Overview (overall score: 10)

Task                    Platform                Score
Static                  static                  10
Tear.exe                windows7-x64            10
Tear.exe                windows10-2004-x64      10
adochi.exe              windows7-x64            7
adochi.exe              windows10-2004-x64      7
autoit.exe              windows7-x64            10
autoit.exe              windows10-2004-x64      6
autoit2.exe             windows7-x64            10
autoit2.exe             windows10-2004-x64      10
autoit3.exe             windows7-x64            10
autoit3.exe             windows10-2004-x64      10
deviation.exe           windows7-x64            8
deviation.exe           windows10-2004-x64      8
encoder.exe             windows7-x64            10
encoder.exe             windows10-2004-x64      10
encoder2.exe            windows7-x64            9
encoder2.exe            windows10-2004-x64      (no score recorded)
encoder3.exe            windows7-x64            10
encoder3.exe            windows10-2004-x64      10
encoder4.exe            windows7-x64            5
encoder4.exe            windows10-2004-x64      5
encoder5.exe            windows7-x64            10
encoder5.exe            windows10-2004-x64      10
erebus.exe              windows7-x64            9
erebus.exe              windows10-2004-x64      7
myxaha.exe              windows7-x64            7
myxaha.exe              windows10-2004-x64      7
$LOCALAPPD...er.exe     windows7-x64            7
$LOCALAPPD...er.exe     windows10-2004-x64      7
$PLUGINSDI...LL.dll     windows7-x64            3
$PLUGINSDI...LL.dll     windows10-2004-x64      3
$PLUGINSDI...em.dll     windows7-x64            3
$PLUGINSDI...em.dll     windows10-2004-x64      3

Analysis

max time kernel:   149s
max time network:  156s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         20/11/2024, 00:24
Behavioral tasks

Task          Sample                              Resource
behavioral1   Tear.exe                            win7-20240903-en
behavioral2   Tear.exe                            win10v2004-20241007-en
behavioral3   adochi.exe                          win7-20240903-en
behavioral4   adochi.exe                          win10v2004-20241007-en
behavioral5   autoit.exe                          win7-20241010-en
behavioral6   autoit.exe                          win10v2004-20241007-en
behavioral7   autoit2.exe                         win7-20240903-en
behavioral8   autoit2.exe                         win10v2004-20241007-en
behavioral9   autoit3.exe                         win7-20240903-en
behavioral10  autoit3.exe                         win10v2004-20241007-en
behavioral11  deviation.exe                       win7-20240903-en
behavioral12  deviation.exe                       win10v2004-20241007-en
behavioral13  encoder.exe                         win7-20240729-en
behavioral14  encoder.exe                         win10v2004-20241007-en
behavioral15  encoder2.exe                        win7-20240708-en
behavioral16  encoder2.exe                        win10v2004-20241007-en
behavioral17  encoder3.exe                        win7-20241010-en
behavioral18  encoder3.exe                        win10v2004-20241007-en
behavioral19  encoder4.exe                        win7-20241010-en
behavioral20  encoder4.exe                        win10v2004-20241007-en
behavioral21  encoder5.exe                        win7-20240903-en
behavioral22  encoder5.exe                        win10v2004-20241007-en
behavioral23  erebus.exe                          win7-20240708-en
behavioral24  erebus.exe                          win10v2004-20241007-en
behavioral25  myxaha.exe                          win7-20240903-en
behavioral26  myxaha.exe                          win10v2004-20241007-en
behavioral27  $LOCALAPPDATA/ConduitInstaller.exe  win7-20240729-en
behavioral28  $LOCALAPPDATA/ConduitInstaller.exe  win10v2004-20241007-en
behavioral29  $PLUGINSDIR/LangDLL.dll             win7-20241010-en
behavioral30  $PLUGINSDIR/LangDLL.dll             win10v2004-20241007-en
behavioral31  $PLUGINSDIR/System.dll              win7-20241023-en
behavioral32  $PLUGINSDIR/System.dll              win10v2004-20241007-en
General

Target:  autoit2.exe
Size:    380KB
MD5:     6177f9bde1fd578165974ceddcade3d9
SHA1:    55998f23b74366042c4628c391e94d25c39523b0
SHA256:  1cfb58fcaa04794556d5195a979839b3ef74533845e6f9becf4c547f6b60f29e
SHA512:  aa9bb6cfa3d0c902c463c6e13540182820d1474223fa658a82d4fbafa8c06614d34406b9ca55fc11462d44d4309fad086e2779d36d93aacc8eda164204911f3c
SSDEEP:  6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIrn8m/EBLKVB:UzcRD02J4Sq2vHGB67KWKKmDT8m/ExKH
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs

description      ioc                                                                                                                                              Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\autoit2.exe"  autoit2.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                                                     autoit2.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                                                     autoit2.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource                                                                    yara_rule
behavioral8/memory/2100-1-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral8/memory/2100-2-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral8/memory/2100-0-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral8/memory/2100-1-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral8/memory/2100-2-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 37 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     cmd.exe, taskkill.exe and autoit2.exe (37 entries in total, all opening the same key)
Kills process with taskkill 18 IoCs
Process: taskkill.exe
pid:     4196, 5108, 532, 2744, 2700, 784, 2120, 4116, 3480, 2284, 3776, 2084, 3532, 1672, 3448, 1800, 3412, 3700
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 2100, Process autoit2.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid 2100, Process autoit2.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
description: Token: SeDebugPrivilege
Process:     taskkill.exe
pid:         3412, 1672, 3448, 1800, 2120, 5108, 4116, 532, 3480, 2284, 2700, 3700, 3776, 2084, 2744, 4196, 784, 3532
Suspicious use of SetWindowsHookEx 2 IoCs
pid 2100, Process autoit2.exe (2 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Each source/target pair below is recorded three times in the original list, except the last, which appears once (64 entries in total).

pid   Process      wrote to memory of (pid)  procid_target
2100  autoit2.exe  4384                      86
4384  cmd.exe      3412                      88
2100  autoit2.exe  436                       90
436   cmd.exe      1672                      92
2100  autoit2.exe  4972                      93
4972  cmd.exe      3448                      95
2100  autoit2.exe  3840                      96
3840  cmd.exe      1800                      98
2100  autoit2.exe  3508                      99
3508  cmd.exe      2120                      101
2100  autoit2.exe  3816                      102
3816  cmd.exe      5108                      104
2100  autoit2.exe  3740                      105
3740  cmd.exe      4116                      107
2100  autoit2.exe  2956                      108
2956  cmd.exe      532                       110
2100  autoit2.exe  608                       111
608   cmd.exe      3480                      113
2100  autoit2.exe  1448                      114
1448  cmd.exe      2284                      116
2100  autoit2.exe  3120                      117
3120  cmd.exe      2700                      121
System policy modification 1 TTPs 4 IoCs
description      ioc                                                                                                    Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                           autoit2.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"  autoit2.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                             autoit2.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"             autoit2.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\autoit2.exe (PID 2100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\autoit2.exe"
  Signatures: Modifies WinLogon for persistence; UAC bypass; Checks whether UAC is enabled; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification

  - C:\Windows\SysWOW64\cmd.exe (PID 4384)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3412)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 436)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 1672)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 4972)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3448)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 3840)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 1800)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 3508)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 2120)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 3816)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 5108)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 3740)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 4116)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 2956)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 532)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 608)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3480)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 1448)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 2284)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 3120)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 2700)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 2376)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 3700)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 4924)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 3776)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 1228)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 2084)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 4340)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 2744)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 3788)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 4196)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 1640)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 784)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 508)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 3532)
      Command line: taskkill /f /im explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)