele.exe
PID 1928 wrote to memory of 320	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Birele.exe
PID 1928 wrote to memory of 320	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Birele.exe
PID 1928 wrote to memory of 320	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Birele.exe
PID 1928 wrote to memory of 1460	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Cerber5.exe
PID 1928 wrote to memory of 1460	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Cerber5.exe
PID 1928 wrote to memory of 1460	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Cerber5.exe
PID 1928 wrote to memory of 1460	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Cerber5.exe
PID 1928 wrote to memory of 1572	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@DeriaLock.exe
PID 1928 wrote to memory of 1572	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@DeriaLock.exe
PID 1928 wrote to memory of 1572	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@DeriaLock.exe
PID 1928 wrote to memory of 1572	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@DeriaLock.exe
PID 1928 wrote to memory of 2040	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@FakeAdwCleaner.exe
PID 1928 wrote to memory of 2040	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@FakeAdwCleaner.exe
PID 1928 wrote to memory of 2040	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@FakeAdwCleaner.exe
PID 1928 wrote to memory of 2040	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@FakeAdwCleaner.exe
PID 1928 wrote to memory of 1692	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@HappyAntivirus.exe
PID 1928 wrote to memory of 1692	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@HappyAntivirus.exe
PID 1928 wrote to memory of 1692	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@HappyAntivirus.exe
PID 1928 wrote to memory of 1692	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@HappyAntivirus.exe
PID 1928 wrote to memory of 1676	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@InfinityCrypt.exe
PID 1928 wrote to memory of 1676	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@InfinityCrypt.exe
PID 1928 wrote to memory of 1676	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@InfinityCrypt.exe
PID 1928 wrote to memory of 1676	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@InfinityCrypt.exe
PID 1928 wrote to memory of 1952	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Krotten.exe
PID 1928 wrote to memory of 1952	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Krotten.exe
PID 1928 wrote to memory of 1952	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Krotten.exe
PID 1928 wrote to memory of 1952	1928	Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe	Endermanch@Krotten.exe
PID 456 wrote to memory of 1876	456	Endermanch@BadRabbit.exe	rundll32.exe
PID 456 wrote to memory of 1876	456	Endermanch@BadRabbit.exe	rundll32.exe
PID 456 wrote to memory of 1876	456	Endermanch@BadRabbit.exe	rundll32.exe
PID 456 wrote to memory of 1876	456	Endermanch@BadRabbit.exe	rundll32.exe
PID 456 wrote to memory of 1876	456	Endermanch@BadRabbit.exe	rundll32.exe
PID 456 wrote to memory of 1876	456	Endermanch@BadRabbit.exe	rundll32.exe
PID 456 wrote to memory of 1876	456	Endermanch@BadRabbit.exe	rundll32.exe

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Endermanch@Krotten.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3044 attrib.exe

pid	process
3044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\SysWOW64\net.exe
net stop wscsvc
3⤵
PID:2600

C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
3⤵
PID:2644

C:\Windows\SysWOW64\net.exe
net start winmgmt
3⤵
PID:3020

C:\Windows\SysWOW64\net.exe
net start wscsvc
3⤵
PID:3032

C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
3⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:944

C:\WINDOWS\302746537.exe
"C:\WINDOWS\302746537.exe"
3⤵
- Executes dropped EXE
PID:2820

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 552
3⤵
- Program crash
PID:1084

C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1740

C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
4⤵
PID:2872

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
5⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2935895650 && exit"
4⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00
4⤵
PID:2200

C:\Windows\A593.tmp
"C:\Windows\A593.tmp" \\.\pipe\{10650376-FE2C-4ECF-B705-8C989E15919B}
4⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:320

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
3⤵
- Kills process with taskkill
PID:1292

C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of UnmapMainImage
PID:1460

C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 512
3⤵
- Program crash
PID:1392

C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040

C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1648 -s 1004
4⤵
- Program crash
PID:3068

C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 512
3⤵
- Program crash
PID:2784

C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 512
3⤵
- Program crash
PID:2900

C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1952

C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1492

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
3⤵
- Executes dropped EXE
PID:2832

