Analysis
-
max time kernel
52s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
29-09-2022 12:40
Static task
static1
Behavioral task
behavioral1
Sample
UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Resource
win7-20220901-en
General
-
Target
UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
-
Size
148KB
-
MD5
d197fad90535fb974db139537a091a5b
-
SHA1
5529175952d3fa0697124260e46ec1dbd0c63ae7
-
SHA256
a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6
-
SHA512
1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d
-
SSDEEP
3072:Gs6dE9I6+dZXlX1sZhuJHxleadYgJcuFsdazXflJv:GYpC16C6adXcFcz
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
Processes:
Endermanch@Xyeta.exeEndermanch@Birele.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Xyeta.exe" Endermanch@Xyeta.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe" Endermanch@Birele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Xyeta.exe" Endermanch@Xyeta.exe -
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
Processes:
Endermanch@InternetSecurityGuard.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest Endermanch@InternetSecurityGuard.exe -
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 41 IoCs
Processes:
Endermanch@Antivirus.exeEndermanch@AntivirusPlatinum.exeEndermanch@AntivirusPro2017.exeEndermanch@AnViPC2009.exeEndermanch@BadRabbit.exeEndermanch@Birele.exeEndermanch@Cerber5.exeEndermanch@DeriaLock.exeEndermanch@FakeAdwCleaner.exeEndermanch@HappyAntivirus.exeEndermanch@InfinityCrypt.exeEndermanch@InternetSecurityGuard.exeEndermanch@Krotten.exeEndermanch@LPS2019.exe6AdwCleaner.exeEndermanch@Movie.mpeg.exeEndermanch@NavaShield.exeEndermanch@NoMoreRansom.exeEndermanch@PCDefender.exeEndermanch@Petya.A.exeEndermanch@PolyRansom.exeEndermanch@RegistrySmart.exeEndermanch@SE2011.exeEndermanch@SecurityCentral.exeEndermanch@SecurityDefender.exeDikkIMsc.exeEndermanch@SecurityDefener2015.exelwIEIUAw.exeEndermanch@SecurityScanner.exeEndermanch@SmartDefragmenter.exeEndermanch@VAV2008.exeEndermanch@ViraLock.exeEndermanch@WannaCrypt0r.exeEndermanch@WinlockerVB6Blacksod.exeEndermanch@Xyeta.exeFantom.exeis-PBJJ2.tmpwinsp2up.execonhost.exetaskdl.exeB56B.tmppid process 692 Endermanch@Antivirus.exe 1000 Endermanch@AntivirusPlatinum.exe 1884 Endermanch@AntivirusPro2017.exe 892 Endermanch@AnViPC2009.exe 1200 Endermanch@BadRabbit.exe 1800 Endermanch@Birele.exe 1492 Endermanch@Cerber5.exe 964 Endermanch@DeriaLock.exe 1700 Endermanch@FakeAdwCleaner.exe 1748 Endermanch@HappyAntivirus.exe 2020 Endermanch@InfinityCrypt.exe 1608 Endermanch@InternetSecurityGuard.exe 860 Endermanch@Krotten.exe 1308 Endermanch@LPS2019.exe 1440 6AdwCleaner.exe 1404 Endermanch@Movie.mpeg.exe 1192 Endermanch@NavaShield.exe 1344 Endermanch@NoMoreRansom.exe 1464 Endermanch@PCDefender.exe 1048 Endermanch@Petya.A.exe 1536 Endermanch@PolyRansom.exe 952 Endermanch@RegistrySmart.exe 832 Endermanch@SE2011.exe 2016 Endermanch@SecurityCentral.exe 1648 Endermanch@SecurityDefender.exe 1576 DikkIMsc.exe 1588 Endermanch@SecurityDefener2015.exe 672 lwIEIUAw.exe 1676 Endermanch@SecurityScanner.exe 1980 Endermanch@SmartDefragmenter.exe 2060 Endermanch@VAV2008.exe 2168 Endermanch@ViraLock.exe 2244 Endermanch@WannaCrypt0r.exe 2312 Endermanch@WinlockerVB6Blacksod.exe 2360 Endermanch@Xyeta.exe 2404 Fantom.exe 2580 is-PBJJ2.tmp 2780 winsp2up.exe 2164 conhost.exe 2140 taskdl.exe 2852 B56B.tmp -
Sets file execution options in registry 2 TTPs 2 IoCs
Processes:
Endermanch@Xyeta.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Endermanch@Xyeta.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" Endermanch@Xyeta.exe -
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule behavioral1/memory/1800-94-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/1800-78-0x0000000000400000-0x0000000000438000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe upx C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe upx C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe upx behavioral1/memory/2060-208-0x0000000000400000-0x0000000000423000-memory.dmp upx \Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe upx \Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe upx \Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe upx C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe upx behavioral1/memory/2360-236-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral1/memory/1800-246-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/1344-249-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
Endermanch@SE2011.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine Endermanch@SE2011.exe -
Loads dropped DLL 22 IoCs
Processes:
Endermanch@FakeAdwCleaner.exeEndermanch@PolyRansom.exeEndermanch@VAV2008.exeEndermanch@RegistrySmart.exeEndermanch@SmartDefragmenter.exeWerFault.exeEndermanch@WinlockerVB6Blacksod.execmd.exeEndermanch@WannaCrypt0r.exewinsp2up.execmd.exepid process 1700 Endermanch@FakeAdwCleaner.exe 1536 Endermanch@PolyRansom.exe 1536 Endermanch@PolyRansom.exe 1536 Endermanch@PolyRansom.exe 1536 Endermanch@PolyRansom.exe 2060 Endermanch@VAV2008.exe 2060 Endermanch@VAV2008.exe 2060 Endermanch@VAV2008.exe 952 Endermanch@RegistrySmart.exe 1980 Endermanch@SmartDefragmenter.exe 1980 Endermanch@SmartDefragmenter.exe 1684 WerFault.exe 1684 WerFault.exe 2312 Endermanch@WinlockerVB6Blacksod.exe 1684 WerFault.exe 2312 Endermanch@WinlockerVB6Blacksod.exe 744 cmd.exe 744 cmd.exe 2244 Endermanch@WannaCrypt0r.exe 2244 Endermanch@WannaCrypt0r.exe 2780 winsp2up.exe 2712 cmd.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
icacls.exeicacls.exepid process 2688 icacls.exe 3328 icacls.exe -
