According to malware analysis reports from ANY.RUN , the executable performs the following actions:
: Modern EDR tools can flag the suspicious use of WMIC.EXE and TASKKILL.EXE that this malware relies on.
: Frequently identified under PID 2900 or 1876 in sandboxed environments.
: It modifies the Windows Registry to change the login/logoff helper path and creates files in the Startup directory to ensure it runs every time the computer boots.
: Since this malware targets system files and startup configurations, having a clean system image is the fastest way to recover.
: In many instances, the final stage of the payload involves a forced system shutdown or reboot , often leaving the OS in a corrupted state. 🚩 Key Indicators of Compromise (IoCs) File Name : Endermanch@000.exe Type : Generic CIL Executable (.NET/Mono)
According to malware analysis reports from ANY.RUN , the executable performs the following actions:
: Modern EDR tools can flag the suspicious use of WMIC.EXE and TASKKILL.EXE that this malware relies on.
: Frequently identified under PID 2900 or 1876 in sandboxed environments.
: It modifies the Windows Registry to change the login/logoff helper path and creates files in the Startup directory to ensure it runs every time the computer boots.
: Since this malware targets system files and startup configurations, having a clean system image is the fastest way to recover.
: In many instances, the final stage of the payload involves a forced system shutdown or reboot , often leaving the OS in a corrupted state. 🚩 Key Indicators of Compromise (IoCs) File Name : Endermanch@000.exe Type : Generic CIL Executable (.NET/Mono)