wannacry | 5f5ff4b40cbcaa1922811c43aaab17d6a71207e7775ed8bc68ae47a4463eb7be

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe

Modifies visibility of file extensions in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 15 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerPoint Presentation.exe	PowerPoint Presentation.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3C08.tmp	EndermanchWannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3C0F.tmp	EndermanchWannaCrypt0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerPoint Presentation.exe	PowerPoint Presentation.exe

Executes dropped EXE 25 IoCs

pid	Process
4712	EndermanchXyeta.exe
3764	EndermanchWinlockerVB6Blacksod.exe
680	EndermanchWannaCrypt0r.exe
1428	taskdl.exe
4872	@[email protected]
1780	@[email protected]
2504	taskhsvc.exe
1996	EndermanchPolyRansom.exe
2380	HyQUYMck.exe
1392	YOkUoIgg.exe
3508	EndermanchPolyRansom.exe
2840	EndermanchPolyRansom.exe
644	EndermanchPolyRansom.exe
2456	EndermanchPolyRansom.exe
1528	EndermanchPolyRansom.exe
4780	EndermanchPolyRansom.exe
1156	EndermanchPolyRansom.exe
3332	EndermanchPolyRansom.exe
2188	EndermanchPolyRansom.exe
1016	EndermanchPolyRansom.exe
2364	EndermanchPolyRansom.exe
2324	EndermanchPolyRansom.exe
3404	EndermanchPolyRansom.exe
4280	EndermanchPolyRansom.exe
3424	EndermanchPolyRansom.exe