Processes:
resource yara_rule behavioral1/memory/832-176-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-242-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-268-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-294-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-307-0x0000000000400000-0x0000000000CFB000-memory.dmp themida -
Adds Run key to start application 2 TTPs 11 IoCs
Processes:
Endermanch@Birele.exeDikkIMsc.exeEndermanch@ViraLock.exeEndermanch@SmartDefragmenter.exeEndermanch@PolyRansom.exelwIEIUAw.exeEndermanch@NoMoreRansom.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe" Endermanch@Birele.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DikkIMsc.exe = "C:\\Users\\Admin\\WoIIwYkc\\DikkIMsc.exe" DikkIMsc.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce Endermanch@ViraLock.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run Endermanch@SmartDefragmenter.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsp2up.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsp2up.exe" Endermanch@SmartDefragmenter.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Endermanch@Birele.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DikkIMsc.exe = "C:\\Users\\Admin\\WoIIwYkc\\DikkIMsc.exe" Endermanch@PolyRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwIEIUAw.exe = "C:\\ProgramData\\WuUIQoAs\\lwIEIUAw.exe" Endermanch@PolyRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwIEIUAw.exe = "C:\\ProgramData\\WuUIQoAs\\lwIEIUAw.exe" lwIEIUAw.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Endermanch@NoMoreRansom.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" Endermanch@NoMoreRansom.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Endermanch@InternetSecurityGuard.exedescription ioc process File opened (read-only) \??\M: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\P: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\S: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\N: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\O: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\R: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\U: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\X: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\V: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\E: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\G: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\H: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\J: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\K: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\Q: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\T: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\W: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\F: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\I: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\L: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\Y: Endermanch@InternetSecurityGuard.exe File opened (read-only) \??\Z: Endermanch@InternetSecurityGuard.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
Endermanch@InternetSecurityGuard.exeEndermanch@AntivirusPro2017.exedescription ioc process File opened for modification \??\PhysicalDrive0 Endermanch@InternetSecurityGuard.exe File opened for modification \??\PhysicalDrive0 Endermanch@AntivirusPro2017.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Endermanch@SE2011.exepid process 832 Endermanch@SE2011.exe -
Drops file in Program Files directory 2 IoCs
Processes:
Endermanch@Antivirus.exedescription ioc process File created C:\Program Files (x86)\AnVi\splash.mp3 Endermanch@Antivirus.exe File created C:\Program Files (x86)\AnVi\virus.mp3 Endermanch@Antivirus.exe -
Drops file in Windows directory 5 IoCs
Processes:
Endermanch@BadRabbit.exerundll32.exedescription ioc process File created C:\Windows\infpub.dat Endermanch@BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\B56B.tmp rundll32.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 948 sc.exe 2276 sc.exe 4564 sc.exe 4892 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1684 1588 WerFault.exe Endermanch@SecurityDefener2015.exe 4008 1004 WerFault.exe Endermanch@SecurityDefener2015.exe 3040 2576 WerFault.exe UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe -
NSIS installer 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe nsis_installer_2 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Endermanch@InfinityCrypt.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Endermanch@InfinityCrypt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Endermanch@InfinityCrypt.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2148 schtasks.exe 3308 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2200 vssadmin.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 956 taskkill.exe 2224 taskkill.exe -
Processes:
Endermanch@Antivirus.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" Endermanch@Antivirus.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main Endermanch@Antivirus.exe -
Modifies registry key 1 TTPs 42 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 4688 reg.exe 2212 reg.exe 1864 reg.exe 4264 reg.exe 3508 reg.exe 3476 reg.exe 3056 reg.exe 4336 reg.exe 4472 reg.exe 2928 reg.exe 3004 reg.exe 3152 reg.exe 3428 reg.exe 3028 reg.exe 4364 reg.exe 4680 reg.exe 2856 reg.exe 2220 reg.exe 2628 reg.exe 2144 reg.exe 4700 reg.exe 2080 reg.exe 1408 reg.exe 2332 reg.exe 3540 reg.exe 1120 reg.exe 3408 reg.exe 2144 reg.exe 2636 reg.exe 3120 reg.exe 3644 reg.exe 2136 reg.exe 3128 reg.exe 2616 reg.exe 1816 reg.exe 2624 reg.exe 2068 reg.exe 2548 reg.exe 4404 reg.exe 3548 reg.exe 3924 reg.exe 4252 reg.exe -
Processes:
UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
Endermanch@InternetSecurityGuard.exeEndermanch@PolyRansom.exeEndermanch@SE2011.exeEndermanch@ViraLock.exerundll32.exeEndermanch@NoMoreRansom.exewinsp2up.execonhost.exepid process 1608 Endermanch@InternetSecurityGuard.exe 1536 Endermanch@PolyRansom.exe 1536 Endermanch@PolyRansom.exe 832 Endermanch@SE2011.exe 2168 Endermanch@ViraLock.exe 2168 Endermanch@ViraLock.exe 624 rundll32.exe 624 rundll32.exe 1344 Endermanch@NoMoreRansom.exe 1344 Endermanch@NoMoreRansom.exe 2780 winsp2up.exe 2780 winsp2up.exe 2780 winsp2up.exe 2164 conhost.exe 2164 conhost.exe 2164 conhost.exe 2164 conhost.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe6AdwCleaner.exerundll32.exeUDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exeFantom.exetaskkill.exeschtasks.exemsiexec.exeEndermanch@WinlockerVB6Blacksod.exedescription pid process Token: SeDebugPrivilege 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Token: SeDebugPrivilege 1440 6AdwCleaner.exe Token: SeShutdownPrivilege 624 rundll32.exe Token: SeDebugPrivilege 624 rundll32.exe Token: SeTcbPrivilege 624 rundll32.exe Token: SeDebugPrivilege 2504 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Token: SeDebugPrivilege 2404 Fantom.exe Token: SeDebugPrivilege 956 taskkill.exe Token: SeDebugPrivilege 2224 schtasks.exe Token: SeRestorePrivilege 2052 msiexec.exe Token: SeTakeOwnershipPrivilege 2052 msiexec.exe Token: SeSecurityPrivilege 2052 msiexec.exe Token: SeCreateTokenPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeAssignPrimaryTokenPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeLockMemoryPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeIncreaseQuotaPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeMachineAccountPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeTcbPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeSecurityPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeTakeOwnershipPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeLoadDriverPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeSystemProfilePrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeSystemtimePrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeProfSingleProcessPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeIncBasePriorityPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeCreatePagefilePrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeCreatePermanentPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeBackupPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeRestorePrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeShutdownPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeDebugPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeAuditPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeSystemEnvironmentPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeChangeNotifyPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeRemoteShutdownPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeUndockPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeSyncAgentPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeEnableDelegationPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeManageVolumePrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeImpersonatePrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe Token: SeCreateGlobalPrivilege 2312 Endermanch@WinlockerVB6Blacksod.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Endermanch@Antivirus.exeEndermanch@Xyeta.exepid process 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 2360 Endermanch@Xyeta.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Endermanch@Antivirus.exepid process 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
Endermanch@Antivirus.exeEndermanch@SmartDefragmenter.exewinsp2up.exepid process 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 692 Endermanch@Antivirus.exe 1980 Endermanch@SmartDefragmenter.exe 2780 winsp2up.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
Endermanch@Cerber5.exeEndermanch@NoMoreRansom.exepid process 1492 Endermanch@Cerber5.exe 1344 Endermanch@NoMoreRansom.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exeEndermanch@BadRabbit.exedescription pid process target process PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Antivirus.exe PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Antivirus.exe PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Antivirus.exe PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Antivirus.exe PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPlatinum.exe PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPlatinum.exe PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPlatinum.exe PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPlatinum.exe PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPlatinum.exe PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPlatinum.exe PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPlatinum.exe PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPro2017.exe PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPro2017.exe PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPro2017.exe PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AntivirusPro2017.exe PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AnViPC2009.exe PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AnViPC2009.exe PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AnViPC2009.exe PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AnViPC2009.exe PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AnViPC2009.exe PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AnViPC2009.exe PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@AnViPC2009.exe PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@BadRabbit.exe PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@BadRabbit.exe PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@BadRabbit.exe PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@BadRabbit.exe PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@BadRabbit.exe PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@BadRabbit.exe PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@BadRabbit.exe PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Birele.exe PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Birele.exe PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Birele.exe PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Birele.exe PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Cerber5.exe PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Cerber5.exe PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Cerber5.exe PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@Cerber5.exe PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@DeriaLock.exe PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@DeriaLock.exe PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@DeriaLock.exe PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@DeriaLock.exe PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@FakeAdwCleaner.exe PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@FakeAdwCleaner.exe PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@FakeAdwCleaner.exe PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@FakeAdwCleaner.exe PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@HappyAntivirus.exe PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@HappyAntivirus.exe PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@HappyAntivirus.exe PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@HappyAntivirus.exe PID 1200 wrote to memory of 624 1200 Endermanch@BadRabbit.exe rundll32.exe PID 1200 wrote to memory of 624 1200 Endermanch@BadRabbit.exe rundll32.exe PID 1200 wrote to memory of 624 1200 Endermanch@BadRabbit.exe rundll32.exe PID 1200 wrote to memory of 624 1200 Endermanch@BadRabbit.exe rundll32.exe PID 1200 wrote to memory of 624 1200 Endermanch@BadRabbit.exe rundll32.exe PID 1200 wrote to memory of 624 1200 Endermanch@BadRabbit.exe rundll32.exe PID 1200 wrote to memory of 624 1200 Endermanch@BadRabbit.exe rundll32.exe PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InfinityCrypt.exe PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InfinityCrypt.exe PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InfinityCrypt.exe PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InfinityCrypt.exe PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InternetSecurityGuard.exe PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InternetSecurityGuard.exe PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InternetSecurityGuard.exe PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Endermanch@InternetSecurityGuard.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
Endermanch@SmartDefragmenter.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Endermanch@SmartDefragmenter.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Endermanch@SmartDefragmenter.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2788 attrib.exe 2608 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2635896854 && exit"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2635896854 && exit"5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:59:004⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:59:005⤵
- Creates scheduled task(s)
-
C:\Windows\B56B.tmp"C:\Windows\B56B.tmp" \\.\pipe\{75ACB937-FCAC-477C-9E38-6B7F3924A8CC}4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"2⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1404 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe" & start C:\Users\Admin\AppData\Local\ogkfdop.exe -f3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /pid 14044⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\PING.EXEping -n 3 127.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\ogkfdop.exeC:\Users\Admin\AppData\Local\ogkfdop.exe -f4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\WoIIwYkc\DikkIMsc.exe"C:\Users\Admin\WoIIwYkc\DikkIMsc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\WuUIQoAs\lwIEIUAw.exe"C:\ProgramData\WuUIQoAs\lwIEIUAw.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom8⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"9⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom10⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"11⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom12⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"13⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 113⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\SEcAkIEE.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""13⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs14⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 213⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 111⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\dIUUosEM.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f11⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 211⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Kgoswggo.