badrabbit | 4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304

Processes:

Endermanch@Birele.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdnsgvhk.4zp\\Endermanch@Birele.exe"	Endermanch@Birele.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

Processes:

resource	yara_rule
C:\Windows\30D4.tmp	mimikatz
C:\Windows\30D4.tmp	mimikatz

Contacts a large (1116) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 35 IoCs

Processes:

Endermanch@BadRabbit.exeEndermanch@Birele.exeEndermanch@Cerber5.exeEndermanch@DeriaLock.exeFantom.exeEndermanch@InfinityCrypt.exeEndermanch@Krotten.exeEndermanch@NoMoreRansom.exeEndermanch@Petya.A.exeEndermanch@PolyRansom.exeEndermanch@WinlockerVB6Blacksod.exePkAUIAQo.exeEndermanch@ViraLock.exevoQQsQwA.exe30D4.tmpEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@WannaCrypt0r.exeEndermanch@Xyeta.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@Antivirus.exeEndermanch@PolyRansom.exeEndermanch@AntivirusPlatinum.exeEndermanch@ViraLock.exeEndermanch@AntivirusPro2017.exeEndermanch@PolyRansom.exevoQQsQwA.exe

pid	process
4516	Endermanch@BadRabbit.exe
3432	Endermanch@Birele.exe
876	Endermanch@Cerber5.exe
1172	Endermanch@DeriaLock.exe
4004	Fantom.exe
2872	Endermanch@InfinityCrypt.exe
2040	Endermanch@Krotten.exe
4152	Endermanch@NoMoreRansom.exe
3064	Endermanch@Petya.A.exe
1756	Endermanch@PolyRansom.exe
3816	Endermanch@WinlockerVB6Blacksod.exe
2780	PkAUIAQo.exe
3696	Endermanch@ViraLock.exe
3704	voQQsQwA.exe
4460	30D4.tmp
4276	Endermanch@PolyRansom.exe
4872	Endermanch@ViraLock.exe
2404	Endermanch@ViraLock.exe
5352	Endermanch@ViraLock.exe
5380	Endermanch@PolyRansom.exe
5528	Endermanch@ViraLock.exe
5540	Endermanch@PolyRansom.exe
5644	Endermanch@PolyRansom.exe
5736	Endermanch@ViraLock.exe
5904	Endermanch@WannaCrypt0r.exe
6464	Endermanch@Xyeta.exe
6648	Endermanch@PolyRansom.exe
6852	Endermanch@ViraLock.exe
6952	Endermanch@Antivirus.exe
5540	Endermanch@PolyRansom.exe
1600	Endermanch@AntivirusPlatinum.exe
5936	Endermanch@ViraLock.exe
5492	Endermanch@AntivirusPro2017.exe
4976	Endermanch@PolyRansom.exe
4664	voQQsQwA.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1740 netsh.exe
4836 netsh.exe

pid	process
1740	netsh.exe
4836	netsh.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Endermanch@DeriaLock.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DisableNew.tif.deria	Endermanch@DeriaLock.exe
File opened for modification	C:\Users\Admin\Pictures\GrantAdd.png.deria	Endermanch@DeriaLock.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateExport.png.deria	Endermanch@DeriaLock.exe
File opened for modification	C:\Users\Admin\Pictures\WatchInstall.crw.deria	Endermanch@DeriaLock.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bdnsgvhk.4zp\Endermanch@Birele.exe	upx
behavioral2/memory/3432-146-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/3432-145-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/3432-172-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/4152-188-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4152-189-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/3432-197-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/4152-204-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\Endermanch@Xyeta.exe	upx
C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\Endermanch@Xyeta.exe	upx
behavioral2/memory/6464-314-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe

Drops startup file 1 IoCs

Processes:

Endermanch@DeriaLock.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe Endermanch@DeriaLock.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeEndermanch@WinlockerVB6Blacksod.exe

pid process

1100 rundll32.exe
3816 Endermanch@WinlockerVB6Blacksod.exe
3816 Endermanch@WinlockerVB6Blacksod.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4440 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	Endermanch@DeriaLock.exe

