badrabbit | 0b3e020b38d82713f98143e909cfdaf919b8aeedba30313614c8a6a08a9774ab

Resubmissions

20-07-2023 23:03

230720-21x8ksba59 10

20-07-2023 23:02

20-07-2023 23:01

19-04-2023 13:09

23-03-2023 02:20

11-03-2023 13:45

Analysis

max time kernel
175s
max time network
209s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Size

148KB
MD5

6ed3e3327246cc457d22bb92bd3bba8b
SHA1

1329a6af26f16bb371782ff404d526eec1af9d22
SHA256

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
SHA512

f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7
SSDEEP

3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh

Score

10^/10

badrabbit troldesh wannacry bootkit discovery evasion persistence ransomware trojan upx worm

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Endermanch@Xyeta.exeEndermanch@Birele.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxtjy2yq.f3p\\Endermanch@Xyeta.exe"	Endermanch@Xyeta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzowzp5.veb\\Endermanch@Birele.exe"	Endermanch@Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxtjy2yq.f3p\\Endermanch@Xyeta.exe"	Endermanch@Xyeta.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1097) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1548 netsh.exe
1312 netsh.exe

pid	process
1548	netsh.exe
1312	netsh.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@Xyeta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Endermanch@Xyeta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe"	Endermanch@Xyeta.exe

Drops startup file 1 IoCs

Processes:

Endermanch@DeriaLock.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe Endermanch@DeriaLock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	Endermanch@DeriaLock.exe

Executes dropped EXE 44 IoCs

Processes:

Endermanch@BadRabbit.exeEndermanch@Birele.exeEndermanch@Cerber5.exeEndermanch@DeriaLock.exeFantom.exeEndermanch@InfinityCrypt.exeEndermanch@Krotten.exeEndermanch@NoMoreRansom.exeEndermanch@Petya.A.exeEndermanch@PolyRansom.exeTaQwEgMU.exeKqwMscwU.exeEndermanch@PolyRansom.exeEndermanch@WinlockerVB6Blacksod.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@WannaCrypt0r.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@Xyeta.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeBFA8.tmpEndermanch@Antivirus.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@AntivirusPlatinum.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@AntivirusPro2017.exeEndermanch@ViraLock.exe

pid	process
1980	Endermanch@BadRabbit.exe
1228	Endermanch@Birele.exe
432	Endermanch@Cerber5.exe
1800	Endermanch@DeriaLock.exe
1348	Fantom.exe
772	Endermanch@InfinityCrypt.exe
1400	Endermanch@Krotten.exe
1860	Endermanch@NoMoreRansom.exe
1572	Endermanch@Petya.A.exe
1980	Endermanch@PolyRansom.exe
512	TaQwEgMU.exe
1300	KqwMscwU.exe
1296	Endermanch@PolyRansom.exe
1508	Endermanch@WinlockerVB6Blacksod.exe
1568	Endermanch@PolyRansom.exe
1856	Endermanch@PolyRansom.exe
1924	Endermanch@ViraLock.exe
2164	Endermanch@PolyRansom.exe
2244	Endermanch@PolyRansom.exe
2448	Endermanch@ViraLock.exe
1980	Endermanch@PolyRansom.exe
2716	Endermanch@ViraLock.exe
2004	Endermanch@ViraLock.exe
2372	Endermanch@PolyRansom.exe
2812	Endermanch@WannaCrypt0r.exe
988	Endermanch@PolyRansom.exe
2108	Endermanch@ViraLock.exe
2620	Endermanch@PolyRansom.exe
2828	Endermanch@Xyeta.exe
2268	Endermanch@PolyRansom.exe
2532	Endermanch@ViraLock.exe
948	Endermanch@PolyRansom.exe
2116	Endermanch@ViraLock.exe
2728	BFA8.tmp
2588	Endermanch@Antivirus.exe
2376	Endermanch@PolyRansom.exe
2184	Endermanch@ViraLock.exe
2304	Endermanch@ViraLock.exe
2200	Endermanch@PolyRansom.exe
392	Endermanch@AntivirusPlatinum.exe
2604	Endermanch@PolyRansom.exe
2880	Endermanch@ViraLock.exe
2764	Endermanch@AntivirusPro2017.exe
1544	Endermanch@ViraLock.exe

Loads dropped DLL 59 IoCs

Processes:

Endermanch@PolyRansom.execmd.execmd.execmd.execmd.execmd.execmd.exeEndermanch@WinlockerVB6Blacksod.execmd.execmd.execmd.execmd.exeTaQwEgMU.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeEndermanch@WannaCrypt0r.exe

pid	process
1980	Endermanch@PolyRansom.exe
1980	Endermanch@PolyRansom.exe
1980	Endermanch@PolyRansom.exe
1980	Endermanch@PolyRansom.exe
1916	cmd.exe
1916	cmd.exe
864	cmd.exe
864	cmd.exe
1464	cmd.exe
1464	cmd.exe
2088	cmd.exe
2088	cmd.exe
2504	cmd.exe
2504	cmd.exe
2740	cmd.exe
2740	cmd.exe
1508	Endermanch@WinlockerVB6Blacksod.exe
1508	Endermanch@WinlockerVB6Blacksod.exe
1568	cmd.exe
1568	cmd.exe
1916	cmd.exe
1916	cmd.exe
2852	cmd.exe
2760	cmd.exe
2760	cmd.exe
2852	cmd.exe
512	TaQwEgMU.exe
512	TaQwEgMU.exe
512	TaQwEgMU.exe
2492	cmd.exe
2492	cmd.exe
2488	cmd.exe
2488	cmd.exe
3024	cmd.exe
3024	cmd.exe
1804	cmd.exe
1804	cmd.exe
432	cmd.exe
432	cmd.exe
2940	cmd.exe
2940	cmd.exe
2416	cmd.exe
2416	cmd.exe
512	TaQwEgMU.exe
2156	cmd.exe
2156	cmd.exe
2088	cmd.exe
2088	cmd.exe
2872	cmd.exe
2872	cmd.exe
2652	cmd.exe
2652	cmd.exe
1632	cmd.exe
3056	cmd.exe
1632	cmd.exe
3056	cmd.exe
2076	cmd.exe
2076	cmd.exe
2812	Endermanch@WannaCrypt0r.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2484 icacls.exe

pid	process
2484	icacls.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ifzowzp5.veb\Endermanch@Birele.exe	upx
C:\Users\Admin\AppData\Local\Temp\ifzowzp5.veb\Endermanch@Birele.exe	upx
behavioral1/memory/1228-83-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1228-112-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1860-294-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1860-327-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/864-413-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1568-615-0x0000000001F50000-0x0000000001F89000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\wxtjy2yq.f3p\Endermanch@Xyeta.exe	upx

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@PolyRansom.exeKqwMscwU.exeEndermanch@Krotten.exeEndermanch@NoMoreRansom.exeTaQwEgMU.exeEndermanch@Birele.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KqwMscwU.exe = "C:\\ProgramData\\NAoUAcYg\\KqwMscwU.exe"	Endermanch@PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KqwMscwU.exe = "C:\\ProgramData\\NAoUAcYg\\KqwMscwU.exe"	KqwMscwU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Endermanch@NoMoreRansom.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Endermanch@NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaQwEgMU.exe = "C:\\Users\\Admin\\fUYgoYsM\\TaQwEgMU.exe"	Endermanch@PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaQwEgMU.exe = "C:\\Users\\Admin\\fUYgoYsM\\TaQwEgMU.exe"	TaQwEgMU.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Endermanch@Birele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzowzp5.veb\\Endermanch@Birele.exe"	Endermanch@Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Endermanch@Krotten.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Endermanch@Cerber5.exe

description	ioc	process
File opened (read-only)	\??\x:	Endermanch@Cerber5.exe
File opened (read-only)	\??\f:	Endermanch@Cerber5.exe
File opened (read-only)	\??\t:	Endermanch@Cerber5.exe
File opened (read-only)	\??\u:	Endermanch@Cerber5.exe
File opened (read-only)	\??\w:	Endermanch@Cerber5.exe
File opened (read-only)	\??\g:	Endermanch@Cerber5.exe
File opened (read-only)	\??\o:	Endermanch@Cerber5.exe
File opened (read-only)	\??\p:	Endermanch@Cerber5.exe
File opened (read-only)	\??\h:	Endermanch@Cerber5.exe
File opened (read-only)	\??\i:	Endermanch@Cerber5.exe
File opened (read-only)	\??\k:	Endermanch@Cerber5.exe
File opened (read-only)	\??\r:	Endermanch@Cerber5.exe
File opened (read-only)	\??\a:	Endermanch@Cerber5.exe
File opened (read-only)	\??\b:	Endermanch@Cerber5.exe
File opened (read-only)	\??\e:	Endermanch@Cerber5.exe
File opened (read-only)	\??\n:	Endermanch@Cerber5.exe
File opened (read-only)	\??\q:	Endermanch@Cerber5.exe
File opened (read-only)	\??\s:	Endermanch@Cerber5.exe
File opened (read-only)	\??\v:	Endermanch@Cerber5.exe
File opened (read-only)	\??\y:	Endermanch@Cerber5.exe
File opened (read-only)	\??\j:	Endermanch@Cerber5.exe
File opened (read-only)	\??\l:	Endermanch@Cerber5.exe
File opened (read-only)	\??\m:	Endermanch@Cerber5.exe
File opened (read-only)	\??\z:	Endermanch@Cerber5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail wordsia@notrix.de êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Endermanch@Krotten.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Endermanch@Petya.A.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Endermanch@Petya.A.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@Petya.A.exe

Drops file in Program Files directory 9 IoCs

Processes:

Endermanch@InfinityCrypt.exeEndermanch@Antivirus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840	Endermanch@InfinityCrypt.exe
File created	C:\Program Files (x86)\AnVi\virus.mp3	Endermanch@Antivirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840	Endermanch@InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840	Endermanch@InfinityCrypt.exe
File created	C:\Program Files (x86)\AnVi\splash.mp3	Endermanch@Antivirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840	Endermanch@InfinityCrypt.exe

Drops file in Windows directory 6 IoCs

Processes:

Endermanch@BadRabbit.exerundll32.exeEndermanch@Krotten.exe

description	ioc	process
File created	C:\Windows\infpub.dat	Endermanch@BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\WINDOWS\Web	Endermanch@Krotten.exe
File opened for modification	C:\Windows\BFA8.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Endermanch@InfinityCrypt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Endermanch@InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Endermanch@InfinityCrypt.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

328 schtasks.exe
1680 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1592 taskkill.exe
1008 taskkill.exe

pid	process
328	schtasks.exe
1680	schtasks.exe

pid	process
1592	taskkill.exe
1008	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

Processes:

Endermanch@Krotten.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Endermanch@Krotten.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

Endermanch@Krotten.exeEndermanch@Antivirus.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Endermanch@Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	Endermanch@Antivirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"	Endermanch@Antivirus.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Endermanch@Krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://poetry.rotten.com/lightning/"	Endermanch@Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Endermanch@Krotten.exe

Modifies registry class 1 IoCs

Processes:

Endermanch@Krotten.exe

description ioc process

Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND Endermanch@Krotten.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND	Endermanch@Krotten.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
848	reg.exe
2160	reg.exe
2920	reg.exe
2552	reg.exe
2636	reg.exe
1960	reg.exe
2840	reg.exe
2844	reg.exe
2368	reg.exe
1036	reg.exe
1256	reg.exe
1372	reg.exe
2152	reg.exe
2520	reg.exe
2832	reg.exe
1968	reg.exe
2856	reg.exe
2164	reg.exe
580	reg.exe
2896	reg.exe
2904	reg.exe
3064	reg.exe
2960	reg.exe
2556	reg.exe
1980	reg.exe
2892	reg.exe
1000	reg.exe
2396	reg.exe
2196	reg.exe
2512	reg.exe
2820	reg.exe
3028	reg.exe
2368	reg.exe
2344	reg.exe
3024	reg.exe
2472	reg.exe
2760	reg.exe
2428	reg.exe
2980	reg.exe
2612	reg.exe
3064	reg.exe
1016	reg.exe
1608	reg.exe
3008	reg.exe
1992	reg.exe
3012	reg.exe
608	reg.exe
2132	reg.exe
2828	reg.exe
2844	reg.exe
2816	reg.exe
2564	reg.exe
2884	reg.exe
2900	reg.exe
2428	reg.exe
1824	reg.exe
2352	reg.exe
2532	reg.exe
3044	reg.exe
3060	reg.exe
268	reg.exe
2700	reg.exe
1788	reg.exe
2108	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2356 PING.EXE

pid	process
2356	PING.EXE

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

rundll32.exeEndermanch@NoMoreRansom.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeBFA8.tmpEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exeEndermanch@PolyRansom.exe

pid	process
1496	rundll32.exe
1496	rundll32.exe
1860	Endermanch@NoMoreRansom.exe
1860	Endermanch@NoMoreRansom.exe
1980	Endermanch@PolyRansom.exe
1980	Endermanch@PolyRansom.exe
1296	Endermanch@PolyRansom.exe
1296	Endermanch@PolyRansom.exe
1568	Endermanch@PolyRansom.exe
1568	Endermanch@PolyRansom.exe
1856	Endermanch@PolyRansom.exe
1856	Endermanch@PolyRansom.exe
1924	Endermanch@ViraLock.exe
1924	Endermanch@ViraLock.exe
2164	Endermanch@PolyRansom.exe
2164	Endermanch@PolyRansom.exe
2448	Endermanch@ViraLock.exe
2448	Endermanch@ViraLock.exe
2244	Endermanch@PolyRansom.exe
2244	Endermanch@PolyRansom.exe
1980	Endermanch@PolyRansom.exe
1980	Endermanch@PolyRansom.exe
2716	Endermanch@ViraLock.exe
2716	Endermanch@ViraLock.exe
2004	Endermanch@ViraLock.exe
2004	Endermanch@ViraLock.exe
2372	Endermanch@PolyRansom.exe
2372	Endermanch@PolyRansom.exe
988	Endermanch@PolyRansom.exe
988	Endermanch@PolyRansom.exe
2108	Endermanch@ViraLock.exe
2108	Endermanch@ViraLock.exe
2620	Endermanch@PolyRansom.exe
2620	Endermanch@PolyRansom.exe
2268	Endermanch@PolyRansom.exe
2268	Endermanch@PolyRansom.exe
2268	Endermanch@PolyRansom.exe
2268	Endermanch@PolyRansom.exe
2532	Endermanch@ViraLock.exe
2532	Endermanch@ViraLock.exe
2532	Endermanch@ViraLock.exe
2532	Endermanch@ViraLock.exe
2116	Endermanch@ViraLock.exe
2116	Endermanch@ViraLock.exe
948	Endermanch@PolyRansom.exe
948	Endermanch@PolyRansom.exe
2728	BFA8.tmp
2728	BFA8.tmp
2728	BFA8.tmp
2728	BFA8.tmp
2728	BFA8.tmp
2376	Endermanch@PolyRansom.exe
2376	Endermanch@PolyRansom.exe
2184	Endermanch@ViraLock.exe
2184	Endermanch@ViraLock.exe
2304	Endermanch@ViraLock.exe
2304	Endermanch@ViraLock.exe
2200	Endermanch@PolyRansom.exe
2200	Endermanch@PolyRansom.exe
2880	Endermanch@ViraLock.exe
2880	Endermanch@ViraLock.exe
2604	Endermanch@PolyRansom.exe
2604	Endermanch@PolyRansom.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exerundll32.exetaskkill.exeEndermanch@Krotten.exeFantom.exeEndermanch@Petya.A.exeEndermanch@Cerber5.exetaskkill.exeBFA8.tmpmsiexec.exeEndermanch@WinlockerVB6Blacksod.exe