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""9⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs10⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\BoAgMwEg.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""7⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\qasQEUwI.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""5⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\xkAwoEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp"C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp" /SL4 $1025C "C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe" 779923 558083⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\ProgramData\6981d600-e615-40eb-abf4-c6062762452e_31.avi", start3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1523⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\rlyqdr.exeC:\Users\Admin\AppData\Roaming\rlyqdr.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock8⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"9⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\QeIcMUEI.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""9⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs10⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\gcIMgYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""7⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\rMcMQYEM.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""5⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\mgcAwUwg.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c 11511664455271.bat3⤵
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs4⤵
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe@WanaDecryptor@.exe co3⤵
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @WanaDecryptor@.exe vs3⤵
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe@WanaDecryptor@.exe vs4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yqdbhvadqux735" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\Fantom.exe"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\ose00000.exe"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe"C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 154⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"3⤵
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\jAAcAEQY.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PgcAQwkg.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-REELM.tmp\is-SE41D.tmp"C:\Users\Admin\AppData\Local\Temp\is-REELM.tmp\is-SE41D.tmp" /SL4 $10488 "C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe" 779923 558084⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1524⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled4⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\kutmmf.exeC:\Users\Admin\AppData\Roaming\kutmmf.exe4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\iEgUwYQI.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\IIIQIoUw.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe"C:\Users\Admin\AppData\Local\Temp\taskse.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe"C:\Users\Admin\AppData\Local\Temp\taskdl.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\ose00000.exe"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Fantom.exe"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h .4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7138496.exe"C:\Users\Admin\AppData\Local\Temp\7138496.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe"C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"4⤵
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"4⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2576 -s 18404⤵
- Program crash
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1629774111-1189734067479411229-306934536647202789249845971-982271422-290965814"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1352951619-697510235-1153078449122492692-192055209515389129671996466594-1835603822"1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Registry Run Keys / Startup Folder
2Modify Existing Service
1Bootkit
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
7File Deletion
2Virtualization/Sandbox Evasion
2Impair Defenses
1File Permissions Modification
1Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\WuUIQoAs\lwIEIUAw.exeFilesize
199KB
MD5aeabed7c43c474e28bb6c2e798ee56ad
SHA14c8841ad827d8227481522ec809abf5b10967879
SHA2561d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53
SHA5122b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exeFilesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exeFilesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exeFilesize
1.2MB
MD5910dd666c83efd3496f21f9f211cdc1f
SHA177cd736ee1697beda0ac65da24455ec566ba7440
SHA25606effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exeFilesize
1.2MB
MD5910dd666c83efd3496f21f9f211cdc1f
SHA177cd736ee1697beda0ac65da24455ec566ba7440
SHA25606effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exeFilesize
2.0MB
MD5c7e9746b1b039b8bd1106bca3038c38f
SHA1cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exeFilesize
2.0MB
MD5c7e9746b1b039b8bd1106bca3038c38f
SHA1cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exeFilesize
739KB
MD5382430dd7eae8945921b7feab37ed36b
SHA1c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA25670e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA51226abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exeFilesize
739KB
MD5382430dd7eae8945921b7feab37ed36b
SHA1c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA25670e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA51226abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exeFilesize