C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1908 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe" & start C:\Users\Admin\AppData\Local\qabsbnuj.exe -f
3⤵
- Loads dropped DLL
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1908
4⤵
- Kills process with taskkill
PID:2772

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
4⤵
- Runs ping.exe
PID:1820

C:\Users\Admin\AppData\Local\qabsbnuj.exe
C:\Users\Admin\AppData\Local\qabsbnuj.exe -f
4⤵
- Executes dropped EXE
PID:3016

C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1472

C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"
2⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
3⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Users\Admin\NegQYIUk\keUowsok.exe
"C:\Users\Admin\NegQYIUk\keUowsok.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:996

C:\ProgramData\tkUQYEIg\aIQowQoU.exe
"C:\ProgramData\tkUQYEIg\aIQowQoU.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
3⤵
- Loads dropped DLL
PID:556

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
5⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2268

C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940

C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp" /SL4 $101DC "C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe" 779923 55808
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860

C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"
2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 748
3⤵
- Program crash
PID:2484

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:804

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrkE651.tmp", start install worker
3⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"
2⤵
- Executes dropped EXE
PID:268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 152
3⤵
- Loads dropped DLL
- Program crash
PID:2448

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:568

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:2172

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
3⤵
- Launches sc.exe
PID:1780

C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
3⤵
- Loads dropped DLL
PID:2528

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
5⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMAkMIYI.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
5⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQIkIgQw.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
3⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:3044

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3068

C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious use of FindShellTrayWindow
PID:2212

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
2⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
2⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"
2⤵
PID:2652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2652 -s 564
3⤵
- Program crash
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tkUQYEIg\aIQowQoU.exe
Filesize
204KB

MD5
1207141b9a5e9f700332a69d0b4195f7

SHA1
3e9efd9e629ef5f99fd49ab76aea838b98308595

SHA256
8774f2cf6beb9ccbe4f42a2eb36a1cffaec1fa5904c975f59ffb34e9a0d478c1

SHA512
b8c88ddf6499b6fbffc8bfb41853f7bfde11e268a1493a3a161c58b1a8eae4aed9963e488d5a9dd2b919139b65b45121a1f87427ebd646e54969b1c2354a6126

Download Submit
C:\ProgramData\tkUQYEIg\aIQowQoU.inf
Filesize
4B

MD5
e9924fd5e0e1fa35e4989687a6611c9a

SHA1
33f31a3d3d8d9b931342033aa87b70eae58449ba

SHA256
214fdbebecbf099bd6af4e607badba8812215d1eecdd383601b861b9015a3c55

SHA512
7b821b245563e70a2739e0160344559b731aa4049f33bb5d29628991d17662976dd533d355a002dc4df1ba6cae767af25abe496cbe12f68c65f97fadee292ef4

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
Filesize
1.2MB

MD5
910dd666c83efd3496f21f9f211cdc1f

SHA1
77cd736ee1697beda0ac65da24455ec566ba7440

SHA256
06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512
467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
Filesize
1.2MB

MD5
910dd666c83efd3496f21f9f211cdc1f

SHA1
77cd736ee1697beda0ac65da24455ec566ba7440

SHA256
06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512
467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe
Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe
Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe
Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe
Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe
Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe
Filesize
414KB

MD5
d0deb2644c9435ea701e88537787ea6e

SHA1
866e47ecd80da89c4f56557659027a3aee897132

SHA256
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe
Filesize
414KB

MD5
d0deb2644c9435ea701e88537787ea6e

SHA1
866e47ecd80da89c4f56557659027a3aee897132

SHA256
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
Filesize
878KB

MD5
e4d4a59494265949993e26dee7b077d1

SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
Filesize
878KB

MD5
e4d4a59494265949993e26dee7b077d1

SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe
Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
Filesize
1.0MB

MD5
0002dddba512e20c3f82aaab8bad8b4d

SHA1
493286b108822ba636cc0e53b8259e4f06ecf900

SHA256
2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512
497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
Filesize
1.0MB