description	pid	process
Token: SeDebugPrivilege	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Token: SeShutdownPrivilege	1496	rundll32.exe
Token: SeDebugPrivilege	1496	rundll32.exe
Token: SeTcbPrivilege	1496	rundll32.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeSystemtimePrivilege	1400	Endermanch@Krotten.exe
Token: SeDebugPrivilege	1348	Fantom.exe
Token: SeShutdownPrivilege	1572	Endermanch@Petya.A.exe
Token: SeShutdownPrivilege	432	Endermanch@Cerber5.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	2728	BFA8.tmp
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeSecurityPrivilege	2740	msiexec.exe
Token: SeCreateTokenPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeAssignPrimaryTokenPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeLockMemoryPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeIncreaseQuotaPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeMachineAccountPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeTcbPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSecurityPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeTakeOwnershipPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeLoadDriverPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSystemProfilePrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSystemtimePrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeProfSingleProcessPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeIncBasePriorityPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeCreatePagefilePrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeCreatePermanentPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeBackupPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeRestorePrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeDebugPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeAuditPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSystemEnvironmentPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeChangeNotifyPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeRemoteShutdownPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeUndockPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeSyncAgentPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeEnableDelegationPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeManageVolumePrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeImpersonatePrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe
Token: SeCreateGlobalPrivilege	1508	Endermanch@WinlockerVB6Blacksod.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Endermanch@Xyeta.exeEndermanch@Antivirus.exe

pid process

2828 Endermanch@Xyeta.exe
2588 Endermanch@Antivirus.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Endermanch@Antivirus.exe

pid process

2588 Endermanch@Antivirus.exe
2588 Endermanch@Antivirus.exe
2588 Endermanch@Antivirus.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

Endermanch@Cerber5.exeEndermanch@NoMoreRansom.exe

pid process

432 Endermanch@Cerber5.exe
1860 Endermanch@NoMoreRansom.exe

pid	process
2828	Endermanch@Xyeta.exe
2588	Endermanch@Antivirus.exe

pid	process
2588	Endermanch@Antivirus.exe
2588	Endermanch@Antivirus.exe
2588	Endermanch@Antivirus.exe

pid	process
432	Endermanch@Cerber5.exe
1860	Endermanch@NoMoreRansom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exeEndermanch@BadRabbit.exerundll32.exeEndermanch@Birele.execmd.execmd.exeEndermanch@Cerber5.exe

description	pid	process	target process
PID 2044 wrote to memory of 1980	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@BadRabbit.exe
PID 2044 wrote to memory of 1980	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@BadRabbit.exe
PID 2044 wrote to memory of 1980	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@BadRabbit.exe
PID 2044 wrote to memory of 1980	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@BadRabbit.exe
PID 2044 wrote to memory of 1980	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@BadRabbit.exe
PID 2044 wrote to memory of 1980	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@BadRabbit.exe
PID 2044 wrote to memory of 1980	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@BadRabbit.exe
PID 1980 wrote to memory of 1496	1980	Endermanch@BadRabbit.exe	rundll32.exe
PID 1980 wrote to memory of 1496	1980	Endermanch@BadRabbit.exe	rundll32.exe
PID 1980 wrote to memory of 1496	1980	Endermanch@BadRabbit.exe	rundll32.exe
PID 1980 wrote to memory of 1496	1980	Endermanch@BadRabbit.exe	rundll32.exe
PID 1980 wrote to memory of 1496	1980	Endermanch@BadRabbit.exe	rundll32.exe
PID 1980 wrote to memory of 1496	1980	Endermanch@BadRabbit.exe	rundll32.exe
PID 1980 wrote to memory of 1496	1980	Endermanch@BadRabbit.exe	rundll32.exe
PID 2044 wrote to memory of 1228	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Birele.exe
PID 2044 wrote to memory of 1228	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Birele.exe
PID 2044 wrote to memory of 1228	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Birele.exe
PID 2044 wrote to memory of 1228	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Birele.exe
PID 1496 wrote to memory of 288	1496	rundll32.exe	cmd.exe
PID 1496 wrote to memory of 288	1496	rundll32.exe	cmd.exe
PID 1496 wrote to memory of 288	1496	rundll32.exe	cmd.exe
PID 1496 wrote to memory of 288	1496	rundll32.exe	cmd.exe
PID 1228 wrote to memory of 1592	1228	Endermanch@Birele.exe	taskkill.exe
PID 1228 wrote to memory of 1592	1228	Endermanch@Birele.exe	taskkill.exe
PID 1228 wrote to memory of 1592	1228	Endermanch@Birele.exe	taskkill.exe
PID 1228 wrote to memory of 1592	1228	Endermanch@Birele.exe	taskkill.exe
PID 2044 wrote to memory of 432	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Cerber5.exe
PID 2044 wrote to memory of 432	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Cerber5.exe
PID 2044 wrote to memory of 432	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Cerber5.exe
PID 2044 wrote to memory of 432	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Cerber5.exe
PID 288 wrote to memory of 1332	288	cmd.exe	schtasks.exe
PID 288 wrote to memory of 1332	288	cmd.exe	schtasks.exe
PID 288 wrote to memory of 1332	288	cmd.exe	schtasks.exe
PID 288 wrote to memory of 1332	288	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1800	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@DeriaLock.exe
PID 2044 wrote to memory of 1800	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@DeriaLock.exe
PID 2044 wrote to memory of 1800	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@DeriaLock.exe
PID 2044 wrote to memory of 1800	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@DeriaLock.exe
PID 2044 wrote to memory of 1348	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Fantom.exe
PID 2044 wrote to memory of 1348	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Fantom.exe
PID 2044 wrote to memory of 1348	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Fantom.exe
PID 2044 wrote to memory of 1348	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Fantom.exe
PID 2044 wrote to memory of 1348	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Fantom.exe
PID 2044 wrote to memory of 1348	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Fantom.exe
PID 2044 wrote to memory of 1348	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Fantom.exe
PID 2044 wrote to memory of 772	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@InfinityCrypt.exe
PID 2044 wrote to memory of 772	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@InfinityCrypt.exe
PID 2044 wrote to memory of 772	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@InfinityCrypt.exe
PID 2044 wrote to memory of 772	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@InfinityCrypt.exe
PID 2044 wrote to memory of 1400	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Krotten.exe
PID 2044 wrote to memory of 1400	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Krotten.exe
PID 2044 wrote to memory of 1400	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Krotten.exe
PID 2044 wrote to memory of 1400	2044	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	Endermanch@Krotten.exe
PID 1496 wrote to memory of 1540	1496	rundll32.exe	cmd.exe
PID 1496 wrote to memory of 1540	1496	rundll32.exe	cmd.exe
PID 1496 wrote to memory of 1540	1496	rundll32.exe	cmd.exe
PID 1496 wrote to memory of 1540	1496	rundll32.exe	cmd.exe
PID 1540 wrote to memory of 328	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 328	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 328	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 328	1540	cmd.exe	schtasks.exe
PID 432 wrote to memory of 1548	432	Endermanch@Cerber5.exe	netsh.exe
PID 432 wrote to memory of 1548	432	Endermanch@Cerber5.exe	netsh.exe
PID 432 wrote to memory of 1548	432	Endermanch@Cerber5.exe	netsh.exe

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

Processes:

Endermanch@Krotten.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Endermanch@Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Endermanch@Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Endermanch@Krotten.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2604 attrib.exe

pid	process
2604	attrib.exe

C:\Users\Admin\AppData\Local\Temp\72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
"C:\Users\Admin\AppData\Local\Temp\72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\4s5mjz3f.n5x\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\4s5mjz3f.n5x\Endermanch@BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
4⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
5⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 381835330 && exit"
4⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 381835330 && exit"
5⤵
- Creates scheduled task(s)
PID:328

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:06:00
4⤵
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:06:00
5⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\BFA8.tmp
"C:\Windows\BFA8.tmp" \\.\pipe\{3494D74D-BEC1-42A1-A5A9-6537148037A2}
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Local\Temp\ifzowzp5.veb\Endermanch@Birele.exe
"C:\Users\Admin\AppData\Local\Temp\ifzowzp5.veb\Endermanch@Birele.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\AppData\Local\Temp\c5kz2ewg.1ic\Endermanch@Cerber5.exe
"C:\Users\Admin\AppData\Local\Temp\c5kz2ewg.1ic\Endermanch@Cerber5.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
3⤵
- Modifies Windows Firewall
PID:1548

