Analysis
-
max time kernel
82s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29-09-2022 12:38
Static task
static1
Behavioral task
behavioral1
Sample
Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Resource
win10v2004-20220901-en
General
-
Target
Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
-
Size
148KB
-
MD5
6ed3e3327246cc457d22bb92bd3bba8b
-
SHA1
1329a6af26f16bb371782ff404d526eec1af9d22
-
SHA256
72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
-
SHA512
f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7
-
SSDEEP
3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh
Malware Config
Extracted
\??\c:\_R_E_A_D___T_H_I_S___EY4TH_.txt
cerber
http://xpcx6erilkjced3j.onion/26C4-70E9-FBB8-0098-BDBD
http://xpcx6erilkjced3j.1n5mod.top/26C4-70E9-FBB8-0098-BDBD
http://xpcx6erilkjced3j.19kdeh.top/26C4-70E9-FBB8-0098-BDBD
http://xpcx6erilkjced3j.1mpsnr.top/26C4-70E9-FBB8-0098-BDBD
http://xpcx6erilkjced3j.18ey8e.top/26C4-70E9-FBB8-0098-BDBD
http://xpcx6erilkjced3j.17gcun.top/26C4-70E9-FBB8-0098-BDBD
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Endermanch@Birele.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\Endermanch@Birele.exe"
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
Processes:
yara_rule: mimikatz
resource: C:\Windows\41CC.tmp
-
Disables RegEdit via registry modification 2 IoCs
Processes:
Endermanch@Krotten.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Endermanch@Krotten.exe: Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
-
Disables Task Manager via registry modification
-
Executes dropped EXE 33 IoCs
Processes:
pid process
3776 Endermanch@BadRabbit.exe
3792 Endermanch@Birele.exe
3468 Endermanch@Cerber5.exe
1876 Endermanch@DeriaLock.exe
332 Fantom.exe
3192 Endermanch@InfinityCrypt.exe
3404 Endermanch@Krotten.exe
1436 Endermanch@NoMoreRansom.exe
4428 Endermanch@Petya.A.exe
5096 Endermanch@PolyRansom.exe
3412 Endermanch@WinlockerVB6Blacksod.exe
3016 Endermanch@ViraLock.exe
1036 mwIoMAwQ.exe
3860 icYgIkMc.exe
4668 Endermanch@PolyRansom.exe
2792 Endermanch@WannaCrypt0r.exe
2548 Endermanch@ViraLock.exe
4884 Endermanch@PolyRansom.exe
2652 Endermanch@ViraLock.exe
720 Endermanch@Xyeta.exe
5224 Endermanch@Antivirus.exe
5464 Endermanch@ViraLock.exe
5460 Endermanch@PolyRansom.exe
5496 Endermanch@AntivirusPlatinum.exe
5840 Endermanch@AntivirusPro2017.exe
5928 41CC.tmp
1616 Endermanch@AnViPC2009.exe
4692 Endermanch@FakeAdwCleaner.exe
1008 Endermanch@HappyAntivirus.exe
5800 Endermanch@ViraLock.exe
5988 Endermanch@PolyRansom.exe
5604 taskdl.exe
3816 taskdl.exe
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Endermanch@DeriaLock.exe: File opened for modification C:\Users\Admin\Pictures\AddNew.tiff.deria
Endermanch@DeriaLock.exe: File opened for modification C:\Users\Admin\Pictures\HideConnect.crw.deria
Endermanch@DeriaLock.exe: File opened for modification C:\Users\Admin\Pictures\MoveDismount.tif.deria
Endermanch@DeriaLock.exe: File opened for modification C:\Users\Admin\Pictures\PublishEnable.raw.deria
-
Processes:
yara_rule: upx
C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\Endermanch@Birele.exe
behavioral2/memory/3792-145-0x0000000000400000-0x0000000000438000-memory.dmp
behavioral2/memory/3792-157-0x0000000000400000-0x0000000000438000-memory.dmp
behavioral2/memory/3792-150-0x0000000000400000-0x0000000000438000-memory.dmp
behavioral2/memory/1436-187-0x0000000000400000-0x00000000005DE000-memory.dmp
behavioral2/memory/1436-189-0x0000000000400000-0x00000000005DE000-memory.dmp
behavioral2/memory/3792-212-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\Endermanch@Xyeta.exe
C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\Endermanch@Xyeta.exe
behavioral2/memory/720-259-0x0000000000400000-0x000000000044F000-memory.dmp
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe: Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
-
Drops startup file 1 IoCs
Processes:
Endermanch@DeriaLock.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid process
4536 rundll32.exe
3412 Endermanch@WinlockerVB6Blacksod.exe
3412 Endermanch@WinlockerVB6Blacksod.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 9 IoCs
Processes:
Endermanch@Krotten.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
mwIoMAwQ.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwIoMAwQ.exe = "C:\\Users\\Admin\\ROMQEsAc\\mwIoMAwQ.exe"
icYgIkMc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icYgIkMc.exe = "C:\\ProgramData\\QGAUgUkc\\icYgIkMc.exe"
Endermanch@Birele.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\Endermanch@Birele.exe"
Endermanch@Krotten.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"
Endermanch@Krotten.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"
Endermanch@PolyRansom.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwIoMAwQ.exe = "C:\\Users\\Admin\\ROMQEsAc\\mwIoMAwQ.exe"
Endermanch@PolyRansom.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icYgIkMc.exe = "C:\\ProgramData\\QGAUgUkc\\icYgIkMc.exe"
Endermanch@Birele.exe: Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Endermanch@WinlockerVB6Blacksod.exe: File opened (read-only) on 24 drive roots, \??\A: through \??\Z: with C: and D: excepted (A, B, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z)
Endermanch@Cerber5.exe: File opened (read-only) on the same 24 drive roots in lower case, \??\a: through \??\z: with c: and d: excepted
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
Endermanch@Krotten.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"
Endermanch@Krotten.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail wordsia@notrix.de код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." (Windows-1251 text that the raw capture rendered as Latin-1; in English: "To restore normal operation of your computer without losing ALL your data, and to save money, send me a Kyivstar account top-up code for 25 hryvnia by e-mail to wordsia@notrix.de. Within twelve hours you will receive by e-mail a file that removes this program.")
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
Endermanch@Petya.A.exe: File opened for modification \??\PhysicalDrive0
Endermanch@AntivirusPro2017.exe: File opened for modification \??\PhysicalDrive0
-
Drops file in System32 directory 2 IoCs
Processes:
mwIoMAwQ.exe: File created C:\Windows\SysWOW64\shell32.dll.exe
mwIoMAwQ.exe: File opened for modification C:\Windows\SysWOW64\shell32.dll.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
Endermanch@InfinityCrypt.exe: File opened for modification on 44 files under C:\Program Files (x86)\Common Files\, each already carrying the appended extension .79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A (omitted below, paths relative to Common Files):
Adobe\ARM\1.0\AdobeARMHelper.exe
Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt
Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt
Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt
Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\comdll.X.manifest
Java\Java Update\jaureg.exe
Java\Java Update\jucheck.exe
Microsoft Shared\DAO\dao360.dll
Microsoft Shared\VSTA\AppInfoDocument\AddIns.store
Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll
Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store
Microsoft Shared\VSTA\VSTOFiles.cat
Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll
Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Microsoft Shared\VSTO\10.0\VSTOLoader.dll
Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Microsoft Shared\VSTO\ActionsPane3.xsd
Microsoft Shared\VSTO\vstoee90.tlb
Endermanch@Cerber5.exe: File opened for modification on 12 directories (directory handles, no files rewritten in this list):
\??\c:\program files (x86)\microsoft sql server
\??\c:\program files (x86)\microsoft\office
\??\c:\program files (x86)\microsoft\outlook
\??\c:\program files (x86)\microsoft\onenote
\??\c:\program files (x86)\word
\??\c:\program files (x86)\microsoft\microsoft sql server
\??\c:\program files (x86)\onenote
\??\c:\program files (x86)\microsoft\powerpoint
\??\c:\program files (x86)\microsoft\excel
\??\c:\program files (x86)\steam
\??\c:\program files (x86)\powerpoint
\??\c:\program files (x86)\microsoft\word
Endermanch@AnViPC2009.exe:
File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
File opened for modification C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
File created C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
File opened for modification C:\Program Files (x86)\antiviruspc2009
File created C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
Endermanch@Antivirus.exe:
File created C:\Program Files (x86)\AnVi\splash.mp3
File created C:\Program Files (x86)\AnVi\virus.mp3
-
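The file events under "Modifies extensions of user files" (DeriaLock appending .deria) and "Drops file in Program Files directory" (InfinityCrypt appending a fixed 64-character hex suffix to every file it touches) share one detectable shape: a single process rewriting many files whose names end in <original extension>.<new marker>. The Python below is an added example, not part of this report or of the sandbox that produced it. It parses event lines of the form shown in these tables and flags any process that touches a threshold number of distinct files carrying the same appended marker. The embedded sample lines are copied from this report (with four negatives: Cerber5's directory handles and the fake-AV installers' ordinary .exe/.dll/.mp3 drops); the threshold, the allow-list of ordinary extensions and the 1-to-8-character rule for the inner extension are the example's own heuristics.

```python
"""Flag processes that rewrite many files with one new appended extension.

Added example for this report, not sandbox or malware-author code. Input
lines have the shape used in the report's file-event tables:
    File opened for modification <path> <process>
    File created <path> <process>
Ransomware that appends a marker (".deria", or the 64-hex-character suffix
InfinityCrypt uses here) produces <name>.<ext>.<marker> paths in bulk. A
family that replaces the extension instead of appending one is the blind
spot of this heuristic.
"""
import re
from collections import Counter, defaultdict

FILE_EVENT_RE = re.compile(
    r'^(?P<op>File opened for modification|File created|File opened \(read-only\)) '
    r'(?P<rest>.+)$')

# Ordinary trailing extensions are never treated as a ransomware marker
# (includes legitimate second-level suffixes such as .tar.gz). Heuristic allow-list.
COMMON_EXTENSIONS = {
    'exe', 'dll', 'ocx', 'sys', 'txt', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx',
    'pdf', 'jpg', 'jpeg', 'png', 'gif', 'tif', 'tiff', 'mp3', 'mp4', 'zip', 'rar',
    'dic', 'aff', 'xsd', 'tlb', 'cat', 'store', 'manifest', 'dat', 'tmp', 'log',
    'gz', 'bz2', 'xz', 'zst', 'bak', 'orig',
}


def parse_file_event(line):
    """Split one event line into op, path and process; None if not an event.
    Paths contain spaces, so the process is the last whitespace-separated token."""
    m = FILE_EVENT_RE.match(line.strip())
    if not m:
        return None
    path, process = m.group('rest').rsplit(' ', 1)
    return {'op': m.group('op'), 'path': path, 'process': process}


def appended_extension(path):
    """Return the trailing marker if the basename looks like <name>.<ext>.<marker>."""
    name = path.replace('/', '\\').rsplit('\\', 1)[-1]
    parts = name.split('.')
    if len(parts) < 3:
        return None
    marker, inner = parts[-1], parts[-2]
    if not marker or marker.lower() in COMMON_EXTENSIONS:
        return None
    # The inner piece must itself look like a real extension ("tiff", "dll", "manifest").
    if not (1 <= len(inner) <= 8 and inner.isalnum()):
        return None
    return marker


def detect(lines, threshold=3):
    """Map process -> {'extension', 'files'} for every process that touched at
    least `threshold` distinct files sharing the same appended marker."""
    per_process = defaultdict(set)
    for line in lines:
        ev = parse_file_event(line)
        if not ev:
            continue
        marker = appended_extension(ev['path'])
        if marker:
            per_process[ev['process']].add((marker, ev['path'].lower()))
    findings = {}
    for process, pairs in per_process.items():
        marker, count = Counter(m for m, _ in pairs).most_common(1)[0]
        if count >= threshold:
            findings[process] = {'extension': marker, 'files': count}
    return findings


# Suffix InfinityCrypt appended in this run, copied from the report.
HASH_EXT = '79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A'
# Event lines copied from this report; the last four are negatives.
SAMPLE_EVENTS = [
    r'File opened for modification C:\Users\Admin\Pictures\AddNew.tiff.deria Endermanch@DeriaLock.exe',
    r'File opened for modification C:\Users\Admin\Pictures\HideConnect.crw.deria Endermanch@DeriaLock.exe',
    r'File opened for modification C:\Users\Admin\Pictures\MoveDismount.tif.deria Endermanch@DeriaLock.exe',
    r'File opened for modification C:\Users\Admin\Pictures\PublishEnable.raw.deria Endermanch@DeriaLock.exe',
    rf'File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.{HASH_EXT} Endermanch@InfinityCrypt.exe',
    rf'File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.{HASH_EXT} Endermanch@InfinityCrypt.exe',
    rf'File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\comdll.X.manifest.{HASH_EXT} Endermanch@InfinityCrypt.exe',
    rf'File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll.{HASH_EXT} Endermanch@InfinityCrypt.exe',
    rf'File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic.{HASH_EXT} Endermanch@InfinityCrypt.exe',
    r'File opened for modification \??\c:\program files (x86)\microsoft sql server Endermanch@Cerber5.exe',
    r'File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe Endermanch@AnViPC2009.exe',
    r'File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll Endermanch@AnViPC2009.exe',
    r'File created C:\Program Files (x86)\AnVi\splash.mp3 Endermanch@Antivirus.exe',
]

if __name__ == '__main__':
    for process, hit in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{process}: {hit['files']} files renamed with .{hit['extension']}")
```

Run over the full event export of a sample, the same `detect()` call separates the two encryptors here from Cerber5, whose entries in this table are directory handles only, and from the fake-AV installers, whose drops end in ordinary extensions. Lower the threshold for short runs, and treat any marker that is long and hex-only with extra suspicion, since that is how per-victim keys end up in file names.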
Drops file in Windows directory 15 IoCs
Processes:
rundll32.exe: File opened for modification C:\Windows\infpub.dat
rundll32.exe: File opened for modification C:\Windows\41CC.tmp
Endermanch@AntivirusPlatinum.exe: File opened for modification C:\Windows\antivirus-platinum.exe
Endermanch@AntivirusPlatinum.exe: File created C:\Windows\COMCTL32.OCX
Endermanch@AntivirusPlatinum.exe: File opened for modification C:\Windows\COMCTL32.OCX
Endermanch@AntivirusPlatinum.exe: File created C:\Windows\302746537.exe
Endermanch@Krotten.exe: File opened for modification C:\WINDOWS\Web
Endermanch@AntivirusPlatinum.exe: File created C:\Windows\antivirus-platinum.exe
Endermanch@AntivirusPlatinum.exe: File created C:\Windows\MSCOMCTL.OCX
Endermanch@AntivirusPlatinum.exe: File opened for modification C:\Windows\302746537.exe
Endermanch@BadRabbit.exe: File created C:\Windows\infpub.dat
rundll32.exe: File created C:\Windows\dispci.exe
Endermanch@AntivirusPlatinum.exe: File created C:\Windows\__tmp_rar_sfx_access_check_240611125
Endermanch@AntivirusPlatinum.exe: File opened for modification C:\Windows\MSCOMCTL.OCX
rundll32.exe: File created C:\Windows\cscc.dat
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
WerFault.exe (pid 5776) for crashed process 720 Endermanch@Xyeta.exe
WerFault.exe (pid 3908) for crashed process 1008 Endermanch@HappyAntivirus.exe
WerFault.exe (pid 5772) for crashed process 5840 Endermanch@AntivirusPro2017.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Endermanch@InfinityCrypt.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Endermanch@InfinityCrypt.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
3168 schtasks.exe
5444 schtasks.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid process
3028 taskkill.exe
-
Modifies Control Panel 6 IoCs
Processes:
Endermanch@Krotten.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginY = "187"
Endermanch@Krotten.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\MenuShowDelay = "9999"
Endermanch@Krotten.exe: Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International
Endermanch@Krotten.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\sTimeFormat = "ХУЙ" (Russian obscenity; Windows-1251 text that the raw capture rendered as Latin-1)
Endermanch@Krotten.exe: Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop
Endermanch@Krotten.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginX = "210"
-
Processes:
Endermanch@Krotten.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main
Endermanch@Krotten.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" (Russian obscenity; Windows-1251 text that the raw capture rendered as Latin-1)
Endermanch@Krotten.exe: Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main
Endermanch@Krotten.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::"
Endermanch@Antivirus.exe: Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main
Endermanch@Antivirus.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
Endermanch@Krotten.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"
Endermanch@Krotten.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"
-
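The registry writes recorded under "Modifies WinLogon for persistence", "Disables RegEdit via registry modification", "Adds Run key to start application", "Modifies WinLogon", "Modifies Internet Explorer start page" and "Modifies registry class" all share one event shape: operation, value type, key, value, process. The Python below is an added example, not part of this report or of the sandbox that produced it. It parses event lines of that shape, folds HKLM/HKU and the WOW6432Node view into one logical key, and maps each write to the same categories, so the rules can be re-run over the event export of another sample. The embedded event lines are copied from this report (plus Krotten's MenuShowDelay write as a negative); the rule names and the "anything but explorer.exe" test for Winlogon\Shell are the example's own choices.

```python
"""Classify sandbox registry events into tamper/persistence categories.

Added example for this report, not sandbox or malware-author code. Events
have the shape used in the report's IoC tables:
    <op> (<type>) <key> = "<value>" <process>
Keys may contain spaces ("Windows NT", "Control Panel"), so the process is
the last whitespace-separated token, not the result of a simple split.
"""
import re
from collections import defaultdict

OP_RE = re.compile(
    r'^(?P<op>Set value|Key created|Key deleted)'
    r'(?: \((?P<type>\w+)\))? (?P<rest>.+)$')
# \REGISTRY\MACHINE\... -> HKLM, \REGISTRY\USER\<SID>\... -> HKU
HIVE_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>MACHINE|USER\\S-1-5-21-[\d-]+)\\', re.I)
# The 32-bit redirected view is the same logical key for detection purposes.
WOW_RE = re.compile(r'^SOFTWARE\\WOW6432Node\\', re.I)


def normalize_key(key):
    """Return (hive, path) with hive prefix, SID and WOW6432Node stripped."""
    m = HIVE_RE.match(key)
    if not m:
        return None, key
    hive = 'HKLM' if m.group('hive').upper() == 'MACHINE' else 'HKU'
    return hive, WOW_RE.sub(r'SOFTWARE\\', key[m.end():])


def parse_event(line):
    """Parse one event line into a dict; None if the line is not an event."""
    m = OP_RE.match(line.strip())
    if not m:
        return None
    body, process = m.group('rest').rsplit(' ', 1)
    value = None
    if m.group('op') == 'Set value':
        key, _, raw = body.partition(' = ')
        value = raw.strip('"')
    else:
        key = body
    hive, path = normalize_key(key)
    return {'op': m.group('op'), 'type': m.group('type'), 'hive': hive,
            'key': path, 'value': value, 'process': process}


# (rule name, regex on the normalised key path, extra condition on the event).
# Winlogon\Shell is explorer.exe on a healthy host; anything else runs in place
# of the desktop at every logon, which is what Birele does here.
RULES = [
    ('winlogon_shell_persistence',
     r'^SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$',
     lambda ev: ev['value'] is not None
     and ev['value'].lower().rsplit('\\', 1)[-1] != 'explorer.exe'),
    ('winlogon_legal_notice',
     r'^SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNotice(Caption|Text)$',
     lambda ev: ev['op'] == 'Set value'),
    ('run_key_persistence',
     r'^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$',
     lambda ev: ev['op'] == 'Set value'),
    ('disables_regedit',
     r'^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools$',
     lambda ev: ev['value'] == '1'),
    ('ie_start_page',
     r'^SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Start Page$',
     lambda ev: ev['op'] == 'Set value'),
    # Deleting regfile\shell\open\command stops .reg files from being imported by double-click.
    ('regfile_handler_removed',
     r'^SOFTWARE\\CLASSES\\REGFILE\\SHELL\\OPEN\\COMMAND$',
     lambda ev: ev['op'] == 'Key deleted'),
]
RULES = [(name, re.compile(rx, re.I), cond) for name, rx, cond in RULES]


def classify(ev):
    """Names of all rules the parsed event matches."""
    return [name for name, rx, cond in RULES if rx.match(ev['key']) and cond(ev)]


def summarize(lines):
    """Map process -> sorted rule names; processes with no hits are omitted."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev:
            hits[ev['process']].update(classify(ev))
    return {p: sorted(r) for p, r in hits.items() if r}


# Event lines copied from this report; the last one (MenuShowDelay) is a negative.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\Endermanch@Birele.exe" Endermanch@Birele.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\Endermanch@Birele.exe" Endermanch@Birele.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Endermanch@Krotten.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Endermanch@Krotten.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" Endermanch@Krotten.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" Endermanch@Krotten.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" Endermanch@Krotten.exe',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND Endermanch@Krotten.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\MenuShowDelay = "9999" Endermanch@Krotten.exe',
]

if __name__ == '__main__':
    for process, rules in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f'{process}: {", ".join(rules)}')
```

Two details matter when reusing this against real exports: the Run rule fires only on a value write below the Run key, so Krotten's bare "Key created ...\Run" is not a hit on its own, and the Winlogon\Shell rule compares the basename of the value, so a copied explorer.exe in an unusual directory would slip past it and should be caught by a separate path check.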
Modifies registry class 1 IoCs
Processes:
Endermanch@Krotten.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND
-
Modifies registry key 1 TTPs 24 IoCs
Processes:
reg.exe, 24 invocations, pids: 3776, 5296, 6132, 1412, 3024, 4244, 2408, 5852, 5312, 1376, 4880, 2488, 5020, 3796, 1824, 1640, 4736, 2084, 5184, 6012, 4992, 3680, 4384, 1072
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process (events)
4536 rundll32.exe (4)
5096 Endermanch@PolyRansom.exe (4)
3016 Endermanch@ViraLock.exe (4)
4668 Endermanch@PolyRansom.exe (4)
2548 Endermanch@ViraLock.exe (4)
4884 Endermanch@PolyRansom.exe (4)
2652 Endermanch@ViraLock.exe (4)
5460 Endermanch@PolyRansom.exe (4)
5464 Endermanch@ViraLock.exe (4)
5928 41CC.tmp (7)
1436 Endermanch@NoMoreRansom.exe (4)
1876 Endermanch@DeriaLock.exe (17)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
  pid   process
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5840  Endermanch@AntivirusPro2017.exe
  5840  Endermanch@AntivirusPro2017.exe
  5840  Endermanch@AntivirusPro2017.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
  pid   process
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
  pid   process
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
  5224  Endermanch@Antivirus.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 37 IoCs
Views/modifies file attributes 1 TTPs 1 IoCs
Processes

Process tree (indentation and [n] give the nesting depth; "cmd:" is the recorded command line)

[1] C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\Endermanch@BadRabbit.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\Endermanch@BadRabbit.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: /c schtasks /Delete /F /TN rhaegal
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /Delete /F /TN rhaegal
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1835013906 && exit"
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1835013906 && exit"
            - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
            - Creates scheduled task(s)
      [4] C:\Windows\41CC.tmp
          cmd: "C:\Windows\41CC.tmp" \\.\pipe\{9668C2A0-7AE3-436A-B3A4-C45297891E27}
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\Endermanch@Birele.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\Endermanch@Birele.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmd: taskkill /F /IM explorer.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\Endermanch@Cerber5.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\Endermanch@Cerber5.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\netsh.exe
        cmd: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\netsh.exe
        cmd: C:\Windows\system32\netsh.exe advfirewall reset
        - Modifies Windows Firewall
  [2] C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\Endermanch@DeriaLock.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\Endermanch@DeriaLock.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\Endermanch@Krotten.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\Endermanch@Krotten.exe"
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
  [2] C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\Endermanch@InfinityCrypt.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\Endermanch@InfinityCrypt.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Checks processor information in registry
  [2] C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\Endermanch@NoMoreRansom.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\Endermanch@NoMoreRansom.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\Endermanch@Petya.A.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\Endermanch@Petya.A.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe
        cmd: "C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
    [3] C:\ProgramData\QGAUgUkc\icYgIkMc.exe
        cmd: "C:\ProgramData\QGAUgUkc\icYgIkMc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
      [4] C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
          [6] C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
              [8] C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                [9] C:\Windows\SysWOW64\cmd.exe
                    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmgsQccs.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe""
                [9] C:\Windows\SysWOW64\reg.exe
                    cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                    - Modifies registry key
                [9] C:\Windows\SysWOW64\reg.exe
                    cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                    - Modifies registry key
                [9] C:\Windows\SysWOW64\reg.exe
                    cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                    - Modifies registry key
                [9] C:\Windows\SysWOW64\cmd.exe
                    cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
                  [10] C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe
                      cmd: C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
                      - Executes dropped EXE
            [7] C:\Windows\SysWOW64\reg.exe
                cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                - Modifies registry key
            [7] C:\Windows\SysWOW64\reg.exe
                cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                - Modifies registry key
            [7] C:\Windows\SysWOW64\reg.exe
                cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                - Modifies registry key
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
            - Modifies registry key
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
            - Modifies registry key
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgUcQAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe""
          [6] C:\Windows\SysWOW64\cscript.exe
              cmd: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
            - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKYQQgMY.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe""
      [4] C:\Windows\SysWOW64\cscript.exe
          cmd: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        - Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\Endermanch@WinlockerVB6Blacksod.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\Endermanch@WinlockerVB6Blacksod.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\msiexec.exe
        cmd: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\Endermanch@WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  [2] C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
      [4] C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
          [6] C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\SysWOW64\reg.exe
                cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                - Modifies registry key
            [7] C:\Windows\SysWOW64\reg.exe
                cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                - Modifies registry key
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
              [8] C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                [9] C:\Windows\SysWOW64\cmd.exe
                    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAAkQMkk.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe""
                [9] C:\Windows\SysWOW64\reg.exe
                    cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                    - Modifies registry key
                [9] C:\Windows\SysWOW64\reg.exe
                    cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                    - Modifies registry key
                [9] C:\Windows\SysWOW64\reg.exe
                    cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                    - Modifies registry key
                [9] C:\Windows\SysWOW64\cmd.exe
                    cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
                  [10] C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe
                      cmd: C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
                      - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSUIckso.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe""
              [8] C:\Windows\SysWOW64\cscript.exe
                  cmd: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
            [7] C:\Windows\SysWOW64\reg.exe
                cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                - Modifies registry key
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
            - Modifies registry key
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
            - Modifies registry key
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
            - Modifies registry key
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMEwkMEs.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe""
          [6] C:\Windows\SysWOW64\cscript.exe
              cmd: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        - Modifies registry key
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyYMMokg.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock.exe""
      [4] C:\Windows\SysWOW64\cscript.exe
          cmd: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  [2] C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\Endermanch@WannaCrypt0r.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\Endermanch@WannaCrypt0r.exe"
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\attrib.exe
        cmd: attrib +h .
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\icacls.exe
        cmd: icacls . /grant Everyone:F /T /C /Q
        - Modifies file permissions
    [3] C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe
        cmd: taskdl.exe
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe
        cmd: taskdl.exe
        - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\Endermanch@Xyeta.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\Endermanch@Xyeta.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 4483⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\Endermanch@Antivirus.exe"C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\Endermanch@Antivirus.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\net.exenet stop wscsvc3⤵
-
C:\Windows\SysWOW64\net.exenet stop winmgmt /y3⤵
-
C:\Windows\SysWOW64\net.exenet start winmgmt3⤵
-
C:\Windows\SysWOW64\net.exenet start wscsvc3⤵
-
C:\Windows\SysWOW64\Wbem\mofcomp.exemofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof3⤵
-
C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\Endermanch@AntivirusPlatinum.exe"C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\Endermanch@AntivirusPlatinum.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\ljmyia5o.gcg\Endermanch@FakeAdwCleaner.exe"C:\Users\Admin\AppData\Local\Temp\ljmyia5o.gcg\Endermanch@FakeAdwCleaner.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\Endermanch@AnViPC2009.exe"C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\Endermanch@AnViPC2009.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\Endermanch@AntivirusPro2017.exe"C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\Endermanch@AntivirusPro2017.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 8203⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\eewa04qc.hg4\Endermanch@HappyAntivirus.exe"C:\Users\Admin\AppData\Local\Temp\eewa04qc.hg4\Endermanch@HappyAntivirus.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 8043⤵
- Program crash
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 720 -ip 7201⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEMIEUoU.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom.exe""1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1008 -ip 10081⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 504 -p 2472 -ip 24721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5840 -ip 58401⤵
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Winlogon Helper DLL: 2
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Bootkit: 1
- Scheduled Task: 1
- Hidden Files and Directories: 1
Defense Evasion
- Modify Registry: 7
- File Permissions Modification: 1
- Hidden Files and Directories: 1
Downloads
228KB
-
memory/4732-263-0x0000000000000000-mapping.dmp
-
memory/4736-218-0x0000000000000000-mapping.dmp
-
memory/4880-260-0x0000000000000000-mapping.dmp
-
memory/4884-231-0x0000000000000000-mapping.dmp
-
memory/4884-301-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4884-256-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4992-242-0x0000000000000000-mapping.dmp
-
memory/5020-247-0x0000000000000000-mapping.dmp
-
memory/5096-185-0x0000000000000000-mapping.dmp
-
memory/5096-190-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5096-272-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5172-269-0x0000000000000000-mapping.dmp
-
memory/5184-273-0x0000000000000000-mapping.dmp
-
memory/5224-271-0x0000000000000000-mapping.dmp
-
memory/5272-274-0x0000000000000000-mapping.dmp
-
memory/5304-291-0x0000000000000000-mapping.dmp
-
memory/5312-290-0x0000000000000000-mapping.dmp
-
memory/5460-281-0x0000000000000000-mapping.dmp
-
memory/5460-314-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5464-315-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/5464-280-0x0000000000000000-mapping.dmp
-
memory/5496-285-0x0000000000000000-mapping.dmp
-
memory/5668-292-0x0000000000000000-mapping.dmp
-
memory/5840-316-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/5840-318-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/5840-319-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/5840-312-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/5840-307-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
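The memory dump listing above is raw sandbox output, and with close to a hundred entries across some thirty PIDs it is hard to tell by eye which dumps are worth pulling first. The following is an added Python example, not part of the report or of the sandbox's own tooling, that parses entries in this layout, recomputes each region's size from its address range to check the printed Filesize, and groups the memory.dmp regions whose base is 0x400000 per PID, largest first. The sample input is a handful of entries copied from the listing; the rule that 0x400000 (the default image base of a 32-bit EXE that was not relocated by ASLR) marks the dumps most likely to hold an unpacked PE, and the size-rounding rule used to reproduce the report's KB/MB strings, are assumptions.

```python
"""Parse a sandbox memory dump listing, recompute each region's size from
its address range, and rank processes by dumped 0x400000 image regions."""
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the listing above, in the
# raw "name / size / -" layout the report uses. The one-line-per-entry layout
# ("... .dmp Filesize: 520KB") is parsed by the same regex.
SAMPLE_LISTING = """\
memory/1876-166-0x00000000000F0000-0x0000000000172000-memory.dmpFilesize
520KB
-
memory/1940-225-0x0000000000000000-mapping.dmp
-
memory/2792-289-0x0000000010000000-0x0000000010010000-memory.dmpFilesize
64KB
-
memory/3468-321-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4188-133-0x00007FFD41540000-0x00007FFD42001000-memory.dmpFilesize
10.8MB
-
memory/5840-316-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
"""

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp, optionally followed by a size.
ENTRY_RE = re.compile(
    r"(memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp)"
    r"(?:\s*Filesize:?\s*(\d+(?:\.\d+)?(?:KB|MB)))?"
)

# Assumption: default image base of a 32-bit EXE not relocated by ASLR; dumps taken
# from here are the best candidates for an unpacked or injected PE.
IMAGE_BASE_32 = 0x400000


def format_size(nbytes):
    """Render a byte count the way the report prints it (assumed rule): whole KB below 1 MiB,
    otherwise MB to one decimal place."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_listing(text):
    """Return one dict per dump entry: pid, seq, start, end (None for mapping.dmp), kind, listed size."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        name, pid, seq, start, end, kind, listed = m.groups()
        entries.append({
            "name": name,
            "pid": int(pid),
            "seq": int(seq),
            "start": int(start, 16),
            "end": int(end, 16) if end else None,
            "kind": kind,
            "listed": listed,
        })
    return entries


def verify_sizes(entries):
    """Recompute end - start for every memory.dmp and compare with the size printed in the report.
    Returns (name, computed, listed, matches) tuples; mapping.dmp entries carry no range and are skipped."""
    results = []
    for e in entries:
        if e["kind"] != "memory":
            continue
        computed = format_size(e["end"] - e["start"])
        results.append((e["name"], computed, e["listed"], computed == e["listed"]))
    return results


def image_regions_by_pid(entries):
    """Group memory.dmp regions based at IMAGE_BASE_32 per PID, largest region first.
    Returns {pid: [(dump name, size in bytes), ...]}."""
    by_pid = defaultdict(list)
    for e in entries:
        if e["kind"] == "memory" and e["start"] == IMAGE_BASE_32:
            by_pid[e["pid"]].append(e)
    ranked = {}
    for pid, regs in by_pid.items():
        regs.sort(key=lambda r: r["end"] - r["start"], reverse=True)
        ranked[pid] = [(r["name"], r["end"] - r["start"]) for r in regs]
    return ranked


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for name, computed, listed, ok in verify_sizes(parsed):
        print("ok  " if ok else "DIFF", name, computed, listed)
    for pid, regs in sorted(image_regions_by_pid(parsed).items()):
        print(pid, regs)
```

Feeding the whole listing through `parse_listing` instead of the sample shows the pattern a practitioner cares about: PID 5840 has five 6.0MB dumps at 0x400000 (far larger than the 148KB sample on disk, so something was unpacked or staged there), PID 3468 has dumps at 0x400000 with three different end addresses (the image was overwritten during the run), and the 10.8MB regions of PID 4188 sit at 0x7FFD..., a 64-bit high address typical of a loaded system DLL rather than a payload.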