Malware Analysis Report

2024-11-16 12:44

Sample ID 240302-zexc2shb7s
Target MyMalwareDatabase-main (1).zip
SHA256 d9a8b6007b6a59cf3a03d2fe52fe0e9b5e718e4c74c15f788d8ee2132bd083ea
Tags
discovery evasion exploit persistence trojan ransomware bootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9a8b6007b6a59cf3a03d2fe52fe0e9b5e718e4c74c15f788d8ee2132bd083ea

Threat Level: Known bad

The file MyMalwareDatabase-main (1).zip was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence trojan ransomware bootkit upx

Modifies WinLogon for persistence

UAC bypass

Possible privilege escalation attempt

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Checks computer location settings

UPX packed file

Modifies system executable filetype association

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Checks whether UAC is enabled

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Modifies registry class

Modifies File Icons

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Control Panel

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Kills process with taskkill

Modifies registry key

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 20:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1337\Frog.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe"

C:\Users\Admin\AppData\Roaming\1337\Frog.exe

"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nso8FDE.tmp\System.dll

MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

C:\Users\Admin\AppData\Roaming\1337\Frog.exe

MD5 498b332266cedcf8cbd7567c4a39bcbd
SHA1 281331dc3fcdc6a821c4b15e71b7bd41603534ed
SHA256 aea78dc8b3d694a84f73eb3ff8c366874d81f74e46e92b67d12aab112f58fff9
SHA512 6abbd75cc70adf6acb10bca9d981f9eb62ccaf9125ad721fb3668d99220e70fd24467badc65168e88cbcb2850e15e294843d0b231897597239126bc9d00022f7

C:\Users\Admin\AppData\Roaming\1337\Frog.exe

MD5 41e75c80873b0ca18d56ddaba4c5aadd
SHA1 1d0423d6e66a4739db22939e1c16bcdc7eaa9746
SHA256 b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec
SHA512 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530

memory/1732-19-0x0000000002590000-0x0000000002591000-memory.dmp

C:\Users\Admin\AppData\Roaming\1337\php5ts.dll

MD5 c9aff68f6673fae7580527e8c76805b6
SHA1 bb62cc1db82cfe07a8c08a36446569dfc9c76d10
SHA256 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
SHA512 c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

memory/1732-24-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-25-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-26-0x0000000002590000-0x0000000002591000-memory.dmp

memory/1732-27-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-28-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-29-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-30-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-31-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-32-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-33-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-34-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-35-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-36-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1732-37-0x0000000000400000-0x000000000064F000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

Network

N/A

Files

memory/1648-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1648-3-0x0000000002440000-0x0000000002441000-memory.dmp

memory/1648-4-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1648-5-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1648-6-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1648-7-0x0000000002440000-0x0000000002441000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
GB 142.250.200.10:443 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp

Files

memory/760-0-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/760-3-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-4-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-5-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/760-6-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-7-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-8-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-9-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-10-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-11-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-12-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-13-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-14-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-15-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-16-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-17-0x0000000000400000-0x000000000064F000-memory.dmp

memory/760-18-0x0000000000400000-0x000000000064F000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

160s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(30).txt

Network

N/A

Files

memory/2688-0-0x0000000000EC0000-0x0000000000FCE000-memory.dmp

memory/2688-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2688-2-0x000000001B220000-0x000000001B2A0000-memory.dmp

C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 7f0df170f9cea3f0bedc79894eb44bdf
SHA1 79a083f09bf614d80543d0c455bb27b031da8adf
SHA256 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738
SHA512 f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c

memory/2688-803-0x000000001B220000-0x000000001B2A0000-memory.dmp

memory/2688-804-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2688-805-0x000000001B220000-0x000000001B2A0000-memory.dmp

memory/2688-806-0x000000001B220000-0x000000001B2A0000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240220-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Disables Task Manager via registry modification