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
3⤵
- Modifies Windows Firewall
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
3⤵
PID:3016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "E"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2356

C:\Users\Admin\AppData\Local\Temp\jubazenl.vfs\Endermanch@DeriaLock.exe
"C:\Users\Admin\AppData\Local\Temp\jubazenl.vfs\Endermanch@DeriaLock.exe"
2⤵
- Drops startup file
- Executes dropped EXE
PID:1800

C:\Users\Admin\AppData\Local\Temp\jwqbiyut.njb\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\jwqbiyut.njb\Fantom.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Users\Admin\AppData\Local\Temp\2spfodx0.mdt\Endermanch@InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2spfodx0.mdt\Endermanch@InfinityCrypt.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:772

C:\Users\Admin\AppData\Local\Temp\dr2gsskz.bbq\Endermanch@Krotten.exe
"C:\Users\Admin\AppData\Local\Temp\dr2gsskz.bbq\Endermanch@Krotten.exe"
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1400

C:\Users\Admin\AppData\Local\Temp\rkw1on2c.4tx\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\rkw1on2c.4tx\Endermanch@NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1860

C:\Users\Admin\AppData\Local\Temp\aizexndg.veh\Endermanch@Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\aizexndg.veh\Endermanch@Petya.A.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
"C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Users\Admin\fUYgoYsM\TaQwEgMU.exe
"C:\Users\Admin\fUYgoYsM\TaQwEgMU.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:512

C:\ProgramData\NAoUAcYg\KqwMscwU.exe
"C:\ProgramData\NAoUAcYg\KqwMscwU.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
3⤵
- Loads dropped DLL
PID:1916

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
5⤵
- Loads dropped DLL
PID:864

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
7⤵
- Loads dropped DLL
PID:1464

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
9⤵
- Loads dropped DLL
PID:2088

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
11⤵
- Loads dropped DLL
PID:2504

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
13⤵
- Loads dropped DLL
PID:1568

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
15⤵
- Loads dropped DLL
PID:2852

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
17⤵
- Loads dropped DLL
PID:2492

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
19⤵
- Loads dropped DLL
PID:3024

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
21⤵
- Loads dropped DLL
PID:1804

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
23⤵
- Loads dropped DLL
PID:2940

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
25⤵
- Loads dropped DLL
PID:2088

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
27⤵
- Loads dropped DLL
PID:2652

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
29⤵
- Loads dropped DLL
PID:1632

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
30⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom"
31⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
32⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
31⤵
- Modifies registry key
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
31⤵
- Modifies registry key
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
31⤵
- Modifies registry key
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgIwYEQo.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
31⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
29⤵
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
29⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
29⤵
- Modifies registry key
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQIIwIwc.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
29⤵
PID:3040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
30⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
27⤵
- Modifies registry key
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
27⤵
- Modifies registry key
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
27⤵
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkAEkYQs.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
27⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
28⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
25⤵
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
25⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
25⤵
- Modifies registry key
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEMsIccU.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
25⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
26⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
23⤵
- Modifies registry key
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
23⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
23⤵
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSgsgcco.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
23⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
24⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
- Modifies registry key
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
- Modifies registry key
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwgswsMw.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
21⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
22⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
- Modifies registry key
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
- Modifies registry key
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOMwcscY.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
19⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
- Modifies registry key
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
- Modifies registry key
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIgYcgAA.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
17⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
- Modifies registry key
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
- Modifies registry key
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
- Modifies registry key
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAQwccwE.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
15⤵
PID:2112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies registry key
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkIcMkYs.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
13⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
- Modifies registry key
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
- Modifies registry key
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
- Modifies registry key
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwEwYAMI.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
11⤵
PID:2172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCwIoIQI.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
9⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
- Modifies registry key
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies registry key
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUMIwoQc.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
7⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies registry key
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies registry key
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkIUUkMU.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
5⤵
PID:2300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMccoMwU.bat" "C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe""
3⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\f11uihd0.bbw\Endermanch@WinlockerVB6Blacksod.exe
"C:\Users\Admin\AppData\Local\Temp\f11uihd0.bbw\Endermanch@WinlockerVB6Blacksod.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
3⤵
- Loads dropped DLL
PID:2740

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
5⤵
- Loads dropped DLL
PID:1916

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
7⤵
- Loads dropped DLL
PID:2760

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
9⤵
- Loads dropped DLL
PID:2488

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
11⤵
- Loads dropped DLL
PID:432

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
13⤵
- Loads dropped DLL
PID:2416

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
15⤵
- Loads dropped DLL
PID:2156

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
17⤵
- Loads dropped DLL
PID:2872

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
19⤵
- Loads dropped DLL
PID:3056

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock"
21⤵
- Loads dropped DLL
PID:2076

C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
22⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
- Modifies registry key
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
- Modifies registry key
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
- Modifies registry key
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\umsEYsIg.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
21⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
- Modifies registry key
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
- Modifies registry key
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUcAkswA.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
19⤵
PID:2188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
- Modifies registry key
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
- Modifies registry key
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
- Modifies registry key
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQsUQEQo.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
17⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
- Modifies registry key
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
- Modifies registry key
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYokIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
15⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEoQgoIc.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
13⤵
PID:2452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
- Modifies registry key
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies registry key
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EEYwocYc.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
11⤵
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies registry key
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OScsEIcA.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
9⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsMcIUMs.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
7⤵
PID:2384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
- Modifies registry key
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKYgggIo.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
5⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQkUAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe""
3⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\xbn0n1zb.hcz\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\xbn0n1zb.hcz\Endermanch@WannaCrypt0r.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:2604

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2484

C:\Users\Admin\AppData\Local\Temp\xbn0n1zb.hcz\taskdl.exe
taskdl.exe
3⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c 285381678546154.bat
3⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\wxtjy2yq.f3p\Endermanch@Xyeta.exe
"C:\Users\Admin\AppData\Local\Temp\wxtjy2yq.f3p\Endermanch@Xyeta.exe"
2⤵
- Modifies WinLogon for persistence
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2828

C:\Users\Admin\AppData\Local\Temp\0uoczxdb.shz\Endermanch@Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\0uoczxdb.shz\Endermanch@Antivirus.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Users\Admin\AppData\Local\Temp\ciuirlpb.vdp\Endermanch@AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\ciuirlpb.vdp\Endermanch@AntivirusPlatinum.exe"
2⤵
- Executes dropped EXE
PID:392

C:\Users\Admin\AppData\Local\Temp\vzd5qvun.jbj\Endermanch@AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\vzd5qvun.jbj\Endermanch@AntivirusPro2017.exe"
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Network Service Scanning

T1046

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NAoUAcYg\KqwMscwU.exe
Filesize
185KB

MD5
485f91cfd494871e1e3aff9dd1fcd725

SHA1
98d3cfed819dae147893cfe9b6ad6015b94938f4

SHA256
5573d4e4375d3f2f5ca46edde6d55e9b0d8efed5bbd53e1c0c58e933916978e9

SHA512
c10291ba7c3660693dcd644ce0c09dcb556be5a57c9d59c8c183a5146fab0e763865f0b5d4e83c778b3c3d4abeea185dcef5ac65b49bfd5a681a18838931c111

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.exe
Filesize
185KB

MD5
485f91cfd494871e1e3aff9dd1fcd725

SHA1
98d3cfed819dae147893cfe9b6ad6015b94938f4

SHA256
5573d4e4375d3f2f5ca46edde6d55e9b0d8efed5bbd53e1c0c58e933916978e9

SHA512
c10291ba7c3660693dcd644ce0c09dcb556be5a57c9d59c8c183a5146fab0e763865f0b5d4e83c778b3c3d4abeea185dcef5ac65b49bfd5a681a18838931c111