pid	process
4440	icacls.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Endermanch@NoMoreRansom.exeEndermanch@Birele.exeEndermanch@Krotten.exePkAUIAQo.exevoQQsQwA.exeEndermanch@PolyRansom.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Endermanch@NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Endermanch@NoMoreRansom.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Endermanch@Birele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PkAUIAQo.exe = "C:\\Users\\Admin\\XosUgMoc\\PkAUIAQo.exe"	PkAUIAQo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\voQQsQwA.exe = "C:\\ProgramData\\qekgkMEU\\voQQsQwA.exe"	voQQsQwA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdnsgvhk.4zp\\Endermanch@Birele.exe"	Endermanch@Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PkAUIAQo.exe = "C:\\Users\\Admin\\XosUgMoc\\PkAUIAQo.exe"	Endermanch@PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\voQQsQwA.exe = "C:\\ProgramData\\qekgkMEU\\voQQsQwA.exe"	Endermanch@PolyRansom.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Endermanch@Cerber5.exe

description	ioc	process
File opened (read-only)	\??\r:	Endermanch@Cerber5.exe
File opened (read-only)	\??\t:	Endermanch@Cerber5.exe
File opened (read-only)	\??\k:	Endermanch@Cerber5.exe
File opened (read-only)	\??\l:	Endermanch@Cerber5.exe
File opened (read-only)	\??\q:	Endermanch@Cerber5.exe
File opened (read-only)	\??\f:	Endermanch@Cerber5.exe
File opened (read-only)	\??\v:	Endermanch@Cerber5.exe
File opened (read-only)	\??\x:	Endermanch@Cerber5.exe
File opened (read-only)	\??\n:	Endermanch@Cerber5.exe
File opened (read-only)	\??\o:	Endermanch@Cerber5.exe
File opened (read-only)	\??\p:	Endermanch@Cerber5.exe
File opened (read-only)	\??\u:	Endermanch@Cerber5.exe
File opened (read-only)	\??\y:	Endermanch@Cerber5.exe
File opened (read-only)	\??\a:	Endermanch@Cerber5.exe
File opened (read-only)	\??\e:	Endermanch@Cerber5.exe
File opened (read-only)	\??\m:	Endermanch@Cerber5.exe
File opened (read-only)	\??\z:	Endermanch@Cerber5.exe
File opened (read-only)	\??\i:	Endermanch@Cerber5.exe
File opened (read-only)	\??\j:	Endermanch@Cerber5.exe
File opened (read-only)	\??\s:	Endermanch@Cerber5.exe
File opened (read-only)	\??\w:	Endermanch@Cerber5.exe
File opened (read-only)	\??\b:	Endermanch@Cerber5.exe
File opened (read-only)	\??\g:	Endermanch@Cerber5.exe
File opened (read-only)	\??\h:	Endermanch@Cerber5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail wordsia@notrix.de êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Endermanch@Krotten.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Endermanch@Petya.A.exeEndermanch@AntivirusPro2017.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@Petya.A.exe
File opened for modification	\??\PhysicalDrive0	Endermanch@AntivirusPro2017.exe

Drops file in Program Files directory 64 IoCs

Processes:

Endermanch@Cerber5.exeEndermanch@InfinityCrypt.exe

description	ioc	process
File opened for modification	\??\c:\program files (x86)\microsoft\word	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\excel	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	Endermanch@Cerber5.exe
File opened for modification	\??\c:\program files (x86)\the bat!	Endermanch@Cerber5.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\plugin.X.manifest.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	Endermanch@Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	Endermanch@Cerber5.exe
File opened for modification	\??\c:\program files (x86)\outlook	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\word	Endermanch@Cerber5.exe
File opened for modification	\??\c:\program files (x86)\office	Endermanch@Cerber5.exe
File opened for modification	\??\c:\program files (x86)\onenote	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	Endermanch@Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	\??\c:\program files (x86)\steam	Endermanch@Cerber5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	Endermanch@InfinityCrypt.exe

Drops file in Windows directory 15 IoCs

Processes:

Endermanch@Krotten.exeEndermanch@AntivirusPlatinum.exeEndermanch@BadRabbit.exerundll32.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Web	Endermanch@Krotten.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240620375	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\antivirus-platinum.exe	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\302746537.exe	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\infpub.dat	Endermanch@BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\MSCOMCTL.OCX	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\30D4.tmp	rundll32.exe
File opened for modification	C:\Windows\antivirus-platinum.exe	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\COMCTL32.OCX	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\COMCTL32.OCX	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\MSCOMCTL.OCX	Endermanch@AntivirusPlatinum.exe
File opened for modification	C:\Windows\302746537.exe	Endermanch@AntivirusPlatinum.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2568 6464 WerFault.exe Endermanch@Xyeta.exe
3732 5492 WerFault.exe Endermanch@AntivirusPro2017.exe

pid	pid_target	process	target process
2568	6464	WerFault.exe	Endermanch@Xyeta.exe
3732	5492	WerFault.exe	Endermanch@AntivirusPro2017.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Endermanch@InfinityCrypt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Endermanch@InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Endermanch@InfinityCrypt.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4404 schtasks.exe
1012 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