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7327).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7905).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8453).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8904).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9829).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5801).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6638).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6270).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7288).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8602).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8988).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2827).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4276).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8526).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9429).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(357).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2189).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6165).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8463).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1179).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2492).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7487).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8661).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6176).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6545).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8707).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9612).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2871).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3612).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9775).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3484).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3910).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2124).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2234).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2550).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3277).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4538).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6340).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(316).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1335).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8879).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9163).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1201).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6133).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3242).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3783).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7431).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7946).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8359).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6269).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6941).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2178).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8917).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4792).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(844).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3274).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1852).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8224).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9945).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(953).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1611).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4442).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5106).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8289).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\3 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\4 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1412 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1412 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1412 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1408 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1408 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1408 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1408 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2860 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2860 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2860 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2300 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2300 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2300 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2300 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2144 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3012 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3012 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3012 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3012 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2552 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2552 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2552 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3004 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3004 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3004 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3004 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2552 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2552 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2552 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2552 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit

C:\Windows\SysWOW64\net.exe

net user Admin /delete

C:\Windows\SysWOW64\reg.exe

reg delete HKCR

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /delete

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\reg.exe

reg delete HKLM

C:\Windows\SysWOW64\reg.exe

reg delete HKU

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM dwm.exe.exe /F

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM TrustedInstaller.exe.exe /F

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\BCD

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\System32\WUDFHost.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\LogonUI.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\drivers

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\taskmgr.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

Network

N/A

Files

memory/1948-0-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

memory/1948-1-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/1948-2-0x0000000004670000-0x00000000046B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 21ad42bd4156f914d3a265823a1c269c
SHA1 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f
SHA256 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2
SHA512 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a

memory/1948-20478-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/1948-31137-0x0000000004670000-0x00000000046B0000-memory.dmp

memory/1948-80006-0x0000000004670000-0x00000000046B0000-memory.dmp

memory/1948-80027-0x0000000004670000-0x00000000046B0000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\InstallTemp\20240302203941797.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204015993.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204022513.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204022685.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfcm80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80CHT.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76f2f6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204010049.0\vcomp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfc80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203941797.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203940815.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203940815.0\msvcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80ESP.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80FRA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80ITA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204019861.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f2fb.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203938100.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204022420.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302203938100.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204022685.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204022420.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203938100.0\ATL80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203940815.0\msvcp80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80CHS.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80DEU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80KOR.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204010049.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203938100.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f2f6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204019861.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203940815.0\msvcr80.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203940815.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80JPN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204019861.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204010049.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f2f9.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204010049.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204022685.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204022513.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80ENU.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFFF4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204015993.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204022420.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204015993.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76f2f9.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302203941797.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfc80.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302203940815.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF9BC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302203942921.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204022513.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Version = "134278728" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\VC_Redist C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\PackageName = "vcredist.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe C:\Windows\SysWOW64\msiexec.exe
PID 2404 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe C:\Windows\SysWOW64\msiexec.exe
PID 2404 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe C:\Windows\SysWOW64\msiexec.exe
PID 2404 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe C:\Windows\SysWOW64\msiexec.exe
PID 2404 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe C:\Windows\SysWOW64\msiexec.exe
PID 2404 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe C:\Windows\SysWOW64\msiexec.exe
PID 2404 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe C:\Windows\SysWOW64\msiexec.exe
PID 2280 wrote to memory of 1080 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1080 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1080 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1080 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1080 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1080 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1080 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "0000000000000574"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 96A7B617D04703AA51E981DD67BB2914

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

MD5 6dbdf338a0a25cdb236d43ea3ca2395e
SHA1 685b6ea61e574e628392eaac8b10aff4309f1081
SHA256 200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb
SHA512 6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7958f6c69c59d5497f2a966514ecb7c1
SHA1 661354645f2cf74c693996b4e20ad8ec0f49330b
SHA256 2d83d05aaeb21dc6646462cde5fc9352f3c062c65b4cf47517fcafdcb943211f
SHA512 a15ac3a2e8f7a6c4d11ca6f01e1ead43eb5e1a8015349f2226151e8035fe53be1da9efd927fbafed5b8a19923856da0b9ef8b54a777ee6280f2b86efb5c3d8f9

C:\Users\Admin\AppData\Local\Temp\CabF383.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Windows\Installer\MSIF9BC.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

MD5 77a9bff5af149160775741e204734d47
SHA1 7b5126af69b5a79593f39db94180f1ff11b0e39d
SHA256 20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038
SHA512 bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 1516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 1516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 1516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 1516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 1516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 1516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 1516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

94s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/2028-0-0x00007FF7C3360000-0x00007FF7C3386000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe"

Network

N/A

Files

memory/1156-0-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/1156-1-0x0000000000400000-0x00000000005CC000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:39

Platform

win10v2004-20240226-en

Max time kernel

28s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnt32.exe C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
File opened for modification C:\Windows\winnt32.exe C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Mouse C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\AutoColorization = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39ae855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/4812-0-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/4812-1-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/4812-2-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/4812-3-0x0000000000400000-0x00000000005CC000-memory.dmp

C:\Users\Public\Desktop\ྺቿ⭿ၺ༾ಅ⍲൫Ჳ྾Ή᠆✋ᥦᩉᢢࣞⅱⶸ᎜⚄ᇘⒹ᪼⊲╓

MD5 e49f0a8effa6380b4518a8064f6d240b
SHA1 ba62ffe370e186b7f980922067ac68613521bd51
SHA256 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512 de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

memory/4812-179-0x0000000000400000-0x00000000005CC000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\REG.exe N/A

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 3104 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 3104 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 3104 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 3104 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150 0x3f0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3104 -ip 3104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1048

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/3104-0-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3104-1-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:38

Platform

win7-20240221-en

Max time kernel

0s

Max time network

5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe"

Network

N/A

Files

memory/1524-0-0x000000013FD90000-0x000000013FDB6000-memory.dmp

memory/1524-1-0x000000013FD90000-0x000000013FDB6000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

136s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\REGFuck.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\REGFuck.bat"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:38

Platform

win10v2004-20240226-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:38

Platform

win10v2004-20240226-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2808 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/4480-0-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-1-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-2-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-3-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-4-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-5-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-6-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-7-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-8-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-9-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-10-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-11-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-12-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-13-0x0000000000AE0000-0x0000000000B12000-memory.dmp

memory/4480-14-0x0000000000AE0000-0x0000000000B12000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

161s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\REGFuck.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\REGFuck.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x38c 0x384

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/5064-1-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/5064-0-0x0000000000A00000-0x0000000000A46000-memory.dmp

memory/5064-2-0x0000000005A60000-0x0000000006004000-memory.dmp

memory/5064-3-0x00000000054B0000-0x0000000005542000-memory.dmp

memory/5064-4-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/5064-5-0x0000000005450000-0x000000000545A000-memory.dmp

memory/5064-6-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/5064-7-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/5064-8-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/5064-9-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/5064-10-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/5064-11-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/5064-12-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/5064-13-0x00000000053C0000-0x00000000053D0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe"

Network

N/A

Files

memory/2932-0-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-1-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-2-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-3-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-4-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-5-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-6-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-7-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-8-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-9-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-10-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-11-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-12-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-13-0x0000000001340000-0x0000000001372000-memory.dmp

memory/2932-14-0x0000000001340000-0x0000000001372000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

157s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe"

C:\Users\Admin\AppData\Roaming\1337\Frog.exe

"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso9B96.tmp\System.dll

MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

\Users\Admin\AppData\Roaming\1337\Frog.exe

MD5 41e75c80873b0ca18d56ddaba4c5aadd
SHA1 1d0423d6e66a4739db22939e1c16bcdc7eaa9746
SHA256 b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec
SHA512 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530

memory/1724-15-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Roaming\1337\php5ts.dll