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
721a612afd39a22869831493bfb143e9

SHA1
537e1422dc15fbbc9673f838a6a6a74038ee8c31

SHA256
113c0a55c013ad06b8c50f7e7bb94916456c98f045c418f57778d516da1da0a2

SHA512
93066b190abdf409548db802d4b66899ae0cc8af4fba25c02359995a164da714dc9a772e84e9687f45e5a02e63c63b7a0766ca1cc3d25f28cead94a447a1a469

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
1f24a3fe038c5abd7cc2dbe4d88084d6

SHA1
116b1003e919d98ff29a5b54b0321bde6e18b993

SHA256
b2cb49ec8c2356e6ea722cc2264ff26213e5cc40b731288bfd894ed562af196b

SHA512
82823ac3dafa756f0ea12d4b1bcede2df260da05ac246f58dc6dc919c445ed7e249b7bfc2736b8dc186187dafa7b0bce645d43549b1a7ce14a3ee2c7fc39fa85

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
efc531ec0abc3151b367775a93bc5014

SHA1
64806122477dfe8246174017d6d54345d6f30cca

SHA256
a45f49cd3bcd101d18ce6c709db76c70bea24e27acf427a462ec7d66ccf3f67d

SHA512
d9c5264893db3dedc8aa8e7919826ec558e3e48f9da558a6f0669d5017de26f12695d2066d6370f86a8982e62921f860f371fc2280fcea3a1fbe23fdf39b9bde

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
de25f144c235268103776a3c545f24ec

SHA1
d9beb07d8d3fb82c5899ce34e3eac537442ed0c7

SHA256
104a1e7c00a62d9e516dda06f64bf8a99d6a2b5db5b8232004eae4d05f9cecb1

SHA512
f5859f47bd4d655bb849f86bd196b35cd846ab7a0d4645f3a84cbdb90247b5794d1b3c0ec03fb2390b15d763a2391266aae2274eda006e270beac0007719f59f

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
ad4db440add7e62023396c43ebdedffd

SHA1
cdf824927933ddfea5d194820736a63a2ce44ce6

SHA256
252e8fe3009f4010152c4e585ec1d5c50c9829f4c4ed72c30afca6a7b5e85f0e

SHA512
9e5d9dc94ffe46d05051f710c8c558c51d79ce15804e5dd2ab43555f499fb0255e59616c1b7bd3dd522881b9dc3ed4c6fa4a83420c5f5dec645d3313d56aa11b

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
ad4db440add7e62023396c43ebdedffd

SHA1
cdf824927933ddfea5d194820736a63a2ce44ce6

SHA256
252e8fe3009f4010152c4e585ec1d5c50c9829f4c4ed72c30afca6a7b5e85f0e

SHA512
9e5d9dc94ffe46d05051f710c8c558c51d79ce15804e5dd2ab43555f499fb0255e59616c1b7bd3dd522881b9dc3ed4c6fa4a83420c5f5dec645d3313d56aa11b

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
f6aa7bbfb09092761d158506c5a60477

SHA1
0670e7ea5a8d57829040b972febae1a554495147

SHA256
504d18249e7e57b0f7f23275b63948a9a2e1099e3752c4f7164c866d1904cf16

SHA512
0dfdab9a05d3a5d8f521d31ff33bc365e561cab3d4ddcc85a386958c55d3e752caa3379720844821c8fd64c40589d1a37b2f6cfccae1082d17a9209969db2fd8

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
8981968fdf7d603709623364230cc3c5

SHA1
6b960b78c98e17c1b5e61a7f8b22d0c050c2a31b

SHA256
4be47f402de66cf66dea8b1343aa16948ad6befd0721540c24b92872e7a643b8

SHA512
d20159ee7e90eceaa3bb9782f1869d7b88431ec415621d9507a6af63438547940ef183556c03b45e8fc3f9a9b7e6c841f71446eacf51f9e66990e7bf0745a488

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
a2aa6aa422aed1dbb792e2726c0f62dc

SHA1
a4445cf3c4ebc48ac1626cf0d157a568f68cf43e

SHA256
4e88c5ad0326e4af406cbe5116842365ac7ce890db569b066079136351c3459c

SHA512
7b00f18dc6f0aa5583590477d3d6b7ca832249f48904987c2e8767c5c065aa71a4587e64974aad6c400e4a2a38e03f875799ae373a075b0f0f5f104c83c5dccf

Download Submit
C:\ProgramData\NAoUAcYg\KqwMscwU.inf
Filesize
4B

MD5
0e5943df7ea4866ac8cf2b43bd9b6ee5

SHA1
61a7aee349ff8d9b13f456161e46c44ce2279fb5

SHA256
43ff1587f24c5192bfab055ae0289db354cc8ce0bec2a235a468e0fc3c54a3af

SHA512
d9b32fe6e515feeda646e29cac8add0b8c6494e084d71c404bedaebab985d8b90bacb2ecf704ef9a0035060dd076873fb9452577df5307642a0640c8d663283d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uoczxdb.shz\Endermanch@Antivirus.exe
Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\2spfodx0.mdt\Endermanch@InfinityCrypt.exe
Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\2spfodx0.mdt\Endermanch@InfinityCrypt.exe
Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\4s5mjz3f.n5x\Endermanch@BadRabbit.exe
Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\4s5mjz3f.n5x\Endermanch@BadRabbit.exe
Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiYIQIQE.bat
Filesize
4B

MD5
ec2b730575cc835789f52f1ee8fe9101

SHA1
99e5c3fc9eeffdcbc602a9db3d81159ffda3a3ca

SHA256
d9f7d8e1a63e9245fd6befa8c71c878ce09df7331d8ce8d912d5b7715d92882b

SHA512
0fa942ead8e4a8d59c0883bed063e2069f9896474eeab98ce8203cc9ff26884b87a6ced2b8020bf7a84843479276ecfe13560c14dd6b20ab242fe3e46000b5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGoggMMM.bat
Filesize
4B

MD5
618e0f8ddcdeeb907f18d90088fe1e0f

SHA1
0c7b0c091cc49c3cbeb12c5adc8f9ab4807a37c1

SHA256
7a480f1c0a81162c6b45de05f14385075126364adcec844284b48c423a65b06a

SHA512
8277c1e74074aff862317328388e6a02dd8af8ceb93cdc8f63d81703186032f4223d3bd49577644a85763b72d55eee241033afbe7f102507d922f8eea3850cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWwEsQoI.bat
Filesize
4B

MD5
0d599045abd3d219ae93d720f27240c8

SHA1
c4c9e3b5f65961bed3035f9e737662e38d0e8412

SHA256
51cc2989d243525ae6a209212c0fce0c2239c8a7bb0c667b00ecf18d49851cc0

SHA512
dc07c251454273ec978e8e98eb7a746e3026dbb353e040733b7b68952c8fb91c2c04b51d0a7aa6fc1ab960a7eb4e9ea9e9e61477a1a48185c7f50fe5f580e44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HccoQQww.bat
Filesize
4B

MD5
f493af5ab8e8d4ff80c07448b087ba80

SHA1
eef9126d3bfafc27ece34ea9248b75b8623d6ae6

SHA256
1c85b7673828d680d5803b0966c31d570a786c2fab2c64c877a80525f43cf1db

SHA512
fef016d437cf2545d5bba28625f1c05465d66a3660ef27a3b9a81a6ee2580cc54b805f502c74431374c9542101adbd8e0f02b277fa874b7b6afb050f63946492

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgYEAEgo.bat
Filesize
4B

MD5
25fa6bc6cf91a27c2bad6760bbd0586e

SHA1
3ba0deb9272f4799167ac2648b00f99d2cc80ac2

SHA256
94dc6c1f297e571839a44df4c40e283ade1a6400ea9c5e49f6c69824fd9f455e

SHA512
f44b52902561a8cc34e0e8869440881c60d78ed74c4ac0c09da80e6b95219eb6899d2dd748d108ceb44cd79b0128ec953e1780c8e21eced4a8212ef51aeda8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEAoAsMs.bat
Filesize
4B