6388 taskkill.exe
3132 taskkill.exe

pid	process
4404	schtasks.exe
1012	schtasks.exe

pid	process
6388	taskkill.exe
3132	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

Processes:

Endermanch@Krotten.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Endermanch@Krotten.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

Endermanch@Krotten.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Endermanch@Krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Endermanch@Krotten.exe

Modifies registry class 1 IoCs

Processes:

Endermanch@Krotten.exe

description ioc process

Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND Endermanch@Krotten.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Endermanch@Krotten.exe

Modifies registry key 1 TTPs 45 IoCs

Modify Registry

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3148	reg.exe
6284	reg.exe
4040	reg.exe
5544	reg.exe
1504	reg.exe
3536	reg.exe
4908	reg.exe
5848	reg.exe
5984	reg.exe
5816	reg.exe
4100	reg.exe
5140	reg.exe
6100	reg.exe
6924	reg.exe
5644	reg.exe
4548	reg.exe
4336	reg.exe
6020	reg.exe
5924	reg.exe
3724	reg.exe
6124	reg.exe
5868	reg.exe
1688	reg.exe
3896	reg.exe
1076	reg.exe
5828	reg.exe
6060	reg.exe
6276	reg.exe
7020	reg.exe
5896	reg.exe
2408	reg.exe
6012	reg.exe
5840	reg.exe
5804	reg.exe
6084	reg.exe
6972	reg.exe
4132	reg.exe
4852	reg.exe
5992	reg.exe
4664	reg.exe
6004	reg.exe
5916	reg.exe
6092	reg.exe
6248	reg.exe
6456	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exe30D4.tmpEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@NoMoreRansom.exe

pid	process
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1756	Endermanch@PolyRansom.exe
1756	Endermanch@PolyRansom.exe
1756	Endermanch@PolyRansom.exe
1756	Endermanch@PolyRansom.exe
3696	Endermanch@ViraLock.exe
3696	Endermanch@ViraLock.exe
3696	Endermanch@ViraLock.exe
3696	Endermanch@ViraLock.exe
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4276	Endermanch@PolyRansom.exe
4276	Endermanch@PolyRansom.exe
4276	Endermanch@PolyRansom.exe
4276	Endermanch@PolyRansom.exe
4872	Endermanch@ViraLock.exe
4872	Endermanch@ViraLock.exe
4872	Endermanch@ViraLock.exe
4872	Endermanch@ViraLock.exe
2404	Endermanch@ViraLock.exe
2404	Endermanch@ViraLock.exe
2404	Endermanch@ViraLock.exe
2404	Endermanch@ViraLock.exe
5352	Endermanch@ViraLock.exe
5352	Endermanch@ViraLock.exe
5352	Endermanch@ViraLock.exe
5352	Endermanch@ViraLock.exe
5380	Endermanch@PolyRansom.exe
5380	Endermanch@PolyRansom.exe
5380	Endermanch@PolyRansom.exe
5380	Endermanch@PolyRansom.exe
5540	Endermanch@PolyRansom.exe
5540	Endermanch@PolyRansom.exe
5540	Endermanch@PolyRansom.exe
5540	Endermanch@PolyRansom.exe
5528	Endermanch@ViraLock.exe
5528	Endermanch@ViraLock.exe
5528	Endermanch@ViraLock.exe
5528	Endermanch@ViraLock.exe
5644	Endermanch@PolyRansom.exe
5644	Endermanch@PolyRansom.exe
5644	Endermanch@PolyRansom.exe
5644	Endermanch@PolyRansom.exe
5736	Endermanch@ViraLock.exe
5736	Endermanch@ViraLock.exe
5736	Endermanch@ViraLock.exe
5736	Endermanch@ViraLock.exe
6648	Endermanch@PolyRansom.exe
6648	Endermanch@PolyRansom.exe
6648	Endermanch@PolyRansom.exe
6648	Endermanch@PolyRansom.exe
6852	Endermanch@ViraLock.exe
6852	Endermanch@ViraLock.exe
6852	Endermanch@ViraLock.exe
6852	Endermanch@ViraLock.exe
4152	Endermanch@NoMoreRansom.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exerundll32.exeFantom.exeEndermanch@Krotten.exetaskkill.exeEndermanch@Petya.A.exe30D4.tmpEndermanch@Cerber5.exeEndermanch@DeriaLock.exe