816KB
MD57dfbfba1e4e64a946cb096bfc937fbad
SHA19180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exeFilesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exeFilesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exeFilesize
116KB
MD541789c704a0eecfdd0048b4b4193e752
SHA1fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA51276391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exeFilesize
313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exeFilesize
484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exeFilesize
484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exeFilesize
190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exeFilesize
190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exeFilesize
1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exeFilesize
1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exeFilesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exeFilesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exeFilesize
6.1MB
MD504155ed507699b4e37532e8371192c0b
SHA1a14107131237dbb0df750e74281c462a2ea61016
SHA256b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA5126de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exeFilesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exeFilesize
1.1MB
MD52eb3ce80b26345bd139f7378330b19c1
SHA110122bd8dd749e20c132d108d176794f140242b0
SHA2568abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exeFilesize
1.1MB
MD52eb3ce80b26345bd139f7378330b19c1
SHA110122bd8dd749e20c132d108d176794f140242b0
SHA2568abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exeFilesize
414KB
MD5d0deb2644c9435ea701e88537787ea6e
SHA1866e47ecd80da89c4f56557659027a3aee897132
SHA256ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA5126faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exeFilesize
414KB
MD5d0deb2644c9435ea701e88537787ea6e
SHA1866e47ecd80da89c4f56557659027a3aee897132
SHA256ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA5126faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield.exeFilesize
9.7MB
MD51f13396fa59d38ebe76ccc587ccb11bb
SHA1867adb3076c0d335b9bfa64594ef37a7e2c951ff
SHA25683ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
SHA51282ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exeFilesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exeFilesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exeFilesize
878KB
MD5e4d4a59494265949993e26dee7b077d1
SHA183e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA2565ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exeFilesize
878KB
MD5e4d4a59494265949993e26dee7b077d1
SHA183e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA2565ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exeFilesize
225KB
MD5af2379cc4d607a45ac44d62135fb7015
SHA139b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA25626b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA51269899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeFilesize
220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exeFilesize
1.0MB
MD50002dddba512e20c3f82aaab8bad8b4d
SHA1493286b108822ba636cc0e53b8259e4f06ecf900
SHA2562d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exeFilesize
1.0MB
MD50002dddba512e20c3f82aaab8bad8b4d
SHA1493286b108822ba636cc0e53b8259e4f06ecf900
SHA2562d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exeFilesize
2.4MB
MD502f471d1fefbdc07af5555dbfd6ea918
SHA12a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA25636619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exeFilesize
904KB
MD50315c3149c7dc1d865dc5a89043d870d
SHA1f74546dda99891ca688416b1a61c9637b3794108
SHA25690c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9
SHA5127168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exeFilesize
1.4MB
MD5e1b69c058131e1593eccd4fbcdbb72b2
SHA16d319439cac072547edd7cf2019855fa25092006
SHA256b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exeFilesize
1.4MB
MD5e1b69c058131e1593eccd4fbcdbb72b2
SHA16d319439cac072547edd7cf2019855fa25092006
SHA256b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exeFilesize
1.2MB
MD5d5e5853f5a2a5a7413f26c625c0e240b
SHA10ced68483e7f3742a963f2507937bb7089de3ffe
SHA256415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3
SHA51249ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exeFilesize
2.2MB
MD57dde6427dcf06d0c861693b96ad053a0
SHA1086008ecfe06ad06f4c0eee2b13530897146ae01
SHA256077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf
SHA5128cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exeFilesize
438KB
MD503baeba6b4224371cca7fa6f95ae61c0
SHA18731202d2f954421a37b5c9e01d971131bd515f1
SHA25661a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35
SHA512386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exeFilesize
438KB
MD503baeba6b4224371cca7fa6f95ae61c0
SHA18731202d2f954421a37b5c9e01d971131bd515f1
SHA25661a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35
SHA512386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exeFilesize
770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exeFilesize
770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exeFilesize
194KB
MD58803d517ac24b157431d8a462302b400
SHA1b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA51238fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exeFilesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@WinlockerVB6Blacksod.exeFilesize
2.4MB
MD5dbfbf254cfb84d991ac3860105d66fc6
SHA1893110d8c8451565caa591ddfccf92869f96c242
SHA25668b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