MD5
0078b97fa2cb62d008eff2f398f539ec

SHA1
77b206b8747441f7a96d7092a6d8bfacf431ea4c

SHA256
fadc54348d0cff94a5036c734886a1ca3fd75392315ea7e33bf7a0bd01d5bb96

SHA512
4ac23407c74812f1d6e037ac8c2e14595287f56c6b771ffdf22af230587169c19282dd76623e11d9057f63ab5901a980c82be1e318afc405d4186b6560535586

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEgEkgE.bat
Filesize
4B

MD5
1966442148c597701eab710231981c7c

SHA1
1cdff7ebe604790c7e3fe21f746866a84c0f1ba0

SHA256
bb146e4ee15da5be647986d34be15f594cd05a1762e350e33312f173d93f9b23

SHA512
4125219fef5d1e3009f4b34f1cf5ae6e701ddbc97ef0fc03a1e2a4f28622abf0ae218de99fc9755ab816bd311fb6f0aeaf2ac2a64dfe381bd817e065485e5c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiYIsgco.bat
Filesize
4B

MD5
a5e1ae798b623dbdfafea20279c2b460

SHA1
4defd43c8ee4c2e5f15c6a11b7325d2619ec78a7

SHA256
b3060b546f13798637d5e63f51e0f0e3fc3e71be0cd72392d5b8fa3c11ef9f1c

SHA512
281a1e1fcd34dbe9e277c23978c733b980eb632e67aceabde40633231823d275b3717aa707e257ad519a16b86525ce57b5375daade85c040f921e3e509bad858

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMUscwww.bat
Filesize
4B

MD5
8a36dd86dc692de485681db11281fceb

SHA1
80b70c9c5fdde7a0b2a772495025f721f1c30777

SHA256
a1d8c5a09ad5939987c5ae6239cb1bf48875c2de536eba0207cfa6b690840b1b

SHA512
cb8df11a575f49aa06ca859d9bb60adca57da7d9841423a574bce2ab593d500fcab88aee42318a033e1fc06ca11c6c40657424fd0981cafbf77524018f24a94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYEwIAE.bat
Filesize
4B

MD5
108891eb105c5ec777efb97d0a44a752

SHA1
a492e4a6a47be2d006e7ab3011e355ff5a200584

SHA256
7b853931dbf299b4004487594c0fafb9410a51386f34685a53197d65492c9fc8

SHA512
7298152a64b2284d2d9a18c55b30bb66d5f8332cfba0094fd122d1d3cd622cd97fe49686319804cd62b0985f79b17eadc191c93197e54efc9c23da118731e5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WewAgIMg.bat
Filesize
4B

MD5
f94707c4e6d3fceffeb86b9519afb39b

SHA1
d1480cea47db9d3f38849f1c96798ad5b2896984

SHA256
dcd86bee07ccf6f2a502cc73c93051fc64c53adafb4691ae2c2d7aa4bb6bf6ea

SHA512
75e616847c2d48ac0e918fb79a49f33a31e4817d3fc1f4233a5363f4ab6fd80a1230aa5ac94abab9c0b9356cf1e6286a857b7a77f5920faeed06055a8b0fa277

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGkokcUY.bat
Filesize
4B

MD5
64e30cbcd4d643f20d93607d298bcefd

SHA1
74dc11070d332450e2031f067f32758771964b33

SHA256
193bd5ca55d2628d06be207841952e373e470923fc1b5211cbee8a69cb27757c

SHA512
ed51926ccc860536e1a71af8b2e7a785ddbb2a16fcbf6d5b7932377d6726ab2525022322a7b100d9bfc411c119ceaa3bb0896fc57c93dfa46ba1d9ebd8b9e4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWQMAwAY.bat
Filesize
4B

MD5
18ed65dd13d16f42b60b2eab97dbb79e

SHA1
d807e0778c5c9de6b02c291d9169c7fdcaaeb3f4

SHA256
189dabf97966db16c33c63fe2d3903d2663e9b2cfc76ecdd3b371a7b7e928edb

SHA512
efe2bac02fe22052c174b29e1266ec8807edb4c2ef0f49b3e384556eb04a11370dbc0c022b90185cf733622266757aa71791bf54b35456f41e03f547d4bfe2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aizexndg.veh\Endermanch@Petya.A.exe
Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCQUQsUg.bat
Filesize
4B

MD5
fe9b67781ea0a3538418d02e25aa4d39

SHA1
5ffaa787ac08c89086febb1b3916367ae8d1fab6

SHA256
07b267e0b282d1e0b2bfc9728808ed30be8081ba1a537bce5e65e953e1673d4b

SHA512
056de38857c52321a93e59f58f69694fae53f08b802cdfcc907ff2d43beb2de9cd4eecf0e9360874aa5fcc813b308bcaae9fa2f19219233e52d66f44ec2dc7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\beQcMgsk.bat
Filesize
4B

MD5
6a575549ed19859f7e44f5c0b1a30732

SHA1
4592e4fcd05c43ed8eb6fb2769e36362162cb673

SHA256
fd41db5abbd23dd2878ce90319ee62df8aa3d2a15ab6a0f2080f40bdc157dea4

SHA512
a681c893b2532ab513d0d997828a5375223c084e10b905e527c8ed54d1ccba5d564be0591b2d20dbb5763b6f29e06ce994a96c90685fb0f0db02f7e2b39cf7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5kz2ewg.1ic\Endermanch@Cerber5.exe
Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5kz2ewg.1ic\Endermanch@Cerber5.exe
Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5kz2ewg.1ic\Endermanch@Cerber5.exe
Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr2gsskz.bbq\Endermanch@Krotten.exe
Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr2gsskz.bbq\Endermanch@Krotten.exe
Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr2gsskz.bbq\Endermanch@Krotten.exe
Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiQsEMgg.bat
Filesize
4B

MD5
8116e463caae4ca243f9da87cca13094

SHA1
d105c5604869db01a9504242a4fea4e31a519972

SHA256
2b6e056048373435403e04cb08e70483bd1f56014abfa5fa7f6f5bdcedfa2118

SHA512
a487a147b1fc1bf84ac1d32518788d40856ee37c38f11f493c136278261e4dc558bc5c50b9caa0b21b293d922a1dff6b2777749b54b1dbfbe4c80b4e267bb4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f11uihd0.bbw\Endermanch@WinlockerVB6Blacksod.exe
Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f11uihd0.bbw\Endermanch@WinlockerVB6Blacksod.exe
Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock
Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnqtf1ca.etn\Endermanch@ViraLock.exe
Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowAIcUQ.bat
Filesize
4B

MD5
cc296faca3e1d1499e383a182e4e5e65

SHA1
db03f0897198dc3136ea3b5ae1f0f3c8e4337bfa

SHA256
6ffebc3a6260fe229cdc70c87cdca0f817ba8a959806777dddc95c1c7ca1ce17

SHA512
b1692c8443fffdd97cecd175d032af6d261240d4da3cbb80c98ec9e08d46ec9bb6bee1c4bc7256d9fae713a6a0d7484648162e800ccba899525e4200d399f5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\goYAwsUQ.bat
Filesize
4B

MD5
fae3f1dfd9f3692bc4ec372e9f8beaf0

SHA1
470c9d5547bb446a7c746eb5d60cdf370964ed5b

SHA256
3aeb7d47eb2c5f68299c1f10d91bc007d307456e188e67168c9311d19b641c84

SHA512
6894ee5bb424578b3275789ed31fc11c90939fef0174afb9cfc791db66674e0388e8b9d52205215ba5fafc02e03aa0a4d6aa71b0d43d83439cdbb17475944e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifzowzp5.veb\Endermanch@Birele.exe
Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifzowzp5.veb\Endermanch@Birele.exe
Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jubazenl.vfs\Endermanch@DeriaLock.exe
Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\jubazenl.vfs\Endermanch@DeriaLock.exe
Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwqbiyut.njb\Fantom.exe
Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGEMgoIU.bat
Filesize
4B

