Overview
overview
10Static
static
10Tear.exe
windows7-x64
10Tear.exe
windows10-2004-x64
10adochi.exe
windows7-x64
7adochi.exe
windows10-2004-x64
7autoit.exe
windows7-x64
10autoit.exe
windows10-2004-x64
6autoit2.exe
windows7-x64
10autoit2.exe
windows10-2004-x64
10autoit3.exe
windows7-x64
10autoit3.exe
windows10-2004-x64
10deviation.exe
windows7-x64
8deviation.exe
windows10-2004-x64
8encoder.exe
windows7-x64
10encoder.exe
windows10-2004-x64
10encoder2.exe
windows7-x64
9encoder2.exe
windows10-2004-x64
encoder3.exe
windows7-x64
10encoder3.exe
windows10-2004-x64
10encoder4.exe
windows7-x64
5encoder4.exe
windows10-2004-x64
5encoder5.exe
windows7-x64
10encoder5.exe
windows10-2004-x64
10erebus.exe
windows7-x64
9erebus.exe
windows10-2004-x64
7myxaha.exe
windows7-x64
7myxaha.exe
windows10-2004-x64
7$LOCALAPPD...er.exe
windows7-x64
7$LOCALAPPD...er.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 00:24
Behavioral task
behavioral1
Sample
Tear.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
Tear.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral3
Sample
adochi.exe
Resource
win7-20240903-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral4
Sample
adochi.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral5
Sample
autoit.exe
Resource
win7-20241010-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral6
Sample
autoit.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral7
Sample
autoit2.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral8
Sample
autoit2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
Behavioral task
behavioral9
Sample
autoit3.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral10
Sample
autoit3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
Behavioral task
behavioral11
Sample
deviation.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral12
Sample
deviation.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral13
Sample
encoder.exe
Resource
win7-20240729-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral14
Sample
encoder.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
25 signatures
150 seconds
Behavioral task
behavioral15
Sample
encoder2.exe
Resource
win7-20240708-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral16
Sample
encoder2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral17
Sample
encoder3.exe
Resource
win7-20241010-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral18
Sample
encoder3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral19
Sample
encoder4.exe
Resource
win7-20241010-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral20
Sample
encoder4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral21
Sample
encoder5.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral22
Sample
encoder5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral23
Sample
erebus.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral24
Sample
erebus.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral25
Sample
myxaha.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral26
Sample
myxaha.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral27
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win7-20240729-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral28
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral29
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20241010-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral30
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
autoit3.exe
-
Size
380KB
-
MD5
d68dda9d50ec5f965948e8b2d9ad17b9
-
SHA1
e16d8603132c4763e4fa87bf806d491920548686
-
SHA256
28bf399a594b68b00aeede888e147f1602eede821ec9780418e739f31b3eded6
-
SHA512
092e6d9b8868b85f45732b43b98ab91b8ac8000e03601810e0b54abb84a45a80c3c020db219be358900d1ad6ceb76de329b0f6007cb2928b3d469e07a86c593d
-
SSDEEP
6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwI6yGdMKxVusp:UzcRD02J4Sq2vHGB67KWKKmDkMKTuqRf
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\autoit3.exe" autoit3.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit3.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit3.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral10/memory/5064-1-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral10/memory/5064-2-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
resource yara_rule behavioral10/memory/5064-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral10/memory/5064-1-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral10/memory/5064-2-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language autoit3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Kills process with taskkill 21 IoCs
