Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Tear.exe
windows7-x64
10Tear.exe
windows10-2004-x64
10adochi.exe
windows7-x64
7adochi.exe
windows10-2004-x64
7autoit.exe
windows7-x64
10autoit.exe
windows10-2004-x64
6autoit2.exe
windows7-x64
10autoit2.exe
windows10-2004-x64
10autoit3.exe
windows7-x64
10autoit3.exe
windows10-2004-x64
10deviation.exe
windows7-x64
8deviation.exe
windows10-2004-x64
8encoder.exe
windows7-x64
10encoder.exe
windows10-2004-x64
10encoder2.exe
windows7-x64
9encoder2.exe
windows10-2004-x64
encoder3.exe
windows7-x64
10encoder3.exe
windows10-2004-x64
10encoder4.exe
windows7-x64
5encoder4.exe
windows10-2004-x64
5encoder5.exe
windows7-x64
10encoder5.exe
windows10-2004-x64
10erebus.exe
windows7-x64
9erebus.exe
windows10-2004-x64
7myxaha.exe
windows7-x64
7myxaha.exe
windows10-2004-x64
7$LOCALAPPD...er.exe
windows7-x64
7$LOCALAPPD...er.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 00:24
Behavioral task
behavioral1
Sample
Tear.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
Tear.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral3
Sample
adochi.exe
Resource
win7-20240903-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral4
Sample
adochi.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral5
Sample
autoit.exe
Resource
win7-20241010-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral6
Sample
autoit.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral7
Sample
autoit2.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral8
Sample
autoit2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
Behavioral task
behavioral9
Sample
autoit3.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral10
Sample
autoit3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
Behavioral task
behavioral11
Sample
deviation.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral12
Sample
deviation.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral13
Sample
encoder.exe
Resource
win7-20240729-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral14
Sample
encoder.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
25 signatures
150 seconds
Behavioral task
behavioral15
Sample
encoder2.exe
Resource
win7-20240708-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral16
Sample
encoder2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral17
Sample
encoder3.exe
Resource
win7-20241010-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral18
Sample
encoder3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral19
Sample
encoder4.exe
Resource
win7-20241010-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral20
Sample
encoder4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral21
Sample
encoder5.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral22
Sample
encoder5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral23
Sample
erebus.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral24
Sample
erebus.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral25
Sample
myxaha.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral26
Sample
myxaha.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral27
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win7-20240729-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral28
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral29
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20241010-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral30
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
autoit2.exe
-
Size
380KB
-
MD5
6177f9bde1fd578165974ceddcade3d9
-
SHA1
55998f23b74366042c4628c391e94d25c39523b0
-
SHA256
1cfb58fcaa04794556d5195a979839b3ef74533845e6f9becf4c547f6b60f29e
-
SHA512
aa9bb6cfa3d0c902c463c6e13540182820d1474223fa658a82d4fbafa8c06614d34406b9ca55fc11462d44d4309fad086e2779d36d93aacc8eda164204911f3c
-
SSDEEP
6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIrn8m/EBLKVB:UzcRD02J4Sq2vHGB67KWKKmDT8m/ExKH
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\autoit2.exe" autoit2.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit2.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit2.exe.lnk autoit2.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit2.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral7/memory/1448-3-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral7/memory/1448-38-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
resource yara_rule behavioral7/memory/1448-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral7/memory/1448-3-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral7/memory/1448-38-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 47 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language autoit2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 23 IoCs