MD5
01005a8015259c4fd631eea6efa5bc08

SHA1
f5ec52440a7106fa20486ade31f7fd493265b821

SHA256
c6697bce66110126ede4096b791b4c7919f81bb5c0c4786e58c44c13604b8a76

SHA512
b350e6426fa4c456156009524c943e367ae4c82df819b2be35f2ab46bd3aa0ebe29f10e6073498c6752899ab1855dd77deb09fc52ee7b7c3997d267e3b758e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkIUUkMU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkIUUkMU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGAcIscM.bat
Filesize
4B

MD5
d9a37dfd1fcebaf68a9e226317a79ae6

SHA1
66015a08f5b853bbe234775d9508db4411e2d5c3

SHA256
5102d76c21227fffe0f853dd065bb0da7e08633466889542c267afaa230e23e6

SHA512
0b4455d54d0a0d7c7d6d02f42963594d1d014a662e39d0a9680660f77e48a9be02b6f5f7beb4e343a16bf88b720eea01f97f5073014e8713e5aa53fb3e59f9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUQkEQwI.bat
Filesize
4B

MD5
627be61714f713105380aa4a5066cf73

SHA1
baa7629ae3f8c22dc0d5b5b4cc97fa6817076d74

SHA256
6ca494d1e182fbf0db780e498476f4a2980bbc1bf7df0f75f8e5a18cd18332c9

SHA512
5df8fef7bd64d1d8ebd4ce6000da74e99468a50708b4c1c56edaef35716a28d9b49144149ee3e1221e78cfea181ca7cc774df01b1acb295eaac40c5d62c39597

Download Submit
C:\Users\Admin\AppData\Local\Temp\oicYEsUM.bat
Filesize
4B

MD5
6361654452ac014fc61703a5a12b2a4e

SHA1
084e274be56043e080d8728ccd661efb73a8b031

SHA256
80f0f2c4872a50259d60080ce064c2e3671b63829c3c092010925df3ef74ee86

SHA512
ce70bac4ba4032ce25ea9405c466eb4877bf1867de5e223b30288c79c35b8cd5b46b33d51b0fb8fa43c0e6b3484ebf7a2a26f4310ff984415ce425f21d5aa207

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgoIoQEk.bat
Filesize
4B

MD5
b61f60fab28da15e56c793d63a9d9f8e

SHA1
ceb2a2c1860d34c157e31eb96f15c5863f9c1200

SHA256
7230e6684af0b8fdb9151cd060c29e367fc6f90626dd3919fc52c56b0380c430

SHA512
8e72eaa18fc9b1ce8db9a7a58fd87560e60192524a772b5b8607097e2b0c2c172e0d8db6fe0521ee24f276ef2f74d0d8890106dc64aab7e0df3bd38be0808870

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkw1on2c.4tx\Endermanch@NoMoreRansom.exe
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkw1on2c.4tx\Endermanch@NoMoreRansom.exe
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkw1on2c.4tx\Endermanch@NoMoreRansom.exe
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsAU.exe
Filesize
1.2MB

MD5
d85e9dc0e825365842dae2eb4dbe02ec

SHA1
d287d1583489d29e3d599b75c4c35bad8b60d7e3

SHA256
4a909d4bab81a0cfa8beb59561b5267d62da3575415d7e9aaaaec2e27275516c

SHA512
93d133e5265361d9682b5dc5694566554cb6898675fdcc362b6fbb3988d3e974a52236c95f81cdbfa51e0d4ef96aa315fd76dade1b3fcdace58042276191f78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzd5qvun.jbj\Endermanch@AntivirusPro2017.exe
Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxtjy2yq.f3p\Endermanch@Xyeta.exe
Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbn0n1zb.hcz\285381678546154.bat
Filesize
366B

MD5
64473f66cd6919ea9365f8b89e976fb1

SHA1
3ec620a487eb4f552201af042d886edc72a25ece

SHA256
30b5e62df10b9eb7fec456a7bbcfdd9e82b59ddc0ca41feabf1559c6c3f5c8cf

SHA512
5669e11f8a3a565d4ca25773d3ba7f4e94d0cfca54df330d9efe7dc1a887ccbbb988352ec2ad2f1accb326e32e30cfedc49ada65ded278267362c2f37195731f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbn0n1zb.hcz\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyUkcUkY.bat
Filesize
4B

MD5
ed8496d27af14e9f0da1edd85bba49ce

SHA1
bccd82195d8b7d50631c6fbbfa31ecd719af294a

SHA256
fb194b6cffb624e99f63a57b987126e556a37164153441bbbd02afbedddff91f

SHA512
dec4cc26f261074f8babb5a9fced099fd06c49a5f99dd221a4ccd8741fe14466cffcf6861cca759f8ae0453a84d4f3a440523ded593395f5a408ae5f0d12b046

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygEQYAQk.bat
Filesize
4B

MD5
9038a3c8c154237aad96e990784818d5

SHA1
a9aae3744f9fcb59f14010c6b29f122ad9495475

SHA256
ed6b500df0ad30d56b148914027b7fc2d11de78109d69bc99fa55b2fe043efca

SHA512
b94806d815c6b3c3c6d7ab0ae394a0234bd1a0b7f3f835823ae6fa1ae15cf95c1a2de4bd67380a8fdbe00120eae3b473fd29dd2f0fc8b6d210236fb133d1c115

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.exe
Filesize
187KB

MD5
09e2327f625e9ba4628e2cef87ad9af8

SHA1
db1a7cce8cbbad524fee68b0dab92263d5e5f370

SHA256
aa296f28a1fe895e96e0e383745df2c0ec79e09d306ae528c311f19994695cb7

SHA512
e6c870be11c66ef6469bceb1df5043cbcfc0030a50c6cef828683b76a06bf9f5d6cdf61594f8d08216904a64473750594757acdd0038dfa963a5f68a7a7385a1

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.exe
Filesize
187KB

MD5
09e2327f625e9ba4628e2cef87ad9af8

SHA1
db1a7cce8cbbad524fee68b0dab92263d5e5f370

SHA256
aa296f28a1fe895e96e0e383745df2c0ec79e09d306ae528c311f19994695cb7

SHA512
e6c870be11c66ef6469bceb1df5043cbcfc0030a50c6cef828683b76a06bf9f5d6cdf61594f8d08216904a64473750594757acdd0038dfa963a5f68a7a7385a1

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
fdc712579350e34da4e912cf04be90ad

SHA1
cd5bbf91221c3203a70dd47a510ce2489e80be96

SHA256
8f16b79fcf7cc5292e06494597df319a45627b65a83c88d3a8fd80623aee3e1b

SHA512
f3cdc6d3a03d27375936f894116aee7a9553aa6204667eb5f10314af18caebd34dbf9dc4d29f475c848d16907969601a09485d9d9d92fed33c90ed29e60c9125

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
de25f144c235268103776a3c545f24ec

SHA1
d9beb07d8d3fb82c5899ce34e3eac537442ed0c7

SHA256
104a1e7c00a62d9e516dda06f64bf8a99d6a2b5db5b8232004eae4d05f9cecb1

SHA512
f5859f47bd4d655bb849f86bd196b35cd846ab7a0d4645f3a84cbdb90247b5794d1b3c0ec03fb2390b15d763a2391266aae2274eda006e270beac0007719f59f

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
b0dda99359087118c20c43481c337f4e

SHA1
49195e55ab6741997075de791d6786bb66df8267

SHA256
63f2c74c6e6d692524bffd4c3b601b1954379194909a329f3c94bc9c699f63aa

SHA512
43257cf4fa33094e97b78b9e5280719e4fd88823634725a9d4d52798f1fc41c175342b5bcbf535402fca189429c357884bd442caa88ab1d9f676c9e07873dddd

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
f1dd840a2a2231450de9df05d23d925a

SHA1
81c9c179ef31cbabdc3f30d746c798b76ce31bbf

SHA256
320fe51a3f3c1b46e709ec9efd4499bb34a0f4f38c509b77ba488854f4d26c97

SHA512
d4e220e3a56cb9330dc78451f291edc9af606b59435c1f4f1bacaaaff6ef239cd5b3bdee6c207b83ffdb7bafb4cd3f982626241fc7b98c7e4119e7d4e4bd4709