Loads dropped DLL 24 IoCs

pid	Process
3764	EndermanchWinlockerVB6Blacksod.exe
3764	EndermanchWinlockerVB6Blacksod.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4896	MsiExec.exe
4624	MsiExec.exe
3764	EndermanchWinlockerVB6Blacksod.exe
4624	MsiExec.exe
2504	taskhsvc.exe
2504	taskhsvc.exe
2504	taskhsvc.exe
2504	taskhsvc.exe
2504	taskhsvc.exe
2504	taskhsvc.exe
2504	taskhsvc.exe
2504	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5112	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\HyQUYMck.exe = "C:\\Users\\Admin\\eUYUMEQQ\\HyQUYMck.exe"	EndermanchPolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YOkUoIgg.exe = "C:\\ProgramData\\gEkQcwMk\\YOkUoIgg.exe"	EndermanchPolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YOkUoIgg.exe = "C:\\ProgramData\\gEkQcwMk\\YOkUoIgg.exe"	YOkUoIgg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\HyQUYMck.exe = "C:\\Users\\Admin\\eUYUMEQQ\\HyQUYMck.exe"	HyQUYMck.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	4624	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\S:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\K:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\M:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\Y:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\Z:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\N:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\U:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\W:	EndermanchWinlockerVB6Blacksod.exe
File opened (read-only)	\??\V:	msiexec.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
2	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	EndermanchWannaCrypt0r.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000002589e-427.dat	upx
behavioral1/memory/4712-430-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/4712-432-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e60c6ee.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC89A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e60c6ee.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC73C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC849.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7217658B967AF1E9.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5EE0F91C6029FD34.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8DA.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE24EDEBA36AF92C6.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC809.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC878.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC889.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC91A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC94A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC979.tmp	msiexec.exe
File created	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSICA07.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC13E4C50BF9AE8ED.TMP	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3288	4712	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EndermanchWinlockerVB6Blacksod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EndermanchWannaCrypt0r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EndermanchPolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YOkUoIgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HyQUYMck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EndermanchPolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EndermanchPolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EndermanchPolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EndermanchPolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3876	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	calc.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
2008	reg.exe
5100	reg.exe
4392	reg.exe
904	reg.exe
3144	reg.exe
1804	reg.exe
4392	reg.exe
4580	reg.exe
1312	reg.exe
2792	reg.exe
3332	reg.exe
1748	reg.exe
3304	reg.exe
1924	reg.exe
3788	reg.exe
952	reg.exe
4992	reg.exe
1664	reg.exe
2104	reg.exe
3416	reg.exe
1820	reg.exe
2932	reg.exe
1808	reg.exe
1112	reg.exe
3172	reg.exe
2612	reg.exe
3884	reg.exe
2004	reg.exe
3232	reg.exe
3080	reg.exe
792	reg.exe
3976	reg.exe
3684	reg.exe
3368	reg.exe
4392	reg.exe
732	reg.exe
976	reg.exe
4744	reg.exe
4744	reg.exe
1780	reg.exe
2072	reg.exe
1040	reg.exe
1740	reg.exe
644	reg.exe
2236	reg.exe
5080	reg.exe
900	reg.exe
2212	reg.exe
3180	reg.exe
2456	reg.exe
2780	reg.exe
860	reg.exe
1332	reg.exe
2472	reg.exe
3676	reg.exe
1900	reg.exe
2296	reg.exe
2888	reg.exe
1384	reg.exe
1288	reg.exe
2028	reg.exe
5112	reg.exe
3324	reg.exe
5060	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	PowerPoint Presentation.exe
2556	PowerPoint Presentation.exe
1384	msedge.exe
1384	msedge.exe
2448	msedge.exe
2448	msedge.exe
1108	msedge.exe
1108	msedge.exe
3964	identity_helper.exe
3964	identity_helper.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
2556	PowerPoint Presentation.exe
2556	PowerPoint Presentation.exe
2556	PowerPoint Presentation.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
376	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	PowerPoint Presentation.exe
Token: 33	1612	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1612	AUDIODG.EXE
Token: SeDebugPrivilege	376	Taskmgr.exe
Token: SeSystemProfilePrivilege	376	Taskmgr.exe
Token: SeCreateGlobalPrivilege	376	Taskmgr.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeSecurityPrivilege	4892	msiexec.exe
Token: SeCreateTokenPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeAssignPrimaryTokenPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeLockMemoryPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeIncreaseQuotaPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeMachineAccountPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeTcbPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeSecurityPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeTakeOwnershipPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeLoadDriverPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeSystemProfilePrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeSystemtimePrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeProfSingleProcessPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeIncBasePriorityPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeCreatePagefilePrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeCreatePermanentPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeBackupPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeRestorePrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeDebugPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeAuditPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeSystemEnvironmentPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeChangeNotifyPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeRemoteShutdownPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeUndockPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeSyncAgentPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeEnableDelegationPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeManageVolumePrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeImpersonatePrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeCreateGlobalPrivilege	3764	EndermanchWinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeCreateTokenPrivilege	2028	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2028	msiexec.exe
Token: SeLockMemoryPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeMachineAccountPrivilege	2028	msiexec.exe
Token: SeTcbPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeLoadDriverPrivilege	2028	msiexec.exe
Token: SeSystemProfilePrivilege	2028	msiexec.exe
Token: SeSystemtimePrivilege	2028	msiexec.exe
Token: SeProfSingleProcessPrivilege	2028	msiexec.exe
Token: SeIncBasePriorityPrivilege	2028	msiexec.exe
Token: SeCreatePagefilePrivilege	2028	msiexec.exe
Token: SeCreatePermanentPrivilege	2028	msiexec.exe
Token: SeBackupPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeDebugPrivilege	2028	msiexec.exe
Token: SeAuditPrivilege	2028	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2028	msiexec.exe
Token: SeChangeNotifyPrivilege	2028	msiexec.exe
Token: SeRemoteShutdownPrivilege	2028	msiexec.exe
Token: SeUndockPrivilege	2028	msiexec.exe
Token: SeSyncAgentPrivilege	2028	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe
376	Taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2556	PowerPoint Presentation.exe
1212	OpenWith.exe
1456	OpenWith.exe
4872	@[email protected]
4872	@[email protected]
1780	@[email protected]
1780	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3028	2556	PowerPoint Presentation.exe	78
PID 2556 wrote to memory of 3028	2556	PowerPoint Presentation.exe	78
PID 3028 wrote to memory of 2088	3028	cmd.exe	80
PID 3028 wrote to memory of 2088	3028	cmd.exe	80
PID 864 wrote to memory of 2448	864	explorer.exe	82
PID 864 wrote to memory of 2448	864	explorer.exe	82
PID 2448 wrote to memory of 1712	2448	msedge.exe	85
PID 2448 wrote to memory of 1712	2448	msedge.exe	85
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 4568	2448	msedge.exe	86
PID 2448 wrote to memory of 1384	2448	msedge.exe	87
PID 2448 wrote to memory of 1384	2448	msedge.exe	87
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88
PID 2448 wrote to memory of 732	2448	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1984	attrib.exe
4616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PowerPoint Presentation.exe
"C:\Users\Admin\AppData\Local\Temp\PowerPoint Presentation.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C explorer https://niggafart.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\explorer.exe
    explorer https://niggafart.com
    3⤵
    PID:2088
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C https://watchpeopledie.tv
  2⤵
  PID:2932
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start notepad
  2⤵
  PID:1432
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2756
