Analysis Overview
SHA256
d9a8b6007b6a59cf3a03d2fe52fe0e9b5e718e4c74c15f788d8ee2132bd083ea
Threat Level: Known bad
The file MyMalwareDatabase-main (1).zip was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Possible privilege escalation attempt
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Checks computer location settings
UPX packed file
Modifies system executable filetype association
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Enumerates connected drives
Checks whether UAC is enabled
Drops desktop.ini file(s)
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Modifies registry class
Modifies File Icons
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies Control Panel
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Kills process with taskkill
Modifies registry key
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 20:38
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4704 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 4704 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 4704 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe"
C:\Users\Admin\AppData\Roaming\1337\Frog.exe
"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nso8FDE.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
C:\Users\Admin\AppData\Roaming\1337\Frog.exe
| MD5 | 498b332266cedcf8cbd7567c4a39bcbd |
| SHA1 | 281331dc3fcdc6a821c4b15e71b7bd41603534ed |
| SHA256 | aea78dc8b3d694a84f73eb3ff8c366874d81f74e46e92b67d12aab112f58fff9 |
| SHA512 | 6abbd75cc70adf6acb10bca9d981f9eb62ccaf9125ad721fb3668d99220e70fd24467badc65168e88cbcb2850e15e294843d0b231897597239126bc9d00022f7 |
C:\Users\Admin\AppData\Roaming\1337\Frog.exe
| MD5 | 41e75c80873b0ca18d56ddaba4c5aadd |
| SHA1 | 1d0423d6e66a4739db22939e1c16bcdc7eaa9746 |
| SHA256 | b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec |
| SHA512 | 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530 |
memory/1732-19-0x0000000002590000-0x0000000002591000-memory.dmp
C:\Users\Admin\AppData\Roaming\1337\php5ts.dll
| MD5 | c9aff68f6673fae7580527e8c76805b6 |
| SHA1 | bb62cc1db82cfe07a8c08a36446569dfc9c76d10 |
| SHA256 | 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4 |
| SHA512 | c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56 |
memory/1732-24-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-25-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-26-0x0000000002590000-0x0000000002591000-memory.dmp
memory/1732-27-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-28-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-29-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-30-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-31-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-32-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-33-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-34-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-35-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-36-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1732-37-0x0000000000400000-0x000000000064F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"
Network
Files
memory/1648-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1648-3-0x0000000002440000-0x0000000002441000-memory.dmp
memory/1648-4-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1648-5-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1648-6-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1648-7-0x0000000002440000-0x0000000002441000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| GB | 142.250.200.10:443 | tcp | |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
Files
memory/760-0-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/760-3-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-4-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-5-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/760-6-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-7-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-8-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-9-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-10-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-11-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-12-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-13-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-14-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-15-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-16-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-17-0x0000000000400000-0x000000000064F000-memory.dmp
memory/760-18-0x0000000000400000-0x000000000064F000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
160s
Max time network
136s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(30).txt
Network
Files
memory/2688-0-0x0000000000EC0000-0x0000000000FCE000-memory.dmp
memory/2688-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
memory/2688-2-0x000000001B220000-0x000000001B2A0000-memory.dmp
C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 7f0df170f9cea3f0bedc79894eb44bdf |
| SHA1 | 79a083f09bf614d80543d0c455bb27b031da8adf |
| SHA256 | 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738 |
| SHA512 | f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c |
memory/2688-803-0x000000001B220000-0x000000001B2A0000-memory.dmp
memory/2688-804-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
memory/2688-805-0x000000001B220000-0x000000001B2A0000-memory.dmp
memory/2688-806-0x000000001B220000-0x000000001B2A0000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240220-en
Max time kernel
142s
Max time network
122s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7327).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7905).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8453).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8904).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9829).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5801).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6638).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6270).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7288).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8602).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8988).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2827).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4276).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8526).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9429).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(357).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2189).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6165).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8463).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1179).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2492).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7487).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8661).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6176).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6545).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8707).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9612).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2871).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3612).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9775).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3484).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3910).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2124).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2234).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2550).