MD5
0002dddba512e20c3f82aaab8bad8b4d

SHA1
493286b108822ba636cc0e53b8259e4f06ecf900

SHA256
2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512
497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe
Filesize
2.4MB

MD5
02f471d1fefbdc07af5555dbfd6ea918

SHA1
2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
Filesize
904KB

MD5
0315c3149c7dc1d865dc5a89043d870d

SHA1
f74546dda99891ca688416b1a61c9637b3794108

SHA256
90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

SHA512
7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe
Filesize
1.4MB

MD5
e1b69c058131e1593eccd4fbcdbb72b2

SHA1
6d319439cac072547edd7cf2019855fa25092006

SHA256
b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f

SHA512
161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe
Filesize
1.4MB

MD5
e1b69c058131e1593eccd4fbcdbb72b2

SHA1
6d319439cac072547edd7cf2019855fa25092006

SHA256
b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f

SHA512
161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe
Filesize
1.2MB

MD5
d5e5853f5a2a5a7413f26c625c0e240b

SHA1
0ced68483e7f3742a963f2507937bb7089de3ffe

SHA256
415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3

SHA512
49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe
Filesize
2.2MB

MD5
7dde6427dcf06d0c861693b96ad053a0

SHA1
086008ecfe06ad06f4c0eee2b13530897146ae01

SHA256
077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf

SHA512
8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe
Filesize
2.2MB

MD5
7dde6427dcf06d0c861693b96ad053a0

SHA1
086008ecfe06ad06f4c0eee2b13530897146ae01

SHA256
077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf

SHA512
8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe
Filesize
438KB

MD5
03baeba6b4224371cca7fa6f95ae61c0

SHA1
8731202d2f954421a37b5c9e01d971131bd515f1

SHA256
61a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35

SHA512
386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe
Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fantom.exe
Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp
Filesize
661KB

MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp
Filesize
661KB

MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
C:\Users\Admin\NegQYIUk\keUowsok.exe
Filesize
179KB

MD5
0b6f371fbfdea58bdf6271cc237001d5

SHA1
d56a75a9ff7bbb2eddc953b768c509f81c64bc32

SHA256
640a9570498c76d53001f7d0d0c4c4777953ac3fef79423cc29fffa916fc02ab

SHA512
b55f1fbc055abda1ae8262182f6a2cfed0ed49d9f6028a0d19fd5b83c4a36f2327d93f19b7d8b7342962f4e41d0380acab0d738a60e5f0ab87fbf8769b27412e

Download Submit
C:\Users\Admin\NegQYIUk\keUowsok.inf
Filesize
4B

MD5
f52d93ee078a11254df6875fea5e518e

SHA1
2b97d3a1863cabc4fca49c670be2cf5ea7f1956d

SHA256
256bf5c9363aaf85197fb8efc0b2157e4110fb25faa04f6fdb67358dd51018c1

SHA512
9fff1521da0764fc1a13da83292acc250f244c571cf4ca3746c2c9467fa57cfb7961ae69c7b79b3974ad294b1c928a04c2e4abb502a77a192d22701b617999f7

Download Submit
C:\Windows\infpub.dat
Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\ProgramData\tkUQYEIg\aIQowQoU.exe
Filesize
204KB

MD5
1207141b9a5e9f700332a69d0b4195f7

SHA1
3e9efd9e629ef5f99fd49ab76aea838b98308595

SHA256
8774f2cf6beb9ccbe4f42a2eb36a1cffaec1fa5904c975f59ffb34e9a0d478c1

SHA512
b8c88ddf6499b6fbffc8bfb41853f7bfde11e268a1493a3a161c58b1a8eae4aed9963e488d5a9dd2b919139b65b45121a1f87427ebd646e54969b1c2354a6126

Download Submit
\ProgramData\tkUQYEIg\aIQowQoU.exe
Filesize
204KB

MD5
1207141b9a5e9f700332a69d0b4195f7

SHA1
3e9efd9e629ef5f99fd49ab76aea838b98308595

SHA256
8774f2cf6beb9ccbe4f42a2eb36a1cffaec1fa5904c975f59ffb34e9a0d478c1

SHA512
b8c88ddf6499b6fbffc8bfb41853f7bfde11e268a1493a3a161c58b1a8eae4aed9963e488d5a9dd2b919139b65b45121a1f87427ebd646e54969b1c2354a6126