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start https://www.blackmen.com
  2⤵
  PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.blackmen.com/
    3⤵
    PID:1484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa39a03cb8,0x7ffa39a03cc8,0x7ffa39a03cd8
      4⤵
      PID:4536
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C calc.exe
  2⤵
  PID:2176
- - C:\Windows\system32\calc.exe
    calc.exe
    3⤵
    - Modifies registry class
    PID:1116
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start calc.exe
  2⤵
  PID:200
- - C:\Windows\system32\calc.exe
    calc.exe
    3⤵
    - Modifies registry class
    PID:3380
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start taskmgr
  2⤵
  PID:860
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:376
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C taskkill -f -im msedge.exe
  2⤵
  PID:3976
- - C:\Windows\system32\taskkill.exe
    taskkill -f -im msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start msedge niggaballs.com
  2⤵
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\EndermanchXyeta.exe
  "C:\Users\Admin\AppData\Local\Temp\EndermanchXyeta.exe"
  2⤵
  - Executes dropped EXE
  PID:4712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 472
    3⤵
    - Program crash
    PID:3288
- C:\Users\Admin\AppData\Local\Temp\EndermanchWinlockerVB6Blacksod.exe
  "C:\Users\Admin\AppData\Local\Temp\EndermanchWinlockerVB6Blacksod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\EndermanchWinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Users\Admin\AppData\Local\Temp\EndermanchWannaCrypt0r.exe
  "C:\Users\Admin\AppData\Local\Temp\EndermanchWannaCrypt0r.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:680
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1984
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5112
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 125121729240434.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:432
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2236
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4616
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
- C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
  "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1996
- - C:\Users\Admin\eUYUMEQQ\HyQUYMck.exe
    "C:\Users\Admin\eUYUMEQQ\HyQUYMck.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\ProgramData\gEkQcwMk\YOkUoIgg.exe
    "C:\ProgramData\gEkQcwMk\YOkUoIgg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
      C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        6⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        9⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        10⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        11⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        13⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        14⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        15⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        17⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        18⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        19⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        20⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        22⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        24⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        25⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        26⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        27⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        29⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        30⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        31⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        32⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        33⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        34⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        35⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        36⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        37⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        38⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        39⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        40⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        41⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        42⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        43⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        44⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        45⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        46⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        47⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        48⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom"
        49⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom
        50⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        Modifies registry key
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeAgcAQw.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        49⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miAsowsE.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        47⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        Modifies registry key
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeIcQkAs.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        45⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWYkMMYw.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        43⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYEUcgsM.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        41⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMEQAAkM.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        39⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        Modifies registry key
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWwIkAYA.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        37⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies registry key
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekkgUsAE.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        35⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies registry key
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqsUIQcU.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        33⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOIMAkco.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        31⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUwAYwEY.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUQksEQ.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsAwsQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        25⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        Modifies registry key
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyIEMMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        23⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMEQgcQU.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        21⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIMwUEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        19⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGgYAUwo.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        17⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        Modifies registry key
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQIMYUIo.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        15⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGssggYA.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        13⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiEgIMss.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        11⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuEUokIM.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQscYssM.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        7⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGEkwwko.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:3368
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3416
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOAkwIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\EndermanchPolyRansom.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4736
- C:\Users\Admin\AppData\Local\Temp\EndermanchPetya.A.exe
  "C:\Users\Admin\AppData\Local\Temp\EndermanchPetya.A.exe"
  2⤵
  PID:2648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://niggafart.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa39a03cb8,0x7ffa39a03cc8,0x7ffa39a03cd8
    3⤵
    PID:1712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1804 /prefetch:2
    3⤵
    PID:4568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
    3⤵
    PID:732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4900 /prefetch:8
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
    3⤵
    PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    3⤵
    PID:1972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:1520
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5904 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,1845118895192238441,14633022782140944210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:2340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4712 -ip 4712
1⤵
PID:2964

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 97979F9FCF46F7819B4071D18C793335
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:4624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1554EF7ADBC73C4EC25393AA1A577D8C E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2612 -ip 2612
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2104 -ip 2104
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery