b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2

Analysis

max time kernel
300s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoit3.exe
Size

380KB
MD5

d68dda9d50ec5f965948e8b2d9ad17b9
SHA1

e16d8603132c4763e4fa87bf806d491920548686
SHA256

28bf399a594b68b00aeede888e147f1602eede821ec9780418e739f31b3eded6
SHA512

092e6d9b8868b85f45732b43b98ab91b8ac8000e03601810e0b54abb84a45a80c3c020db219be358900d1ad6ceb76de329b0f6007cb2928b3d469e07a86c593d
SSDEEP

6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwI6yGdMKxVusp:UzcRD02J4Sq2vHGB67KWKKmDkMKTuqRf

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

autoit3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\autoit3.exe"	autoit3.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

autoit3.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit3.exe
Drops startup file 1 IoCs

Processes:

autoit3.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit3.exe.lnk autoit3.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

autoit3.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	autoit3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit3.exe.lnk	autoit3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	autoit3.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral5/memory/2960-3-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral5/memory/2960-35-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/memory/2960-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral5/memory/2960-3-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral5/memory/2960-35-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.execmd.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.exeautoit3.execmd.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.execmd.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.execmd.execmd.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 23 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2072	taskkill.exe
1152	taskkill.exe
2024	taskkill.exe
2060	taskkill.exe
760	taskkill.exe
2556	taskkill.exe
2128	taskkill.exe
2136	taskkill.exe
2888	taskkill.exe
1236	taskkill.exe
2000	taskkill.exe
992	taskkill.exe
1536	taskkill.exe
2780	taskkill.exe
2676	taskkill.exe
860	taskkill.exe
940	taskkill.exe
1700	taskkill.exe
2180	taskkill.exe
2152	taskkill.exe
532	taskkill.exe
2652	taskkill.exe
628	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

autoit3.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main autoit3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	autoit3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

autoit3.exe

pid	process
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe
2960	autoit3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

autoit3.exe

pid process

2960 autoit3.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

autoit3.exe

pid process

2960 autoit3.exe
2960 autoit3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

autoit3.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2960 wrote to memory of 2388	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2388	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2388	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2388	2960	autoit3.exe	cmd.exe
PID 2388 wrote to memory of 2652	2388	cmd.exe	taskkill.exe
PID 2388 wrote to memory of 2652	2388	cmd.exe	taskkill.exe
PID 2388 wrote to memory of 2652	2388	cmd.exe	taskkill.exe
PID 2388 wrote to memory of 2652	2388	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 2808	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2808	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2808	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2808	2960	autoit3.exe	cmd.exe
PID 2808 wrote to memory of 2780	2808	cmd.exe	taskkill.exe
PID 2808 wrote to memory of 2780	2808	cmd.exe	taskkill.exe
PID 2808 wrote to memory of 2780	2808	cmd.exe	taskkill.exe
PID 2808 wrote to memory of 2780	2808	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 2688	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2688	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2688	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2688	2960	autoit3.exe	cmd.exe
PID 2688 wrote to memory of 2676	2688	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 2676	2688	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 2676	2688	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 2676	2688	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 2852	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2852	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2852	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2852	2960	autoit3.exe	cmd.exe
PID 2852 wrote to memory of 2136	2852	cmd.exe	taskkill.exe
PID 2852 wrote to memory of 2136	2852	cmd.exe	taskkill.exe
PID 2852 wrote to memory of 2136	2852	cmd.exe	taskkill.exe
PID 2852 wrote to memory of 2136	2852	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 2672	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2672	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2672	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 2672	2960	autoit3.exe	cmd.exe
PID 2672 wrote to memory of 2556	2672	cmd.exe	taskkill.exe
PID 2672 wrote to memory of 2556	2672	cmd.exe	taskkill.exe
PID 2672 wrote to memory of 2556	2672	cmd.exe	taskkill.exe
PID 2672 wrote to memory of 2556	2672	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 1336	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 1336	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 1336	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 1336	2960	autoit3.exe	cmd.exe
PID 1336 wrote to memory of 2128	1336	cmd.exe	taskkill.exe
PID 1336 wrote to memory of 2128	1336	cmd.exe	taskkill.exe
PID 1336 wrote to memory of 2128	1336	cmd.exe	taskkill.exe
PID 1336 wrote to memory of 2128	1336	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 3056	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 3056	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 3056	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 3056	2960	autoit3.exe	cmd.exe
PID 3056 wrote to memory of 628	3056	cmd.exe	taskkill.exe
PID 3056 wrote to memory of 628	3056	cmd.exe	taskkill.exe
PID 3056 wrote to memory of 628	3056	cmd.exe	taskkill.exe
PID 3056 wrote to memory of 628	3056	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 372	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 372	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 372	2960	autoit3.exe	cmd.exe
PID 2960 wrote to memory of 372	2960	autoit3.exe	cmd.exe
PID 372 wrote to memory of 2152	372	cmd.exe	taskkill.exe
PID 372 wrote to memory of 2152	372	cmd.exe	taskkill.exe
PID 372 wrote to memory of 2152	372	cmd.exe	taskkill.exe
PID 372 wrote to memory of 2152	372	cmd.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

autoit3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	autoit3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	autoit3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	autoit3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	autoit3.exe

C:\Users\Admin\AppData\Local\Temp\autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\autoit3.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops startup file
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2960-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2960-1-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/2960-3-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2960-5-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/2960-35-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download