description	pid	process
Token: SeDebugPrivilege	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe
Token: SeShutdownPrivilege	1100	rundll32.exe
Token: SeDebugPrivilege	1100	rundll32.exe
Token: SeTcbPrivilege	1100	rundll32.exe
Token: SeDebugPrivilege	4004	Fantom.exe
Token: SeSystemtimePrivilege	2040	Endermanch@Krotten.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeShutdownPrivilege	3064	Endermanch@Petya.A.exe
Token: SeDebugPrivilege	4460	30D4.tmp
Token: SeShutdownPrivilege	876	Endermanch@Cerber5.exe
Token: SeCreatePagefilePrivilege	876	Endermanch@Cerber5.exe
Token: SeDebugPrivilege	1172	Endermanch@DeriaLock.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Endermanch@Antivirus.exeEndermanch@AntivirusPro2017.exe

pid process

6952 Endermanch@Antivirus.exe
5492 Endermanch@AntivirusPro2017.exe
5492 Endermanch@AntivirusPro2017.exe
5492 Endermanch@AntivirusPro2017.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Endermanch@Antivirus.exe

pid process

6952 Endermanch@Antivirus.exe
6952 Endermanch@Antivirus.exe
6952 Endermanch@Antivirus.exe

pid	process
6952	Endermanch@Antivirus.exe
5492	Endermanch@AntivirusPro2017.exe
5492	Endermanch@AntivirusPro2017.exe
5492	Endermanch@AntivirusPro2017.exe

pid	process
6952	Endermanch@Antivirus.exe
6952	Endermanch@Antivirus.exe
6952	Endermanch@Antivirus.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exeEndermanch@BadRabbit.exerundll32.exeEndermanch@Birele.execmd.exeEndermanch@Cerber5.execmd.exeEndermanch@PolyRansom.exe