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3277).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4538).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6340).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(316).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1335).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8879).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9163).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1201).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6133).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3242).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3783).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7431).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7946).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8359).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6269).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6941).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2178).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8917).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4792).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(844).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3274).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1852).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8224).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9945).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(953).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1611).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4442).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5106).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8289).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\3 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\4 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Modifies registry class
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
C:\Windows\SysWOW64\net.exe
net user Admin /delete
C:\Windows\SysWOW64\reg.exe
reg delete HKCR
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /delete
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\reg.exe
reg delete HKLM
C:\Windows\SysWOW64\reg.exe
reg delete HKU
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dwm.exe.exe /F
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM TrustedInstaller.exe.exe /F
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\BCD
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\System32\WUDFHost.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\LogonUI.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\drivers
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\taskmgr.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
Network
Files
memory/1948-0-0x0000000000AE0000-0x0000000000AF0000-memory.dmp
memory/1948-1-0x0000000074AA0000-0x000000007518E000-memory.dmp
memory/1948-2-0x0000000004670000-0x00000000046B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 21ad42bd4156f914d3a265823a1c269c |
| SHA1 | 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f |
| SHA256 | 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2 |
| SHA512 | 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a |
memory/1948-20478-0x0000000074AA0000-0x000000007518E000-memory.dmp
memory/1948-31137-0x0000000004670000-0x00000000046B0000-memory.dmp
memory/1948-80006-0x0000000004670000-0x00000000046B0000-memory.dmp
memory/1948-80027-0x0000000004670000-0x00000000046B0000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203941797.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204015993.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204022513.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204022685.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfcm80u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80CHT.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76f2f6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204010049.0\vcomp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfc80u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203941797.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203940815.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203940815.0\msvcm80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80ESP.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80FRA.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80ITA.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204019861.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f2fb.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203938100.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204022420.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302203938100.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204022685.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204022420.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203938100.0\ATL80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203940815.0\msvcp80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80CHS.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80DEU.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80KOR.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204010049.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203938100.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f2f6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204019861.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203940815.0\msvcr80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203940815.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80JPN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204019861.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204010049.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f2f9.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204010049.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204022685.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204022513.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203942921.0\mfc80ENU.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFFF4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204015993.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204022420.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204015993.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76f2f9.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302203941797.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfcm80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302203941797.0\mfc80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302203940815.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF9BC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302203942921.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204022513.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\Servicing_Key | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Version = "134278728" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Language = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\VC_Redist | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\PackageName = "vcredist.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "0000000000000574"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 96A7B617D04703AA51E981DD67BB2914
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi
| MD5 | 6dbdf338a0a25cdb236d43ea3ca2395e |
| SHA1 | 685b6ea61e574e628392eaac8b10aff4309f1081 |
| SHA256 | 200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb |
| SHA512 | 6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7958f6c69c59d5497f2a966514ecb7c1 |