SHA5125e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exeFilesize
84KB
MD59d15a3b314600b4c08682b0202700ee7
SHA1208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA2563ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA5129916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3
-
C:\Users\Admin\AppData\Local\Temp\Fantom.exeFilesize
261KB
MD57d80230df68ccba871815d68f016c282
SHA1e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA51264d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmpFilesize
661KB
MD519672882daf21174647509b74a406a8c
SHA1e3313b8741bd9bbe212fe53fcc55b342af5ae849
SHA25634e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8
SHA512eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f
-
C:\Users\Admin\WoIIwYkc\DikkIMsc.exeFilesize
194KB
MD541d026963239e576d58f0a56d2cb0e97
SHA186b58f785fd03d9d55b84246471cce45e5cdc513
SHA25666a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d
SHA512f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345
-
C:\Windows\infpub.datFilesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
\ProgramData\WuUIQoAs\lwIEIUAw.exeFilesize
199KB
MD5aeabed7c43c474e28bb6c2e798ee56ad
SHA14c8841ad827d8227481522ec809abf5b10967879
SHA2561d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53
SHA5122b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27
-
\ProgramData\WuUIQoAs\lwIEIUAw.exeFilesize
199KB
MD5aeabed7c43c474e28bb6c2e798ee56ad
SHA14c8841ad827d8227481522ec809abf5b10967879
SHA2561d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53
SHA5122b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27
-
\Users\Admin\AppData\Local\6AdwCleaner.exeFilesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exeFilesize
770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exeFilesize
770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exeFilesize
770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmpFilesize
661KB
MD519672882daf21174647509b74a406a8c
SHA1e3313b8741bd9bbe212fe53fcc55b342af5ae849
SHA25634e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8
SHA512eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f
-
\Users\Admin\WoIIwYkc\DikkIMsc.exeFilesize
194KB
MD541d026963239e576d58f0a56d2cb0e97
SHA186b58f785fd03d9d55b84246471cce45e5cdc513
SHA25666a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d
SHA512f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345
-
\Users\Admin\WoIIwYkc\DikkIMsc.exeFilesize
194KB
MD541d026963239e576d58f0a56d2cb0e97
SHA186b58f785fd03d9d55b84246471cce45e5cdc513
SHA25666a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d
SHA512f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345
-
memory/624-257-0x0000000001F00000-0x0000000001F68000-memory.dmpFilesize
416KB
-
memory/624-270-0x0000000001F00000-0x0000000001F68000-memory.dmpFilesize
416KB
-
memory/624-89-0x0000000000000000-mapping.dmp
-
memory/672-168-0x0000000000000000-mapping.dmp
-
memory/672-178-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/692-58-0x0000000000000000-mapping.dmp
-
memory/692-60-0x0000000076961000-0x0000000076963000-memory.dmpFilesize
8KB
-
memory/744-182-0x0000000000000000-mapping.dmp
-
memory/744-296-0x00000000001E0000-0x0000000000219000-memory.dmpFilesize
228KB
-
memory/744-297-0x00000000001E0000-0x0000000000219000-memory.dmpFilesize
228KB
-
memory/832-153-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/832-242-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/832-307-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/832-176-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/832-146-0x0000000000000000-mapping.dmp
-
memory/832-294-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/832-268-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/860-108-0x0000000000000000-mapping.dmp
-
memory/892-68-0x0000000000000000-mapping.dmp
-
memory/952-143-0x0000000000000000-mapping.dmp
-
memory/952-191-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/952-203-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/956-104-0x0000000000000000-mapping.dmp
-
memory/964-77-0x0000000000000000-mapping.dmp
-
memory/964-190-0x0000000000D60000-0x0000000000DE2000-memory.dmpFilesize
520KB
-
memory/988-300-0x0000000000000000-mapping.dmp
-
memory/1000-61-0x0000000000000000-mapping.dmp
-
memory/1048-173-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1048-205-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1048-135-0x0000000000000000-mapping.dmp
-
memory/1048-223-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1048-188-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1048-174-0x0000000000230000-0x0000000000242000-memory.dmpFilesize
72KB
-
memory/1192-123-0x0000000000000000-mapping.dmp
-
memory/1200-70-0x0000000000000000-mapping.dmp
-
memory/1308-112-0x0000000000000000-mapping.dmp
-
memory/1344-251-0x00000000002F0000-0x00000000003BE000-memory.dmpFilesize
824KB
-
memory/1344-249-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/1344-127-0x0000000000000000-mapping.dmp
-
memory/1404-278-0x0000000001000000-0x00000000010CE000-memory.dmpFilesize
824KB
-
memory/1404-116-0x0000000000000000-mapping.dmp
-
memory/1404-287-0x0000000001000000-0x00000000010CE000-memory.dmpFilesize
824KB
-
memory/1404-132-0x0000000001000000-0x00000000010CE000-memory.dmpFilesize
824KB
-
memory/1440-122-0x0000000000A00000-0x0000000000A2E000-memory.dmpFilesize
184KB
-
memory/1440-115-0x0000000000000000-mapping.dmp
-
memory/1440-224-0x000007FEFC591000-0x000007FEFC593000-memory.dmpFilesize
8KB
-
memory/1464-133-0x0000000000000000-mapping.dmp
-
memory/1492-131-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1492-75-0x0000000000000000-mapping.dmp