description	pid	process	target process
PID 3420 wrote to memory of 4516	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@BadRabbit.exe
PID 3420 wrote to memory of 4516	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@BadRabbit.exe
PID 3420 wrote to memory of 4516	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@BadRabbit.exe
PID 3420 wrote to memory of 3432	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Birele.exe
PID 3420 wrote to memory of 3432	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Birele.exe
PID 3420 wrote to memory of 3432	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Birele.exe
PID 4516 wrote to memory of 1100	4516	Endermanch@BadRabbit.exe	rundll32.exe
PID 4516 wrote to memory of 1100	4516	Endermanch@BadRabbit.exe	rundll32.exe
PID 4516 wrote to memory of 1100	4516	Endermanch@BadRabbit.exe	rundll32.exe
PID 3420 wrote to memory of 876	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Cerber5.exe
PID 3420 wrote to memory of 876	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Cerber5.exe
PID 3420 wrote to memory of 876	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Cerber5.exe
PID 3420 wrote to memory of 1172	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@DeriaLock.exe
PID 3420 wrote to memory of 1172	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@DeriaLock.exe
PID 3420 wrote to memory of 1172	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@DeriaLock.exe
PID 3420 wrote to memory of 4004	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Fantom.exe
PID 3420 wrote to memory of 4004	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Fantom.exe
PID 3420 wrote to memory of 4004	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Fantom.exe
PID 1100 wrote to memory of 956	1100	rundll32.exe	cmd.exe
PID 1100 wrote to memory of 956	1100	rundll32.exe	cmd.exe
PID 1100 wrote to memory of 956	1100	rundll32.exe	cmd.exe
PID 3420 wrote to memory of 2872	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@InfinityCrypt.exe
PID 3420 wrote to memory of 2872	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@InfinityCrypt.exe
PID 3420 wrote to memory of 2872	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@InfinityCrypt.exe
PID 3432 wrote to memory of 3132	3432	Endermanch@Birele.exe	taskkill.exe
PID 3432 wrote to memory of 3132	3432	Endermanch@Birele.exe	taskkill.exe
PID 3432 wrote to memory of 3132	3432	Endermanch@Birele.exe	taskkill.exe
PID 3420 wrote to memory of 2040	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Krotten.exe
PID 3420 wrote to memory of 2040	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Krotten.exe
PID 3420 wrote to memory of 2040	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Krotten.exe
PID 3420 wrote to memory of 4152	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@NoMoreRansom.exe
PID 3420 wrote to memory of 4152	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@NoMoreRansom.exe
PID 3420 wrote to memory of 4152	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@NoMoreRansom.exe
PID 3420 wrote to memory of 3064	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Petya.A.exe
PID 3420 wrote to memory of 3064	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Petya.A.exe
PID 3420 wrote to memory of 3064	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@Petya.A.exe
PID 956 wrote to memory of 4440	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 4440	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 4440	956	cmd.exe	schtasks.exe
PID 1100 wrote to memory of 768	1100	rundll32.exe	cmd.exe
PID 1100 wrote to memory of 768	1100	rundll32.exe	cmd.exe
PID 1100 wrote to memory of 768	1100	rundll32.exe	cmd.exe
PID 876 wrote to memory of 1740	876	Endermanch@Cerber5.exe	netsh.exe
PID 876 wrote to memory of 1740	876	Endermanch@Cerber5.exe	netsh.exe
PID 876 wrote to memory of 1740	876	Endermanch@Cerber5.exe	netsh.exe
PID 3420 wrote to memory of 1756	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@PolyRansom.exe
PID 3420 wrote to memory of 1756	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@PolyRansom.exe
PID 3420 wrote to memory of 1756	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@PolyRansom.exe
PID 768 wrote to memory of 4404	768	cmd.exe	schtasks.exe
PID 768 wrote to memory of 4404	768	cmd.exe	schtasks.exe
PID 768 wrote to memory of 4404	768	cmd.exe	schtasks.exe
PID 3420 wrote to memory of 3816	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@WinlockerVB6Blacksod.exe
PID 3420 wrote to memory of 3816	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@WinlockerVB6Blacksod.exe
PID 3420 wrote to memory of 3816	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@WinlockerVB6Blacksod.exe
PID 876 wrote to memory of 4836	876	Endermanch@Cerber5.exe	netsh.exe
PID 876 wrote to memory of 4836	876	Endermanch@Cerber5.exe	netsh.exe
PID 876 wrote to memory of 4836	876	Endermanch@Cerber5.exe	netsh.exe
PID 1756 wrote to memory of 2780	1756	Endermanch@PolyRansom.exe	PkAUIAQo.exe
PID 1756 wrote to memory of 2780	1756	Endermanch@PolyRansom.exe	PkAUIAQo.exe
PID 1756 wrote to memory of 2780	1756	Endermanch@PolyRansom.exe	PkAUIAQo.exe
PID 3420 wrote to memory of 3696	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@ViraLock.exe
PID 3420 wrote to memory of 3696	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@ViraLock.exe
PID 3420 wrote to memory of 3696	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	Endermanch@ViraLock.exe
PID 1100 wrote to memory of 1792	1100	rundll32.exe	cmd.exe

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Endermanch@Krotten.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5772 attrib.exe

pid	process
5772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\dca3hed1.ypt\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\dca3hed1.ypt\Endermanch@BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
4⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
5⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 424208606 && exit"
4⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 424208606 && exit"
5⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
4⤵
PID:1792

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
5⤵
- Creates scheduled task(s)
PID:1012

C:\Windows\30D4.tmp
"C:\Windows\30D4.tmp" \\.\pipe\{64DE3FDC-E086-4E13-8B24-EAD03D77FE52}
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Users\Admin\AppData\Local\Temp\bdnsgvhk.4zp\Endermanch@Birele.exe
"C:\Users\Admin\AppData\Local\Temp\bdnsgvhk.4zp\Endermanch@Birele.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Local\Temp\2bsvwnlm.skc\Endermanch@Cerber5.exe
"C:\Users\Admin\AppData\Local\Temp\2bsvwnlm.skc\Endermanch@Cerber5.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
3⤵
- Modifies Windows Firewall
PID:1740

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
3⤵
- Modifies Windows Firewall
PID:4836

C:\Users\Admin\AppData\Local\Temp\qdcqpxbd.eju\Endermanch@DeriaLock.exe
"C:\Users\Admin\AppData\Local\Temp\qdcqpxbd.eju\Endermanch@DeriaLock.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Local\Temp\wcv1fovy.rkl\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\wcv1fovy.rkl\Fantom.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Users\Admin\AppData\Local\Temp\ef5lhrfq.phc\Endermanch@InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\ef5lhrfq.phc\Endermanch@InfinityCrypt.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:2872

C:\Users\Admin\AppData\Local\Temp\l1moufuu.2ks\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\l1moufuu.2ks\Endermanch@NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Users\Admin\AppData\Local\Temp\5cfwklw1.st5\Endermanch@Krotten.exe
"C:\Users\Admin\AppData\Local\Temp\5cfwklw1.st5\Endermanch@Krotten.exe"
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2040