MD5 3795c616673a8c7cca3569f1e349878a
SHA1 a460cbf89201a8206c5f20c6bc5f1de9493560c8
SHA256 a3b1386d520ee5fc50f99070d31580f42ef654bddc8e0392d162f53387803720
SHA512 09309711bdc4f0a93879e43f5061a77cd54c7a33e6dc98b159c87f5f5eb4aa676763dab6538bb4ce95a983727496f4dba21d5883efe277b7a354b5032ee6ac9d

\Users\Admin\AppData\Roaming\1337\php5ts.dll

MD5 87ebee0820c5b78783d40d0a11a14cb1
SHA1 4f20d54b8ab61d05b106573e4c5cc2220759c0ab
SHA256 fb25bbd896683326478b14173386fa3cbc2aeafc6cbb16f641a3936a0dc505e5
SHA512 f6cb9e9f60f5486ab5e6ca4a84a054f58f7706f00c8c8b34126dc2318eb8810bce822e1af55f80da1cc6f5ff0c10cfceba8605575bd6870488ad2c8a9ef75e8b

memory/1724-21-0x0000000005900000-0x0000000005901000-memory.dmp

memory/1724-22-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1724-24-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1724-25-0x0000000005900000-0x0000000005901000-memory.dmp

memory/1724-29-0x0000000000400000-0x000000000064F000-memory.dmp

memory/1724-31-0x0000000000400000-0x000000000064F000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3224 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 228

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/448-0-0x000001E4879B0000-0x000001E487ABE000-memory.dmp

memory/448-1-0x00007FF8561B0000-0x00007FF856C71000-memory.dmp

memory/448-2-0x000001E487ED0000-0x000001E487EE0000-memory.dmp

C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 7f0df170f9cea3f0bedc79894eb44bdf
SHA1 79a083f09bf614d80543d0c455bb27b031da8adf
SHA256 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738
SHA512 f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c

memory/448-1202-0x00007FF8561B0000-0x00007FF856C71000-memory.dmp

memory/448-1203-0x000001E487ED0000-0x000001E487EE0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\system32\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Recovery C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\ReAgentc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6873).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7244).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9349).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(47).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(753).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2943).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5354).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1504).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4001).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6777).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7255).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8356).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8889).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(427).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1721).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5731).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7904).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6054).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8721).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7809).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9018).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2655).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3496).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5096).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6206).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8738).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(71).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2622).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3951).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6635).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9927).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(127).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4813).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6120).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8168).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7988).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(998).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1411).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4121).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7871).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6016).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9571).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7102).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1054).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1949).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2064).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6608).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2101).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2369).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5780).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7808).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2429).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3897).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4877).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5301).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2277).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7242).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8020).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2156).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4408).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5476).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5650).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6074).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6196).txt C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{541AAFB6-0992-404A-8AD9-71F50A10B1A4} C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3768 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3768 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3768 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2080 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3628 wrote to memory of 1368 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3628 wrote to memory of 1368 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3628 wrote to memory of 1368 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4016 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2272 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2272 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2272 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3156 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3156 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3156 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 1736 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1736 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1736 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3668 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3668 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3668 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3668 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3668 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3668 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3928 wrote to memory of 8652 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 8652 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 8652 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 7152 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 7152 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 7152 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 8652 wrote to memory of 6984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 8652 wrote to memory of 6984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 8652 wrote to memory of 6984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3928 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 8200 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 8200 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 8200 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit

C:\Windows\SysWOW64\net.exe

net user Admin /delete

C:\Windows\SysWOW64\reg.exe

reg delete HKCR

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /delete

C:\Windows\SysWOW64\reg.exe

reg delete HKU

C:\Windows\SysWOW64\reg.exe

reg delete HKLM

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\LogonUI.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\taskmgr.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\drivers

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\BCD

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\System32\WUDFHost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp

Files

memory/3928-0-0x0000000000080000-0x0000000000090000-memory.dmp

memory/3928-1-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3928-2-0x0000000005130000-0x00000000056D4000-memory.dmp

memory/3928-3-0x0000000004A90000-0x0000000004B22000-memory.dmp

memory/3928-4-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/3928-5-0x0000000004A80000-0x0000000004A8A000-memory.dmp