Download Submit
\Users\Admin\AppData\Local\6AdwCleaner.exe
Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp
Filesize
661KB

MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
\Users\Admin\AppData\Local\Temp\is-KIFKL.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KIFKL.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\NegQYIUk\keUowsok.exe
Filesize
179KB

MD5
0b6f371fbfdea58bdf6271cc237001d5

SHA1
d56a75a9ff7bbb2eddc953b768c509f81c64bc32

SHA256
640a9570498c76d53001f7d0d0c4c4777953ac3fef79423cc29fffa916fc02ab

SHA512
b55f1fbc055abda1ae8262182f6a2cfed0ed49d9f6028a0d19fd5b83c4a36f2327d93f19b7d8b7342962f4e41d0380acab0d738a60e5f0ab87fbf8769b27412e

Download Submit
\Users\Admin\NegQYIUk\keUowsok.exe
Filesize
179KB

MD5
0b6f371fbfdea58bdf6271cc237001d5

SHA1
d56a75a9ff7bbb2eddc953b768c509f81c64bc32

SHA256
640a9570498c76d53001f7d0d0c4c4777953ac3fef79423cc29fffa916fc02ab

SHA512
b55f1fbc055abda1ae8262182f6a2cfed0ed49d9f6028a0d19fd5b83c4a36f2327d93f19b7d8b7342962f4e41d0380acab0d738a60e5f0ab87fbf8769b27412e

Download Submit
memory/268-181-0x0000000000000000-mapping.dmp

Download
memory/268-185-0x0000000001370000-0x00000000014AB000-memory.dmp

Filesize
1.2MB

Download
memory/320-107-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/320-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/320-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/320-89-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/320-73-0x0000000000000000-mapping.dmp

Download
memory/320-110-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/456-69-0x0000000000000000-mapping.dmp

Download
memory/524-284-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/524-230-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/524-174-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/524-171-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/524-146-0x0000000000000000-mapping.dmp

Download
memory/524-286-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/524-219-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/548-191-0x0000000000630000-0x0000000000777000-memory.dmp

Filesize
1.3MB

Download
memory/548-176-0x0000000000000000-mapping.dmp

Download
memory/556-242-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/556-243-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/556-179-0x0000000000000000-mapping.dmp

Download
memory/568-198-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/568-225-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/568-229-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/568-194-0x0000000000000000-mapping.dmp

Download
memory/696-281-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/696-112-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/696-63-0x0000000000000000-mapping.dmp

Download
memory/696-167-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/696-141-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/804-154-0x0000000000000000-mapping.dmp

Download
memory/860-150-0x0000000000000000-mapping.dmp

Download
memory/944-61-0x0000000000000000-mapping.dmp

Download
memory/944-268-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/944-266-0x0000000000960000-0x0000000000966000-memory.dmp

Filesize
24KB

Download
memory/976-169-0x0000000000000000-mapping.dmp

Download
memory/976-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-161-0x0000000000000000-mapping.dmp

Download
memory/996-186-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1064-116-0x0000000000000000-mapping.dmp

Download
memory/1292-178-0x0000000000000000-mapping.dmp

Download
memory/1460-164-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1460-75-0x0000000000000000-mapping.dmp

Download
memory/1460-285-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1460-162-0x0000000000150000-0x0000000000181000-memory.dmp

Filesize
196KB

Download
memory/1472-132-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1472-133-0x0000000000320000-0x00000000003EE000-memory.dmp

Filesize
824KB

Download
memory/1472-108-0x0000000000000000-mapping.dmp

Download
memory/1472-282-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1472-138-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1492-102-0x0000000000000000-mapping.dmp

Download
memory/1572-263-0x0000000000D80000-0x0000000000E02000-memory.dmp

Filesize
520KB

Download
memory/1572-77-0x0000000000000000-mapping.dmp

Download
memory/1648-137-0x0000000000BB0000-0x0000000000BDE000-memory.dmp

Filesize
184KB

Download
memory/1648-130-0x0000000000000000-mapping.dmp

Download
memory/1668-190-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/1668-118-0x0000000000000000-mapping.dmp