-
memory/1492-130-0x0000000000120000-0x0000000000151000-memory.dmpFilesize
196KB
-
memory/1536-237-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1536-139-0x0000000000000000-mapping.dmp
-
memory/1536-172-0x00000000004B0000-0x00000000004E3000-memory.dmpFilesize
204KB
-
memory/1536-177-0x00000000004B0000-0x00000000004E3000-memory.dmpFilesize
204KB
-
memory/1536-170-0x00000000004B0000-0x00000000004E2000-memory.dmpFilesize
200KB
-
memory/1536-150-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1536-158-0x00000000004B0000-0x00000000004E2000-memory.dmpFilesize
200KB
-
memory/1576-171-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1576-160-0x0000000000000000-mapping.dmp
-
memory/1588-163-0x0000000000000000-mapping.dmp
-
memory/1588-166-0x0000000001020000-0x000000000115B000-memory.dmpFilesize
1.2MB
-
memory/1608-103-0x0000000000000000-mapping.dmp
-
memory/1648-155-0x0000000000000000-mapping.dmp
-
memory/1648-209-0x00000000004F0000-0x0000000000637000-memory.dmpFilesize
1.3MB
-
memory/1676-179-0x0000000000000000-mapping.dmp
-
memory/1676-279-0x00000000034C0000-0x00000000034C3000-memory.dmpFilesize
12KB
-
memory/1676-187-0x0000000000400000-0x0000000000843000-memory.dmpFilesize
4.3MB
-
memory/1676-253-0x00000000009A0000-0x0000000000A00000-memory.dmpFilesize
384KB
-
memory/1684-175-0x0000000000000000-mapping.dmp
-
memory/1700-83-0x0000000000000000-mapping.dmp
-
memory/1748-193-0x00000000000D0000-0x00000000002C2000-memory.dmpFilesize
1.9MB
-
memory/1748-86-0x0000000000000000-mapping.dmp
-
memory/1768-56-0x00000000004F0000-0x00000000004F6000-memory.dmpFilesize
24KB
-
memory/1768-57-0x0000000000550000-0x0000000000588000-memory.dmpFilesize
224KB
-
memory/1768-55-0x00000000003F0000-0x0000000000406000-memory.dmpFilesize
88KB
-
memory/1768-54-0x00000000001B0000-0x00000000001DC000-memory.dmpFilesize
176KB
-
memory/1800-97-0x00000000001B0000-0x00000000001B6000-memory.dmpFilesize
24KB
-
memory/1800-246-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1800-73-0x0000000000000000-mapping.dmp
-
memory/1800-94-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1800-78-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1832-281-0x0000000000000000-mapping.dmp
-
memory/1884-101-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/1884-121-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/1884-250-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/1884-64-0x0000000000000000-mapping.dmp
-
memory/1884-100-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/1980-291-0x0000000000400000-0x000000000054F000-memory.dmpFilesize
1.3MB
-
memory/1980-183-0x0000000000000000-mapping.dmp
-
memory/1980-207-0x0000000000400000-0x000000000054F000-memory.dmpFilesize
1.3MB
-
memory/1980-206-0x00000000002D0000-0x0000000000337000-memory.dmpFilesize
412KB
-
memory/2016-149-0x0000000000000000-mapping.dmp
-
memory/2020-154-0x00000000009E0000-0x0000000000A1C000-memory.dmpFilesize
240KB
-
memory/2020-92-0x0000000000000000-mapping.dmp
-
memory/2060-221-0x00000000001D0000-0x00000000001F3000-memory.dmpFilesize
140KB
-
memory/2060-217-0x00000000001D0000-0x00000000001F3000-memory.dmpFilesize
140KB
-
memory/2060-219-0x00000000001D0000-0x00000000001F3000-memory.dmpFilesize
140KB
-
memory/2060-208-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2060-198-0x0000000000000000-mapping.dmp
-
memory/2080-197-0x0000000000000000-mapping.dmp
-
memory/2140-293-0x0000000000000000-mapping.dmp
-
memory/2144-204-0x0000000000000000-mapping.dmp
-
memory/2164-283-0x0000000000000000-mapping.dmp
-
memory/2164-298-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2164-305-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2168-284-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2168-211-0x0000000000000000-mapping.dmp
-
memory/2168-222-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2212-216-0x0000000000000000-mapping.dmp
-
memory/2224-288-0x0000000000000000-mapping.dmp
-
memory/2244-218-0x0000000000000000-mapping.dmp
-
memory/2244-260-0x0000000010000000-0x0000000010010000-memory.dmpFilesize
64KB
-
memory/2312-225-0x0000000000000000-mapping.dmp
-
memory/2332-228-0x0000000000000000-mapping.dmp
-
memory/2360-229-0x0000000000000000-mapping.dmp
-
memory/2360-271-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/2360-236-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/2360-269-0x00000000001B0000-0x00000000001B3000-memory.dmpFilesize
12KB
-
memory/2372-292-0x0000000000000000-mapping.dmp
-
memory/2404-233-0x0000000000000000-mapping.dmp
-
memory/2404-282-0x0000000001EA0000-0x0000000001ED2000-memory.dmpFilesize
200KB
-
memory/2404-286-0x0000000001FF0000-0x0000000002022000-memory.dmpFilesize
200KB
-
memory/2488-238-0x0000000000000000-mapping.dmp
-
memory/2504-240-0x0000000000000000-mapping.dmp
-
memory/2536-241-0x0000000000000000-mapping.dmp
-
memory/2568-299-0x0000000000000000-mapping.dmp
-
memory/2580-245-0x0000000000000000-mapping.dmp
-
memory/2608-244-0x0000000000000000-mapping.dmp
-
memory/2688-255-0x0000000000000000-mapping.dmp
-
memory/2712-254-0x0000000000000000-mapping.dmp
-
memory/2780-295-0x0000000000400000-0x000000000054F000-memory.dmpFilesize
1.3MB
-
memory/2780-303-0x0000000000C30000-0x0000000000C89000-memory.dmpFilesize
356KB
-
memory/2780-304-0x0000000010000000-0x0000000010126000-memory.dmpFilesize
1.1MB
-
memory/2780-272-0x0000000000000000-mapping.dmp
-
memory/2852-301-0x0000000000000000-mapping.dmp
-
memory/2856-273-0x0000000000000000-mapping.dmp
-
memory/2872-274-0x0000000000000000-mapping.dmp
-
memory/2928-277-0x0000000000000000-mapping.dmp
-
memory/3004-280-0x0000000000000000-mapping.dmp