b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2

Analysis

max time kernel
300s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoit2.exe
Size

380KB
MD5

6177f9bde1fd578165974ceddcade3d9
SHA1

55998f23b74366042c4628c391e94d25c39523b0
SHA256

1cfb58fcaa04794556d5195a979839b3ef74533845e6f9becf4c547f6b60f29e
SHA512

aa9bb6cfa3d0c902c463c6e13540182820d1474223fa658a82d4fbafa8c06614d34406b9ca55fc11462d44d4309fad086e2779d36d93aacc8eda164204911f3c
SSDEEP

6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIrn8m/EBLKVB:UzcRD02J4Sq2vHGB67KWKKmDT8m/ExKH

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

autoit2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\autoit2.exe"	autoit2.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

autoit2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit2.exe
Drops startup file 1 IoCs

Processes:

autoit2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit2.exe.lnk autoit2.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

autoit2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	autoit2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit2.exe.lnk	autoit2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	autoit2.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral4/memory/1928-3-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral4/memory/1928-29-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral4/memory/1928-39-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/1928-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral4/memory/1928-3-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral4/memory/1928-29-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral4/memory/1928-39-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.execmd.execmd.execmd.execmd.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.exeautoit2.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.execmd.exetaskkill.execmd.execmd.execmd.execmd.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.execmd.exetaskkill.execmd.exetaskkill.execmd.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autoit2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 23 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2816	taskkill.exe
2856	taskkill.exe
1280	taskkill.exe
2364	taskkill.exe
1324	taskkill.exe
2704	taskkill.exe
2608	taskkill.exe
2324	taskkill.exe
1336	taskkill.exe
2772	taskkill.exe
1556	taskkill.exe
988	taskkill.exe
2184	taskkill.exe
2480	taskkill.exe
1448	taskkill.exe
1700	taskkill.exe
2740	taskkill.exe
316	taskkill.exe
1944	taskkill.exe
2904	taskkill.exe
1428	taskkill.exe
2828	taskkill.exe
1964	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

autoit2.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main autoit2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	autoit2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

autoit2.exe

pid	process
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe
1928	autoit2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

autoit2.exe

pid process

1928 autoit2.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

autoit2.exe

pid process

1928 autoit2.exe
1928 autoit2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

autoit2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 2504	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2504	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2504	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2504	1928	autoit2.exe	cmd.exe
PID 2504 wrote to memory of 2772	2504	cmd.exe	taskkill.exe
PID 2504 wrote to memory of 2772	2504	cmd.exe	taskkill.exe
PID 2504 wrote to memory of 2772	2504	cmd.exe	taskkill.exe
PID 2504 wrote to memory of 2772	2504	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 2868	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2868	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2868	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2868	1928	autoit2.exe	cmd.exe
PID 2868 wrote to memory of 2740	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 2740	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 2740	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 2740	2868	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 2720	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2720	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2720	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2720	1928	autoit2.exe	cmd.exe
PID 2720 wrote to memory of 2704	2720	cmd.exe	taskkill.exe
PID 2720 wrote to memory of 2704	2720	cmd.exe	taskkill.exe
PID 2720 wrote to memory of 2704	2720	cmd.exe	taskkill.exe
PID 2720 wrote to memory of 2704	2720	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 2892	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2892	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2892	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2892	1928	autoit2.exe	cmd.exe
PID 2892 wrote to memory of 2608	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2608	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2608	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2608	2892	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 2660	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2660	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2660	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2660	1928	autoit2.exe	cmd.exe
PID 2660 wrote to memory of 2324	2660	cmd.exe	taskkill.exe
PID 2660 wrote to memory of 2324	2660	cmd.exe	taskkill.exe
PID 2660 wrote to memory of 2324	2660	cmd.exe	taskkill.exe
PID 2660 wrote to memory of 2324	2660	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 584	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 584	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 584	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 584	1928	autoit2.exe	cmd.exe
PID 584 wrote to memory of 1964	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 1964	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 1964	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 1964	584	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 1768	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 1768	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 1768	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 1768	1928	autoit2.exe	cmd.exe
PID 1768 wrote to memory of 2816	1768	cmd.exe	taskkill.exe
PID 1768 wrote to memory of 2816	1768	cmd.exe	taskkill.exe
PID 1768 wrote to memory of 2816	1768	cmd.exe	taskkill.exe
PID 1768 wrote to memory of 2816	1768	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 2116	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2116	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2116	1928	autoit2.exe	cmd.exe
PID 1928 wrote to memory of 2116	1928	autoit2.exe	cmd.exe
PID 2116 wrote to memory of 316	2116	cmd.exe	taskkill.exe
PID 2116 wrote to memory of 316	2116	cmd.exe	taskkill.exe
PID 2116 wrote to memory of 316	2116	cmd.exe	taskkill.exe
PID 2116 wrote to memory of 316	2116	cmd.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

autoit2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	autoit2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	autoit2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	autoit2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	autoit2.exe

C:\Users\Admin\AppData\Local\Temp\autoit2.exe
"C:\Users\Admin\AppData\Local\Temp\autoit2.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops startup file
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1928-1-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1928-3-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1928-5-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1928-29-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1928-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download