| SHA1 | 661354645f2cf74c693996b4e20ad8ec0f49330b |
| SHA256 | 2d83d05aaeb21dc6646462cde5fc9352f3c062c65b4cf47517fcafdcb943211f |
| SHA512 | a15ac3a2e8f7a6c4d11ca6f01e1ead43eb5e1a8015349f2226151e8035fe53be1da9efd927fbafed5b8a19923856da0b9ef8b54a777ee6280f2b86efb5c3d8f9 |
C:\Users\Admin\AppData\Local\Temp\CabF383.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Windows\Installer\MSIF9BC.tmp
| MD5 | 85221b3bcba8dbe4b4a46581aa49f760 |
| SHA1 | 746645c92594bfc739f77812d67cfd85f4b92474 |
| SHA256 | f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f |
| SHA512 | 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab
| MD5 | 77a9bff5af149160775741e204734d47 |
| SHA1 | 7b5126af69b5a79593f39db94180f1ff11b0e39d |
| SHA256 | 20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038 |
| SHA512 | bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b |
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2896 wrote to memory of 1516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 1516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 1516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 1516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 1516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 1516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 1516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
94s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/2028-0-0x00007FF7C3360000-0x00007FF7C3386000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
118s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe"
Network
Files
memory/1156-0-0x0000000000400000-0x00000000005CC000-memory.dmp
memory/1156-1-0x0000000000400000-0x00000000005CC000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:39
Platform
win10v2004-20240226-en
Max time kernel
28s
Max time network
37s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnt32.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| File opened for modification | C:\Windows\winnt32.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Mouse | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\AutoColorization = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NoEscape (1).exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ae855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/4812-0-0x0000000000400000-0x00000000005CC000-memory.dmp
memory/4812-1-0x0000000000400000-0x00000000005CC000-memory.dmp
memory/4812-2-0x0000000000400000-0x00000000005CC000-memory.dmp
memory/4812-3-0x0000000000400000-0x00000000005CC000-memory.dmp
C:\Users\Public\Desktop\ྺቿ⭿ၺ༾ಅ⍲൫Ჳ྾Ή᠆✋ᥦᩉᢢࣞⅱⶸ⚄ᇘⒹ᪼⊲╓
| MD5 | e49f0a8effa6380b4518a8064f6d240b |
| SHA1 | ba62ffe370e186b7f980922067ac68613521bd51 |
| SHA256 | 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13 |
| SHA512 | de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4 |
memory/4812-179-0x0000000000400000-0x00000000005CC000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\REG.exe | N/A |
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x3f0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3104 -ip 3104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1048
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
memory/3104-0-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3104-1-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:38
Platform
win7-20240221-en
Max time kernel
0s
Max time network
5s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Losange\Losange.exe"
Network
Files
memory/1524-0-0x000000013FD90000-0x000000013FDB6000-memory.dmp
memory/1524-1-0x000000013FD90000-0x000000013FDB6000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
136s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\REGFuck.bat"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:38
Platform
win10v2004-20240226-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:38
Platform
win10v2004-20240226-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2808 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
memory/4480-0-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-1-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-2-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-3-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-4-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-5-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-6-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-7-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-8-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-9-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-10-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-11-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-12-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-13-0x0000000000AE0000-0x0000000000B12000-memory.dmp
memory/4480-14-0x0000000000AE0000-0x0000000000B12000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\REGFuck.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
115s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c 0x384
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/5064-1-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/5064-0-0x0000000000A00000-0x0000000000A46000-memory.dmp
memory/5064-2-0x0000000005A60000-0x0000000006004000-memory.dmp
memory/5064-3-0x00000000054B0000-0x0000000005542000-memory.dmp
memory/5064-4-0x00000000053C0000-0x00000000053D0000-memory.dmp
memory/5064-5-0x0000000005450000-0x000000000545A000-memory.dmp
memory/5064-6-0x00000000053C0000-0x00000000053D0000-memory.dmp
memory/5064-7-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/5064-8-0x00000000053C0000-0x00000000053D0000-memory.dmp
memory/5064-9-0x00000000053C0000-0x00000000053D0000-memory.dmp
memory/5064-10-0x00000000053C0000-0x00000000053D0000-memory.dmp
memory/5064-11-0x00000000053C0000-0x00000000053D0000-memory.dmp
memory/5064-12-0x00000000053C0000-0x00000000053D0000-memory.dmp
memory/5064-13-0x00000000053C0000-0x00000000053D0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
150s
Max time network
130s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Hydromatic (1).exe"
Network
Files
memory/2932-0-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-1-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-2-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-3-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-4-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-5-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-6-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-7-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-8-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-9-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-10-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-11-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-12-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-13-0x0000000001340000-0x0000000001372000-memory.dmp
memory/2932-14-0x0000000001340000-0x0000000001372000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
157s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 2224 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 2224 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 2224 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Frog.exe"
C:\Users\Admin\AppData\Roaming\1337\Frog.exe
"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nso9B96.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
\Users\Admin\AppData\Roaming\1337\Frog.exe
| MD5 | 41e75c80873b0ca18d56ddaba4c5aadd |
| SHA1 | 1d0423d6e66a4739db22939e1c16bcdc7eaa9746 |
| SHA256 | b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec |
| SHA512 | 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530 |
memory/1724-15-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Roaming\1337\php5ts.dll
| MD5 | 3795c616673a8c7cca3569f1e349878a |
| SHA1 | a460cbf89201a8206c5f20c6bc5f1de9493560c8 |
| SHA256 | a3b1386d520ee5fc50f99070d31580f42ef654bddc8e0392d162f53387803720 |
| SHA512 | 09309711bdc4f0a93879e43f5061a77cd54c7a33e6dc98b159c87f5f5eb4aa676763dab6538bb4ce95a983727496f4dba21d5883efe277b7a354b5032ee6ac9d |
\Users\Admin\AppData\Roaming\1337\php5ts.dll
| MD5 | 87ebee0820c5b78783d40d0a11a14cb1 |
| SHA1 | 4f20d54b8ab61d05b106573e4c5cc2220759c0ab |
| SHA256 | fb25bbd896683326478b14173386fa3cbc2aeafc6cbb16f641a3936a0dc505e5 |
| SHA512 | f6cb9e9f60f5486ab5e6ca4a84a054f58f7706f00c8c8b34126dc2318eb8810bce822e1af55f80da1cc6f5ff0c10cfceba8605575bd6870488ad2c8a9ef75e8b |
memory/1724-21-0x0000000005900000-0x0000000005901000-memory.dmp
memory/1724-22-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1724-24-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1724-25-0x0000000005900000-0x0000000005901000-memory.dmp
memory/1724-29-0x0000000000400000-0x000000000064F000-memory.dmp
memory/1724-31-0x0000000000400000-0x000000000064F000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3224 wrote to memory of 1312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 1312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 1312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 228
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\GonnaCry\GonnaCry.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/448-0-0x000001E4879B0000-0x000001E487ABE000-memory.dmp
memory/448-1-0x00007FF8561B0000-0x00007FF856C71000-memory.dmp
memory/448-2-0x000001E487ED0000-0x000001E487EE0000-memory.dmp
C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 7f0df170f9cea3f0bedc79894eb44bdf |
| SHA1 | 79a083f09bf614d80543d0c455bb27b031da8adf |
| SHA256 | 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738 |
| SHA512 | f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c |
memory/448-1202-0x00007FF8561B0000-0x00007FF856C71000-memory.dmp
memory/448-1203-0x000001E487ED0000-0x000001E487EE0000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Monoxidex64.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
115s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Recovery | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6873).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7244).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9349).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(47).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(753).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2943).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5354).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1504).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4001).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6777).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7255).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8356).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8889).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(427).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1721).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5731).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7904).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6054).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8721).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7809).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9018).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2655).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3496).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5096).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6206).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8738).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(71).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2622).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3951).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6635).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9927).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(127).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4813).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6120).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8168).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7988).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(998).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1411).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4121).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7871).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6016).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9571).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7102).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1054).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1949).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2064).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6608).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2101).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2369).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5780).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7808).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2429).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3897).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4877).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5301).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2277).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7242).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8020).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2156).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4408).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5476).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5650).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6074).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6196).txt | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Modifies registry class
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
C:\Windows\SysWOW64\net.exe
net user Admin /delete
C:\Windows\SysWOW64\reg.exe
reg delete HKCR
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /delete
C:\Windows\SysWOW64\reg.exe
reg delete HKU
C:\Windows\SysWOW64\reg.exe
reg delete HKLM
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\LogonUI.exe
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\taskmgr.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\drivers
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\BCD
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\System32\WUDFHost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
Files
memory/3928-0-0x0000000000080000-0x0000000000090000-memory.dmp
memory/3928-1-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3928-2-0x0000000005130000-0x00000000056D4000-memory.dmp
memory/3928-3-0x0000000004A90000-0x0000000004B22000-memory.dmp
memory/3928-4-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/3928-5-0x0000000004A80000-0x0000000004A8A000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 21ad42bd4156f914d3a265823a1c269c |
| SHA1 | 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f |
| SHA256 | 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2 |
| SHA512 | 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a |
memory/3928-12131-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3928-15840-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/3928-120019-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/3928-120041-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 3928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2576 wrote to memory of 3928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2576 wrote to memory of 3928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3928 -ip 3928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
127s
Max time network
121s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\REG.exe | N/A |
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Protactinium (1).exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 596
Network
Files
memory/2192-0-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2192-1-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win7-20240221-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\Saturn.exe"
Network
Files
memory/2792-0-0x0000000000A70000-0x0000000000AB6000-memory.dmp
memory/2792-1-0x0000000074600000-0x0000000074CEE000-memory.dmp
memory/2792-2-0x0000000004420000-0x0000000004460000-memory.dmp
memory/2792-3-0x0000000004420000-0x0000000004460000-memory.dmp
memory/2792-4-0x0000000074600000-0x0000000074CEE000-memory.dmp
memory/2792-5-0x0000000004420000-0x0000000004460000-memory.dmp
memory/2792-6-0x0000000004420000-0x0000000004460000-memory.dmp
memory/2792-7-0x0000000004420000-0x0000000004460000-memory.dmp
memory/2792-8-0x0000000004420000-0x0000000004460000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:38
Platform
win7-20240215-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-02 20:38
Reported
2024-03-02 20:41
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027987.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80CHS.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80KOR.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204028300.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6374.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027456.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80FRA.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204029034.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204029034.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e593afc.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80ESP.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204029065.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027456.0\ATL80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027612.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027612.0\msvcm80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204027987.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfc80u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028925.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e593afc.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfc80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80ITA.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028800.0\vcomp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204028925.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204029065.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027612.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80ENU.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204029065.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204029081.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204028800.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfcm80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80CHT.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80JPN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027612.0\msvcr80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e593b00.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\mfc80DEU.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027987.0\mfcm80u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028800.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204027612.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204028909.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027612.0\msvcp80.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027987.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028800.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028909.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204029034.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204027456.0 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4ABB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204027456.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028300.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204029081.0\8.0.50727.6195.cat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028925.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\InstallTemp\20240302204029081.0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\WinSxS\InstallTemp\20240302204028909.0\8.0.50727.6195.policy | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\Servicing_Key | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\VC_Redist | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\PackageName = "vcredist.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Language = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Version = "134278728" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 228 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 228 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 228 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4000 wrote to memory of 1456 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe |
| PID 4000 wrote to memory of 1456 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe |
| PID 4000 wrote to memory of 1268 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 4000 wrote to memory of 1268 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 4000 wrote to memory of 1268 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\vcredist_x64.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8C9A65F413261ED591506F5284930E3E
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi
| MD5 | 6dbdf338a0a25cdb236d43ea3ca2395e |
| SHA1 | 685b6ea61e574e628392eaac8b10aff4309f1081 |
| SHA256 | 200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb |
| SHA512 | 6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab
| MD5 | 77a9bff5af149160775741e204734d47 |
| SHA1 | 7b5126af69b5a79593f39db94180f1ff11b0e39d |
| SHA256 | 20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038 |
| SHA512 | bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b |
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6b29cfd3-6321-4d17-8f1a-b2f16793647c}_OnDiskSnapshotProp
| MD5 | 26e3163d2852579352226843c0d0ed46 |
| SHA1 | bf067bee0b7afd6f40ccd35d256fd9e760f754f9 |
| SHA256 | 0f5738a007c7acef43a1db7358850e20b338584ac560976d979f821a56c8b906 |
| SHA512 | ee65e329a06eef3be82fee4a4d0e4ae1e0ca509893d78978f7bd9a797cd38fe867bb5a12f03ba578264aa964ca2026ea1f70c277f880ba34b7c742996ecaaeb2 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 534625a0b5278734b90392ed8e39974a |
| SHA1 | 7f2685e90075841309fa04dc7dd75f7f39537b55 |
| SHA256 | eb004621b13f6de9279c4689a3d66370ce674d77154ce430da4d0d6dc8a99dc9 |
| SHA512 | 911bb03b8dd43d331f11a2ea9ad216ce7b62a73ec4ca42307d872f05367a7d126a5e80a6cda1dd66c1e730e5f9e41148a1aecc4c07cd894fe4b5d473a6599392 |
C:\Windows\Installer\MSI4ABB.tmp
| MD5 | 85221b3bcba8dbe4b4a46581aa49f760 |
| SHA1 | 746645c92594bfc739f77812d67cfd85f4b92474 |
| SHA256 | f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f |
| SHA512 | 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d |