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
ad4db440add7e62023396c43ebdedffd

SHA1
cdf824927933ddfea5d194820736a63a2ce44ce6

SHA256
252e8fe3009f4010152c4e585ec1d5c50c9829f4c4ed72c30afca6a7b5e85f0e

SHA512
9e5d9dc94ffe46d05051f710c8c558c51d79ce15804e5dd2ab43555f499fb0255e59616c1b7bd3dd522881b9dc3ed4c6fa4a83420c5f5dec645d3313d56aa11b

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
36d403653eef2c7820630272777ccf19

SHA1
9a8f776147d12d3f8eacf4b06eac01ab3f4acc2f

SHA256
e5a0f9fd842f493f546e7c369698687b5f806f45325515c26dd9478ceec2db36

SHA512
33e4966b02748457cdb192472dc8d5780eb54ff144650dd0f8e352a8b4a9ba2cd5fa486c9c5568a2a01db79c4e327c93a59da1d84d77e20cd1506c40af7858a2

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
8981968fdf7d603709623364230cc3c5

SHA1
6b960b78c98e17c1b5e61a7f8b22d0c050c2a31b

SHA256
4be47f402de66cf66dea8b1343aa16948ad6befd0721540c24b92872e7a643b8

SHA512
d20159ee7e90eceaa3bb9782f1869d7b88431ec415621d9507a6af63438547940ef183556c03b45e8fc3f9a9b7e6c841f71446eacf51f9e66990e7bf0745a488

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
6b1d3ab83d93b6c9d4897c539464b97b

SHA1
60bf5aee573ebaadb5dada62325b167cb88e3d3d

SHA256
b6f7cc225b0b86f6ea26e3da98fa8e2f9314690d64c3710d572cd0bea9ceb1b0

SHA512
9012c03ae231fea3889c3ebc75c48669776898ace6c59dff8afbf15d9890d1463fd34f77717cc6d2eff97be10953eaee1693bfbc5376677dfd18ebf7f4162336

Download Submit
C:\Users\Admin\fUYgoYsM\TaQwEgMU.inf
Filesize
4B

MD5
c16ae3f29dd88752d635eb402e731830

SHA1
1f8d5b844b7c615188e35540f35503186c53ae18

SHA256
ed969d431c3dbd1a8a168333ac00957e041dfe09f62138887042bd29bad2494c

SHA512
ca2e23022b26a5ccf5918415574f7cbd3fbeb317b550ba2bae89ebc5c331f3835e8df0b89443b50c099b0542f0d188dfba55cf3ecf8415e9606ca25c9d1dd2f7

Download Submit
C:\Windows\infpub.dat
Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\ProgramData\NAoUAcYg\KqwMscwU.exe
Filesize
185KB

MD5
485f91cfd494871e1e3aff9dd1fcd725

SHA1
98d3cfed819dae147893cfe9b6ad6015b94938f4

SHA256
5573d4e4375d3f2f5ca46edde6d55e9b0d8efed5bbd53e1c0c58e933916978e9

SHA512
c10291ba7c3660693dcd644ce0c09dcb556be5a57c9d59c8c183a5146fab0e763865f0b5d4e83c778b3c3d4abeea185dcef5ac65b49bfd5a681a18838931c111

Download Submit
\ProgramData\NAoUAcYg\KqwMscwU.exe
Filesize
185KB

MD5
485f91cfd494871e1e3aff9dd1fcd725

SHA1
98d3cfed819dae147893cfe9b6ad6015b94938f4

SHA256
5573d4e4375d3f2f5ca46edde6d55e9b0d8efed5bbd53e1c0c58e933916978e9

SHA512
c10291ba7c3660693dcd644ce0c09dcb556be5a57c9d59c8c183a5146fab0e763865f0b5d4e83c778b3c3d4abeea185dcef5ac65b49bfd5a681a18838931c111

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\AppData\Local\Temp\f3o0wcdm.od2\Endermanch@PolyRansom.exe
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
\Users\Admin\fUYgoYsM\TaQwEgMU.exe
Filesize
187KB

MD5
09e2327f625e9ba4628e2cef87ad9af8

SHA1
db1a7cce8cbbad524fee68b0dab92263d5e5f370

SHA256
aa296f28a1fe895e96e0e383745df2c0ec79e09d306ae528c311f19994695cb7

SHA512
e6c870be11c66ef6469bceb1df5043cbcfc0030a50c6cef828683b76a06bf9f5d6cdf61594f8d08216904a64473750594757acdd0038dfa963a5f68a7a7385a1

Download Submit
\Users\Admin\fUYgoYsM\TaQwEgMU.exe
Filesize
187KB

MD5
09e2327f625e9ba4628e2cef87ad9af8

SHA1
db1a7cce8cbbad524fee68b0dab92263d5e5f370

SHA256
aa296f28a1fe895e96e0e383745df2c0ec79e09d306ae528c311f19994695cb7

SHA512
e6c870be11c66ef6469bceb1df5043cbcfc0030a50c6cef828683b76a06bf9f5d6cdf61594f8d08216904a64473750594757acdd0038dfa963a5f68a7a7385a1

Download Submit
memory/432-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-148-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/512-338-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/772-134-0x0000000001100000-0x000000000113C000-memory.dmp

Filesize
240KB

Download
memory/864-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/864-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-113-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1228-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1296-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1296-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1348-206-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-190-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-166-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-192-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-194-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-135-0x00000000004E0000-0x0000000000512000-memory.dmp

Filesize
200KB

Download
memory/1348-136-0x00000000046B0000-0x00000000046E2000-memory.dmp

Filesize
200KB

Download
memory/1348-150-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1348-174-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-281-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1348-282-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1348-178-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-182-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-184-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-188-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-151-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1348-158-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-170-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-162-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-196-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-200-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-157-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-160-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-164-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-168-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-202-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-172-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-210-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-176-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-208-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-180-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-204-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-198-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1348-186-0x00000000046B0000-0x00000000046DB000-memory.dmp

Filesize
172KB

Download
memory/1464-452-0x0000000000740000-0x0000000000779000-memory.dmp

Filesize
228KB

Download
memory/1464-451-0x0000000000740000-0x0000000000779000-memory.dmp

Filesize
228KB

Download
memory/1496-75-0x00000000002B0000-0x0000000000318000-memory.dmp

Filesize
416KB

Download
memory/1496-90-0x00000000002B0000-0x0000000000318000-memory.dmp

Filesize
416KB

Download
memory/1568-415-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-513-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-615-0x0000000001F50000-0x0000000001F89000-memory.dmp

Filesize
228KB

Download
memory/1572-309-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/1800-131-0x0000000000C30000-0x0000000000CB2000-memory.dmp

Filesize
520KB

Download
memory/1856-453-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1856-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1860-294-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1860-327-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1860-293-0x0000000001DC0000-0x0000000001E8E000-memory.dmp

Filesize
824KB

Download
memory/1916-374-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1916-375-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1916-617-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-454-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-579-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1980-336-0x0000000000460000-0x0000000000490000-memory.dmp

Filesize
192KB

Download
memory/1980-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1980-678-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1980-337-0x0000000000460000-0x0000000000490000-memory.dmp

Filesize
192KB

Download
memory/1980-355-0x0000000000460000-0x0000000000490000-memory.dmp

Filesize
192KB

Download
memory/1980-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1980-347-0x0000000000460000-0x0000000000490000-memory.dmp

Filesize
192KB

Download
memory/1980-616-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2044-57-0x00000000005C0000-0x00000000005F8000-memory.dmp

Filesize
224KB

Download
memory/2044-111-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/2044-55-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2044-54-0x0000000000FE0000-0x000000000100C000-memory.dmp

Filesize
176KB

Download
memory/2044-58-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/2044-56-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2088-524-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/2088-523-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/2164-525-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-557-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-652-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-561-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-736-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2448-632-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2448-583-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2504-560-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2716-667-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2716-618-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2740-582-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/2760-735-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/2852-714-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download