pid Process 3340 taskkill.exe 2316 taskkill.exe 3152 taskkill.exe 1436 taskkill.exe 3960 taskkill.exe 2632 taskkill.exe 3244 taskkill.exe 1908 taskkill.exe 2636 taskkill.exe 1292 taskkill.exe 972 taskkill.exe 1376 taskkill.exe 3472 taskkill.exe 3092 taskkill.exe 632 taskkill.exe 2124 taskkill.exe 1236 taskkill.exe 3312 taskkill.exe 768 taskkill.exe 3992 taskkill.exe 856 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe 5064 autoit3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5064 autoit3.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 3340 taskkill.exe Token: SeDebugPrivilege 632 taskkill.exe Token: SeDebugPrivilege 1908 taskkill.exe Token: SeDebugPrivilege 2124 taskkill.exe Token: SeDebugPrivilege 1236 taskkill.exe Token: SeDebugPrivilege 3960 taskkill.exe Token: SeDebugPrivilege 3312 taskkill.exe Token: SeDebugPrivilege 2632 taskkill.exe Token: SeDebugPrivilege 3244 taskkill.exe Token: SeDebugPrivilege 768 taskkill.exe Token: SeDebugPrivilege 2636 taskkill.exe Token: SeDebugPrivilege 3992 taskkill.exe Token: SeDebugPrivilege 2316 taskkill.exe Token: SeDebugPrivilege 1292 taskkill.exe Token: SeDebugPrivilege 856 taskkill.exe Token: SeDebugPrivilege 972 taskkill.exe Token: SeDebugPrivilege 3152 taskkill.exe Token: SeDebugPrivilege 1376 taskkill.exe Token: SeDebugPrivilege 3092 taskkill.exe Token: SeDebugPrivilege 3472 taskkill.exe Token: SeDebugPrivilege 1436 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5064 autoit3.exe 5064 autoit3.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5064 wrote to memory of 4596 5064 autoit3.exe 86 PID 5064 wrote to memory of 4596 5064 autoit3.exe 86 PID 5064 wrote to memory of 4596 5064 autoit3.exe 86 PID 4596 wrote to memory of 3340 4596 cmd.exe 88 PID 4596 wrote to memory of 3340 4596 cmd.exe 88 PID 4596 wrote to memory of 3340 4596 cmd.exe 88 PID 5064 wrote to memory of 1152 5064 autoit3.exe 89 PID 5064 wrote to memory of 1152 5064 autoit3.exe 89 PID 5064 wrote to memory of 1152 5064 autoit3.exe 89 PID 1152 wrote to memory of 632 1152 cmd.exe 92 PID 1152 wrote to memory of 632 1152 cmd.exe 92 PID 1152 wrote to memory of 632 1152 cmd.exe 92 PID 5064 wrote to memory of 3128 5064 autoit3.exe 93 PID 5064 wrote to memory of 3128 5064 autoit3.exe 93 PID 5064 wrote to memory of 3128 5064 autoit3.exe 93 PID 3128 wrote to memory of 1908 3128 cmd.exe 95 PID 3128 wrote to memory of 1908 3128 cmd.exe 95 PID 3128 wrote to memory of 1908 3128 cmd.exe 95 PID 5064 wrote to memory of 2544 5064 autoit3.exe 96 PID 5064 wrote to memory of 2544 5064 autoit3.exe 96 PID 5064 wrote to memory of 2544 5064 autoit3.exe 96 PID 2544 wrote to memory of 2124 2544 cmd.exe 98 PID 2544 wrote to memory of 2124 2544 cmd.exe 98 PID 2544 wrote to memory of 2124 2544 cmd.exe 98 PID 5064 wrote to memory of 4628 5064 autoit3.exe 99 PID 5064 wrote to memory of 4628 5064 autoit3.exe 99 PID 5064 wrote to memory of 4628 5064 autoit3.exe 99 PID 4628 wrote to memory of 1236 4628 cmd.exe 101 PID 4628 wrote to memory of 1236 4628 cmd.exe 101 PID 4628 wrote to memory of 1236 4628 cmd.exe 101 PID 5064 wrote to memory of 968 5064 autoit3.exe 102 PID 5064 wrote to memory of 968 5064 autoit3.exe 102 PID 5064 wrote to memory of 968 5064 autoit3.exe 102 PID 968 wrote to memory of 3960 968 cmd.exe 104 PID 968 wrote to memory of 3960 968 cmd.exe 104 PID 968 wrote to memory of 3960 968 cmd.exe 104 PID 5064 wrote to memory of 3456 5064 autoit3.exe 105 PID 5064 wrote to memory of 3456 5064 autoit3.exe 105 PID 5064 wrote to memory of 3456 5064 autoit3.exe 105 PID 3456 wrote to memory of 3312 3456 cmd.exe 107 PID 3456 wrote to memory of 3312 3456 cmd.exe 107 PID 3456 wrote to memory of 3312 3456 cmd.exe 107 PID 5064 wrote to memory of 3224 5064 autoit3.exe 108 PID 5064 wrote to memory of 3224 5064 autoit3.exe 108 PID 5064 wrote to memory of 3224 5064 autoit3.exe 108 PID 3224 wrote to memory of 2632 3224 cmd.exe 110 PID 3224 wrote to memory of 2632 3224 cmd.exe 110 PID 3224 wrote to memory of 2632 3224 cmd.exe 110 PID 5064 wrote to memory of 2880 5064 autoit3.exe 111 PID 5064 wrote to memory of 2880 5064 autoit3.exe 111 PID 5064 wrote to memory of 2880 5064 autoit3.exe 111 PID 2880 wrote to memory of 3244 2880 cmd.exe 113 PID 2880 wrote to memory of 3244 2880 cmd.exe 113 PID 2880 wrote to memory of 3244 2880 cmd.exe 113 PID 5064 wrote to memory of 3444 5064 autoit3.exe 114 PID 5064 wrote to memory of 3444 5064 autoit3.exe 114 PID 5064 wrote to memory of 3444 5064 autoit3.exe 114 PID 3444 wrote to memory of 768 3444 cmd.exe 116 PID 3444 wrote to memory of 768 3444 cmd.exe 116 PID 3444 wrote to memory of 768 3444 cmd.exe 116 PID 5064 wrote to memory of 5092 5064 autoit3.exe 117 PID 5064 wrote to memory of 5092 5064 autoit3.exe 117 PID 5064 wrote to memory of 5092 5064 autoit3.exe 117 PID 5092 wrote to memory of 2636 5092 cmd.exe 119 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer autoit3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" autoit3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System autoit3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\autoit3.exe"C:\Users\Admin\AppData\Local\Temp\autoit3.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:632
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3312
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:768
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:4588 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:5096 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:972
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:3564 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3