Download
memory/1668-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-88-0x0000000000000000-mapping.dmp

Download
memory/1676-264-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/1692-262-0x0000000000D00000-0x0000000000EF2000-memory.dmp

Filesize
1.9MB

Download
memory/1692-86-0x0000000000000000-mapping.dmp

Download
memory/1740-66-0x0000000000000000-mapping.dmp

Download
memory/1756-196-0x0000000000000000-mapping.dmp

Download
memory/1812-187-0x0000000000470000-0x00000000004A4000-memory.dmp

Filesize
208KB

Download
memory/1812-120-0x0000000000000000-mapping.dmp

Download
memory/1812-173-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1812-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1812-175-0x0000000000470000-0x00000000004A4000-memory.dmp

Filesize
208KB

Download
memory/1876-92-0x0000000000000000-mapping.dmp

Download
memory/1876-236-0x0000000000B10000-0x0000000000B78000-memory.dmp

Filesize
416KB

Download
memory/1876-248-0x0000000000B10000-0x0000000000B78000-memory.dmp

Filesize
416KB

Download
memory/1908-104-0x0000000000000000-mapping.dmp

Download
memory/1908-136-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/1908-259-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/1928-55-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/1928-57-0x00000000004F0000-0x0000000000528000-memory.dmp

Filesize
224KB

Download
memory/1928-54-0x0000000000240000-0x000000000026C000-memory.dmp

Filesize
176KB

Download
memory/1928-56-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1940-165-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1940-126-0x0000000000000000-mapping.dmp

Download
memory/1940-143-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1952-91-0x0000000000000000-mapping.dmp

Download
memory/2032-58-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/2040-80-0x0000000000000000-mapping.dmp

Download
memory/2092-211-0x0000000000000000-mapping.dmp

Download
memory/2116-278-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2116-267-0x0000000001D20000-0x0000000001D87000-memory.dmp

Filesize
412KB

Download
memory/2116-197-0x0000000000000000-mapping.dmp

Download
memory/2116-283-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2148-200-0x0000000000000000-mapping.dmp

Download
memory/2148-271-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2148-270-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2148-269-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2148-221-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2160-215-0x0000000000000000-mapping.dmp

Download
memory/2176-202-0x0000000000000000-mapping.dmp

Download
memory/2176-279-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-223-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2192-204-0x0000000000000000-mapping.dmp

Download
memory/2212-207-0x0000000000000000-mapping.dmp

Download
memory/2212-249-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-224-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-244-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2224-208-0x0000000000000000-mapping.dmp

Download
memory/2224-275-0x0000000000550000-0x0000000000582000-memory.dmp

Filesize
200KB

Download
memory/2268-216-0x0000000000000000-mapping.dmp

Download
memory/2448-228-0x0000000000000000-mapping.dmp

Download
memory/2480-226-0x0000000000000000-mapping.dmp

Download
memory/2528-274-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2528-227-0x0000000000000000-mapping.dmp

Download
memory/2528-273-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2620-232-0x0000000000000000-mapping.dmp

Download
memory/2620-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-234-0x0000000000000000-mapping.dmp

Download
memory/2652-260-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2660-247-0x0000000000000000-mapping.dmp

Download
memory/2728-245-0x0000000000000000-mapping.dmp

Download
memory/2772-250-0x0000000000000000-mapping.dmp

Download
memory/2788-251-0x0000000000000000-mapping.dmp

Download
memory/2812-255-0x0000000000000000-mapping.dmp

Download
memory/2820-272-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2820-252-0x0000000000000000-mapping.dmp

Download
memory/2832-276-0x0000000000000000-mapping.dmp

Download
memory/2872-257-0x0000000000000000-mapping.dmp

Download
memory/2912-265-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-258-0x0000000000000000-mapping.dmp

Download
memory/2940-261-0x0000000000000000-mapping.dmp

Download