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 21ad42bd4156f914d3a265823a1c269c
SHA1 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f
SHA256 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2
SHA512 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a

memory/3928-12131-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3928-15840-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/3928-120019-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/3928-120041-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 3928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 3928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 3928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3928 -ip 3928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

127s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\REG.exe N/A

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 2192 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 2192 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe
PID 2192 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe
PID 2192 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe
PID 2192 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 596

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2192-1-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win7-20240221-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe"

Network

N/A

Files

memory/2792-0-0x0000000000A70000-0x0000000000AB6000-memory.dmp

memory/2792-1-0x0000000074600000-0x0000000074CEE000-memory.dmp

memory/2792-2-0x0000000004420000-0x0000000004460000-memory.dmp

memory/2792-3-0x0000000004420000-0x0000000004460000-memory.dmp

memory/2792-4-0x0000000074600000-0x0000000074CEE000-memory.dmp

memory/2792-5-0x0000000004420000-0x0000000004460000-memory.dmp

memory/2792-6-0x0000000004420000-0x0000000004460000-memory.dmp

memory/2792-7-0x0000000004420000-0x0000000004460000-memory.dmp

memory/2792-8-0x0000000004420000-0x0000000004460000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:38

Platform

win7-20240215-en

Max time kernel

0s

Max time network

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-02 20:38

Reported

2024-03-02 20:41

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\InstallTemp\20240302204027987.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80CHS.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80KOR.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204028300.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6374.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027456.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80FRA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204029034.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204029034.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e593afc.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80ESP.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204029065.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027456.0\ATL80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027612.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027612.0\msvcm80.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204027987.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfc80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028925.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e593afc.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfc80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80ITA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028800.0\vcomp.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204028925.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204029065.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027612.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80ENU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204029065.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204029081.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204028800.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80CHT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80JPN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027612.0\msvcr80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e593b00.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80DEU.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfcm80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028800.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204027612.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204028909.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027612.0\msvcp80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027987.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028800.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028909.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204029034.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204027456.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4ABB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204027456.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028300.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204029081.0\8.0.50727.6195.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028925.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240302204029081.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240302204028909.0\8.0.50727.6195.policy C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\VC_Redist C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\PackageName = "vcredist.msi" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Version = "134278728" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8C9A65F413261ED591506F5284930E3E

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

MD5 6dbdf338a0a25cdb236d43ea3ca2395e
SHA1 685b6ea61e574e628392eaac8b10aff4309f1081
SHA256 200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb
SHA512 6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

MD5 77a9bff5af149160775741e204734d47
SHA1 7b5126af69b5a79593f39db94180f1ff11b0e39d
SHA256 20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038
SHA512 bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b

\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6b29cfd3-6321-4d17-8f1a-b2f16793647c}_OnDiskSnapshotProp

MD5 26e3163d2852579352226843c0d0ed46
SHA1 bf067bee0b7afd6f40ccd35d256fd9e760f754f9
SHA256 0f5738a007c7acef43a1db7358850e20b338584ac560976d979f821a56c8b906
SHA512 ee65e329a06eef3be82fee4a4d0e4ae1e0ca509893d78978f7bd9a797cd38fe867bb5a12f03ba578264aa964ca2026ea1f70c277f880ba34b7c742996ecaaeb2

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 534625a0b5278734b90392ed8e39974a
SHA1 7f2685e90075841309fa04dc7dd75f7f39537b55
SHA256 eb004621b13f6de9279c4689a3d66370ce674d77154ce430da4d0d6dc8a99dc9
SHA512 911bb03b8dd43d331f11a2ea9ad216ce7b62a73ec4ca42307d872f05367a7d126a5e80a6cda1dd66c1e730e5f9e41148a1aecc4c07cd894fe4b5d473a6599392

C:\Windows\Installer\MSI4ABB.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d