pid Process 2396 taskkill.exe 616 taskkill.exe 1976 taskkill.exe 1704 taskkill.exe 3016 taskkill.exe 2964 taskkill.exe 2416 taskkill.exe 920 taskkill.exe 2772 taskkill.exe 2580 taskkill.exe 848 taskkill.exe 2352 taskkill.exe 2528 taskkill.exe 2100 taskkill.exe 1100 taskkill.exe 1700 taskkill.exe 960 taskkill.exe 1452 taskkill.exe 1784 taskkill.exe 2368 taskkill.exe 1364 taskkill.exe 408 taskkill.exe 2020 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main autoit2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe 1448 autoit2.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1448 autoit2.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 2772 taskkill.exe Token: SeDebugPrivilege 2580 taskkill.exe Token: SeDebugPrivilege 848 taskkill.exe Token: SeDebugPrivilege 1704 taskkill.exe Token: SeDebugPrivilege 3016 taskkill.exe Token: SeDebugPrivilege 2368 taskkill.exe Token: SeDebugPrivilege 2352 taskkill.exe Token: SeDebugPrivilege 1100 taskkill.exe Token: SeDebugPrivilege 1700 taskkill.exe Token: SeDebugPrivilege 960 taskkill.exe Token: SeDebugPrivilege 2964 taskkill.exe Token: SeDebugPrivilege 1364 taskkill.exe Token: SeDebugPrivilege 2416 taskkill.exe Token: SeDebugPrivilege 408 taskkill.exe Token: SeDebugPrivilege 1452 taskkill.exe Token: SeDebugPrivilege 2528 taskkill.exe Token: SeDebugPrivilege 920 taskkill.exe Token: SeDebugPrivilege 2020 taskkill.exe Token: SeDebugPrivilege 2396 taskkill.exe Token: SeDebugPrivilege 616 taskkill.exe Token: SeDebugPrivilege 2100 taskkill.exe Token: SeDebugPrivilege 1976 taskkill.exe Token: SeDebugPrivilege 1784 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1448 autoit2.exe 1448 autoit2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2840 1448 autoit2.exe 30 PID 1448 wrote to memory of 2840 1448 autoit2.exe 30 PID 1448 wrote to memory of 2840 1448 autoit2.exe 30 PID 1448 wrote to memory of 2840 1448 autoit2.exe 30 PID 2840 wrote to memory of 2772 2840 cmd.exe 32 PID 2840 wrote to memory of 2772 2840 cmd.exe 32 PID 2840 wrote to memory of 2772 2840 cmd.exe 32 PID 2840 wrote to memory of 2772 2840 cmd.exe 32 PID 1448 wrote to memory of 2792 1448 autoit2.exe 33 PID 1448 wrote to memory of 2792 1448 autoit2.exe 33 PID 1448 wrote to memory of 2792 1448 autoit2.exe 33 PID 1448 wrote to memory of 2792 1448 autoit2.exe 33 PID 2792 wrote to memory of 2580 2792 cmd.exe 36 PID 2792 wrote to memory of 2580 2792 cmd.exe 36 PID 2792 wrote to memory of 2580 2792 cmd.exe 36 PID 2792 wrote to memory of 2580 2792 cmd.exe 36 PID 1448 wrote to memory of 2568 1448 autoit2.exe 37 PID 1448 wrote to memory of 2568 1448 autoit2.exe 37 PID 1448 wrote to memory of 2568 1448 autoit2.exe 37 PID 1448 wrote to memory of 2568 1448 autoit2.exe 37 PID 2568 wrote to memory of 848 2568 cmd.exe 39 PID 2568 wrote to memory of 848 2568 cmd.exe 39 PID 2568 wrote to memory of 848 2568 cmd.exe 39 PID 2568 wrote to memory of 848 2568 cmd.exe 39 PID 1448 wrote to memory of 1952 1448 autoit2.exe 40 PID 1448 wrote to memory of 1952 1448 autoit2.exe 40 PID 1448 wrote to memory of 1952 1448 autoit2.exe 40 PID 1448 wrote to memory of 1952 1448 autoit2.exe 40 PID 1952 wrote to memory of 1704 1952 cmd.exe 42 PID 1952 wrote to memory of 1704 1952 cmd.exe 42 PID 1952 wrote to memory of 1704 1952 cmd.exe 42 PID 1952 wrote to memory of 1704 1952 cmd.exe 42 PID 1448 wrote to memory of 2904 1448 autoit2.exe 43 PID 1448 wrote to memory of 2904 1448 autoit2.exe 43 PID 1448 wrote to memory of 2904 1448 autoit2.exe 43 PID 1448 wrote to memory of 2904 1448 autoit2.exe 43 PID 2904 wrote to memory of 3016 2904 cmd.exe 45 PID 2904 wrote to memory of 3016 2904 cmd.exe 45 PID 2904 wrote to memory of 3016 2904 cmd.exe 45 PID 2904 wrote to memory of 3016 2904 cmd.exe 45 PID 1448 wrote to memory of 620 1448 autoit2.exe 46 PID 1448 wrote to memory of 620 1448 autoit2.exe 46 PID 1448 wrote to memory of 620 1448 autoit2.exe 46 PID 1448 wrote to memory of 620 1448 autoit2.exe 46 PID 620 wrote to memory of 2368 620 cmd.exe 48 PID 620 wrote to memory of 2368 620 cmd.exe 48 PID 620 wrote to memory of 2368 620 cmd.exe 48 PID 620 wrote to memory of 2368 620 cmd.exe 48 PID 1448 wrote to memory of 2888 1448 autoit2.exe 49 PID 1448 wrote to memory of 2888 1448 autoit2.exe 49 PID 1448 wrote to memory of 2888 1448 autoit2.exe 49 PID 1448 wrote to memory of 2888 1448 autoit2.exe 49 PID 2888 wrote to memory of 2352 2888 cmd.exe 51 PID 2888 wrote to memory of 2352 2888 cmd.exe 51 PID 2888 wrote to memory of 2352 2888 cmd.exe 51 PID 2888 wrote to memory of 2352 2888 cmd.exe 51 PID 1448 wrote to memory of 2440 1448 autoit2.exe 52 PID 1448 wrote to memory of 2440 1448 autoit2.exe 52 PID 1448 wrote to memory of 2440 1448 autoit2.exe 52 PID 1448 wrote to memory of 2440 1448 autoit2.exe 52 PID 2440 wrote to memory of 1100 2440 cmd.exe 54 PID 2440 wrote to memory of 1100 2440 cmd.exe 54 PID 2440 wrote to memory of 1100 2440 cmd.exe 54 PID 2440 wrote to memory of 1100 2440 cmd.exe 54 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer autoit2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" autoit2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System autoit2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" autoit2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\autoit2.exe"C:\Users\Admin\AppData\Local\Temp\autoit2.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops startup file
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:708 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4