C:\Users\Admin\AppData\Local\Temp\bdu0r3ga.hhv\Endermanch@Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\bdu0r3ga.hhv\Endermanch@Petya.A.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
"C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\XosUgMoc\PkAUIAQo.exe
"C:\Users\Admin\XosUgMoc\PkAUIAQo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2780

C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM voQQsQwA.exe
4⤵
- Kills process with taskkill
PID:6388

C:\ProgramData\qekgkMEU\voQQsQwA.exe
"C:\ProgramData\qekgkMEU\voQQsQwA.exe"
4⤵
- Executes dropped EXE
PID:4664

C:\ProgramData\qekgkMEU\voQQsQwA.exe
"C:\ProgramData\qekgkMEU\voQQsQwA.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
3⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
5⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
7⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
9⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
11⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
13⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
14⤵
- Executes dropped EXE
PID:5540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
15⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
16⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
- Modifies registry key
PID:5868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
- Modifies registry key
PID:5896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
- Modifies registry key
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKcEEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe""
15⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies registry key
PID:6924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
- Modifies registry key
PID:6972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSMsQkcs.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe""
13⤵
PID:7028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
- Modifies registry key
PID:7020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
- Modifies registry key
PID:5924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKQQEoMU.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe""
11⤵
PID:6116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:6668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- Modifies registry key
PID:6092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
- Modifies registry key
PID:6084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
- Modifies registry key
PID:5916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies registry key
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKAsQIcI.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe""
9⤵
PID:6076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:5932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:6060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkkckUEo.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe""
7⤵
PID:6028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:6664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:6020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:6012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies registry key
PID:5840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies registry key
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgosIoww.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe""
5⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:5844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSsUYAoo.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom.exe""
3⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:6624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4336

C:\Users\Admin\AppData\Local\Temp\crxot4hv.hea\Endermanch@WinlockerVB6Blacksod.exe
"C:\Users\Admin\AppData\Local\Temp\crxot4hv.hea\Endermanch@WinlockerVB6Blacksod.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3816

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
3⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
5⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
7⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
9⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
11⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
13⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
15⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
16⤵
- Executes dropped EXE
PID:5936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
17⤵
PID:5592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
- Modifies registry key
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
- Modifies registry key
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meMwsoIg.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
17⤵
PID:6060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
- Modifies registry key
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
- Modifies registry key
PID:5544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
- Modifies registry key
PID:5644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiocsogw.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
15⤵
PID:6268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
- Modifies registry key
PID:6284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies registry key
PID:6248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqwUggYI.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
13⤵
PID:6472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:5752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
- Modifies registry key
PID:6456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
- Modifies registry key
PID:6276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
- Modifies registry key
PID:5848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
- Modifies registry key
PID:6004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcIEMkEU.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
11⤵
PID:6132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:6584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- Modifies registry key
PID:6124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies registry key
PID:5828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOkwUYMw.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
9⤵
PID:4516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:5740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:5140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
- Modifies registry key
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:5984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies registry key
PID:5804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYAUAUYs.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
7⤵
PID:6108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:5864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:6100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies registry key
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUEEAsMs.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
5⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:5880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meEcggYg.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock.exe""
3⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:6508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3148

C:\Users\Admin\AppData\Local\Temp\vx54l0ju.sww\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\vx54l0ju.sww\Endermanch@WannaCrypt0r.exe"
2⤵
- Executes dropped EXE
PID:5904

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:5772

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4440

C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\Endermanch@Xyeta.exe
"C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\Endermanch@Xyeta.exe"
2⤵
- Executes dropped EXE
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 448
3⤵
- Program crash
PID:2568

C:\Users\Admin\AppData\Local\Temp\q5ggvv33.1sv\Endermanch@Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\q5ggvv33.1sv\Endermanch@Antivirus.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6952

C:\Users\Admin\AppData\Local\Temp\rjhil340.ybm\Endermanch@AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\rjhil340.ybm\Endermanch@AntivirusPlatinum.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1600

C:\Users\Admin\AppData\Local\Temp\oeluqcax.mv0\Endermanch@AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\oeluqcax.mv0\Endermanch@AntivirusPro2017.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 804
3⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6464 -ip 6464
1⤵
PID:6656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 2416 -ip 2416
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2568 -ip 2568
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5492 -ip 5492
1⤵
PID:5172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Network Service Scanning

T1046

Query Registry

System Information Discovery