Analysis
max time kernel: 140s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 19/08/2024, 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe
Size: 95KB
MD5: a9a6e3d32934da8a40bb2d9cf4330e5d
SHA1: d670d6307988225505e5d355b8f995aec6dec5d3
SHA256: 982173af7432cf1f421272547e88fa2bcec49bd03f1090a2987ed0f5c9d226a5
SHA512: e3b0ce97ee129d5ef13322fe66a08137d250cfe917741ec6c284f5762d05265bb14c7214e3e3455f5bbf0c37dc9221a3372dcac92572ca3a756737389d286a1b
SSDEEP: 1536:AWqjQlCaPmJsbc//////mPLaO/MfAmjpebuwcfYHDzv3DkkSq7XD8hDdA2bSCQM1:aECuVbc//////hO/ZopqHDdSqLUDdA2b
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid   Process
3248  SETUP.EXE

Loads dropped DLL 2 IoCs
pid   Process
3248  SETUP.EXE
3248  SETUP.EXE

resource                                                                     yara_rule
behavioral2/files/0x00090000000233d9-2.dat                                   upx
behavioral2/memory/3248-3-0x0000000000400000-0x000000000041F000-memory.dmp   upx
behavioral2/memory/3248-14-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
696   sc.exe
3540  sc.exe
4008  sc.exe
3328  sc.exe
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SETUP.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NET.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NET.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Kills process with taskkill 8 IoCs
pid   Process
2560  taskkill.exe
1048  taskkill.exe
2016  taskkill.exe
3996  taskkill.exe
3692  taskkill.exe
1188  taskkill.exe
3504  taskkill.exe
2216  taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid   Process
3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe (24 occurrences)
3248  SETUP.EXE (6 occurrences)

Suspicious behavior: RenamesItself 1 IoCs
pid   Process
3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs
description               pid   Process
Token: SeDebugPrivilege   3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe (12 occurrences)
Token: SeDebugPrivilege   1048  taskkill.exe
Token: SeDebugPrivilege   1188  taskkill.exe
Token: SeDebugPrivilege   2216  taskkill.exe
Token: SeDebugPrivilege   3504  taskkill.exe
Token: SeDebugPrivilege   3692  taskkill.exe
Token: SeDebugPrivilege   2560  taskkill.exe
Token: SeDebugPrivilege   2016  taskkill.exe
Token: SeDebugPrivilege   3996  taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
3248  SETUP.EXE

Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process                                              procid_target
PID 3792 wrote to memory of 4840     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   84  (3 occurrences)
PID 3792 wrote to memory of 4996     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   85  (3 occurrences)
PID 3792 wrote to memory of 4028     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   86  (3 occurrences)
PID 3792 wrote to memory of 3540     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   87  (3 occurrences)
PID 3792 wrote to memory of 1048     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   88  (3 occurrences)
PID 3792 wrote to memory of 2560     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   89  (3 occurrences)
PID 3792 wrote to memory of 696      3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   90  (3 occurrences)
PID 3792 wrote to memory of 2216     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   91  (3 occurrences)
PID 3792 wrote to memory of 3504     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   92  (3 occurrences)
PID 3792 wrote to memory of 1064     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   93  (3 occurrences)
PID 3792 wrote to memory of 3456     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   94  (3 occurrences)
PID 3792 wrote to memory of 4148     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   95  (3 occurrences)
PID 3792 wrote to memory of 3328     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   96  (3 occurrences)
PID 3792 wrote to memory of 2016     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   97  (3 occurrences)
PID 3792 wrote to memory of 3996     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   98  (3 occurrences)
PID 3792 wrote to memory of 4008     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   100 (3 occurrences)
PID 3792 wrote to memory of 1188     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   101 (3 occurrences)
PID 3792 wrote to memory of 3692     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   102 (3 occurrences)
PID 3792 wrote to memory of 3248     3792  a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe   112 (3 occurrences)
PID 4840 wrote to memory of 2392     4840  net.exe                                              121 (3 occurrences)
PID 4148 wrote to memory of 708      4148  NET.exe                                              122 (3 occurrences)
PID 4028 wrote to memory of 1472     4028  NET.exe                                              123 (1 occurrence)
Processes

C:\Users\Admin\AppData\Local\Temp\a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3792

  C:\Windows\SysWOW64\net.exe (depth 2)
    Command line: net stop "Security Center"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4840

    C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 stop "Security Center"
      - System Location Discovery: System Language Discovery
      PID:2392

  C:\Windows\SysWOW64\net.exe (depth 2)
    Command line: net sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
    - System Location Discovery: System Language Discovery
    PID:4996

    C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
      - System Location Discovery: System Language Discovery
      PID:4268

  C:\Windows\SysWOW64\NET.exe (depth 2)
    Command line: NET STOP sYStem Restore Service
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4028

    C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 STOP sYStem Restore Service
      - System Location Discovery: System Language Discovery
      PID:1472

  C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc config ekrn start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3540

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im ekrn.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1048

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im egui.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2560

  C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc config NOD32kRn start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:696

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im nod32krn.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2216

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im nod32kui.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3504

  C:\Windows\SysWOW64\net.exe (depth 2)
    Command line: net stop "Security Center"
    - System Location Discovery: System Language Discovery
    PID:1064

    C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 stop "Security Center"
      - System Location Discovery: System Language Discovery
      PID:4532

  C:\Windows\SysWOW64\net.exe (depth 2)
    Command line: net sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
    - System Location Discovery: System Language Discovery
    PID:3456

    C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
      - System Location Discovery: System Language Discovery
      PID:428

  C:\Windows\SysWOW64\NET.exe (depth 2)
    Command line: NET STOP sYStem Restore Service
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148

    C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 STOP sYStem Restore Service
      - System Location Discovery: System Language Discovery
      PID:708

  C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc config ekrn start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3328

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im ekrn.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2016

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im egui.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3996

  C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc config NOD32kRn start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4008

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im nod32krn.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1188

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: taskkill /im nod32kui.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3692

  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3248

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c del C:\NTDUBECT.EXE
    - System Location Discovery: System Language Discovery
    PID:4340
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 29KB
MD5: 61213073c273df8eb02735d2171bd0c4
SHA1: 3880c6a20f9bec59a85bc4130149683cec52ddf6
SHA256: 58d00b39db9e1e0cc17d33e20f2f2e0c87e8ce12c860a22a1c772e170b4894f4
SHA512: f226cdbd4bb9f60bfe71fba8456b54cdae64026e0633e49af8a9c0354fdde71d3e42531bd5dabd71ffa8c0a0f36d2c85915c294a2baf50d5d6bd2df36dd97023

Filesize: 41KB
MD5: 32e9935a7fb2b750c4432b01b67da483
SHA1: 5e6b8a0b44a2d605387a6cce090b832ff12ac25e
SHA256: 3b1aad0ca2b88dd5fa7b1095345c28b46a90fd6ba0a3f0eea3cec25d1b811a4f
SHA512: 8dbe88e9d4b2d5fb492e99eb642993b63b51ddb489c283ca9b9307968d8282587965c89d653cea0174da2f3eb42e1b81b49b87f6572910b6fa9d618803250793