Overview (score 10)
Static (score 10)

Sample | Platform | Score
Tear.exe | windows7-x64 | 10
Tear.exe | windows10-2004-x64 | 10
adochi.exe | windows7-x64 | 7
adochi.exe | windows10-2004-x64 | 7
autoit.exe | windows7-x64 | 10
autoit.exe | windows10-2004-x64 | 6
autoit2.exe | windows7-x64 | 10
autoit2.exe | windows10-2004-x64 | 10
autoit3.exe | windows7-x64 | 10
autoit3.exe | windows10-2004-x64 | 10
deviation.exe | windows7-x64 | 8
deviation.exe | windows10-2004-x64 | 8
encoder.exe | windows7-x64 | 10
encoder.exe | windows10-2004-x64 | 10
encoder2.exe | windows7-x64 | 9
encoder2.exe | windows10-2004-x64 | -
encoder3.exe | windows7-x64 | 10
encoder3.exe | windows10-2004-x64 | 10
encoder4.exe | windows7-x64 | 5
encoder4.exe | windows10-2004-x64 | 5
encoder5.exe | windows7-x64 | 10
encoder5.exe | windows10-2004-x64 | 10
erebus.exe | windows7-x64 | 9
erebus.exe | windows10-2004-x64 | 7
myxaha.exe | windows7-x64 | 7
myxaha.exe | windows10-2004-x64 | 7
$LOCALAPPD...er.exe | windows7-x64 | 7
$LOCALAPPD...er.exe | windows10-2004-x64 | 7
$PLUGINSDI...LL.dll | windows7-x64 | 3
$PLUGINSDI...LL.dll | windows10-2004-x64 | 3
$PLUGINSDI...em.dll | windows7-x64 | 3
$PLUGINSDI...em.dll | windows10-2004-x64 | 3

Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 00:24
Behavioral task | Sample | Resource
behavioral1 | Tear.exe | win7-20240903-en
behavioral2 | Tear.exe | win10v2004-20241007-en
behavioral3 | adochi.exe | win7-20240903-en
behavioral4 | adochi.exe | win10v2004-20241007-en
behavioral5 | autoit.exe | win7-20241010-en
behavioral6 | autoit.exe | win10v2004-20241007-en
behavioral7 | autoit2.exe | win7-20240903-en
behavioral8 | autoit2.exe | win10v2004-20241007-en
behavioral9 | autoit3.exe | win7-20240903-en
behavioral10 | autoit3.exe | win10v2004-20241007-en
behavioral11 | deviation.exe | win7-20240903-en
behavioral12 | deviation.exe | win10v2004-20241007-en
behavioral13 | encoder.exe | win7-20240729-en
behavioral14 | encoder.exe | win10v2004-20241007-en
behavioral15 | encoder2.exe | win7-20240708-en
behavioral16 | encoder2.exe | win10v2004-20241007-en
behavioral17 | encoder3.exe | win7-20241010-en
behavioral18 | encoder3.exe | win10v2004-20241007-en
behavioral19 | encoder4.exe | win7-20241010-en
behavioral20 | encoder4.exe | win10v2004-20241007-en
behavioral21 | encoder5.exe | win7-20240903-en
behavioral22 | encoder5.exe | win10v2004-20241007-en
behavioral23 | erebus.exe | win7-20240708-en
behavioral24 | erebus.exe | win10v2004-20241007-en
behavioral25 | myxaha.exe | win7-20240903-en
behavioral26 | myxaha.exe | win10v2004-20241007-en
behavioral27 | $LOCALAPPDATA/ConduitInstaller.exe | win7-20240729-en
behavioral28 | $LOCALAPPDATA/ConduitInstaller.exe | win10v2004-20241007-en
behavioral29 | $PLUGINSDIR/LangDLL.dll | win7-20241010-en
behavioral30 | $PLUGINSDIR/LangDLL.dll | win10v2004-20241007-en
behavioral31 | $PLUGINSDIR/System.dll | win7-20241023-en
behavioral32 | $PLUGINSDIR/System.dll | win10v2004-20241007-en
General
Target: autoit3.exe
Size: 380KB
MD5: d68dda9d50ec5f965948e8b2d9ad17b9
SHA1: e16d8603132c4763e4fa87bf806d491920548686
SHA256: 28bf399a594b68b00aeede888e147f1602eede821ec9780418e739f31b3eded6
SHA512: 092e6d9b8868b85f45732b43b98ab91b8ac8000e03601810e0b54abb84a45a80c3c020db219be358900d1ad6ceb76de329b0f6007cb2928b3d469e07a86c593d
SSDEEP: 6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwI6yGdMKxVusp:UzcRD02J4Sq2vHGB67KWKKmDkMKTuqRf
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\autoit3.exe" | autoit3.exe
-
UAC bypass (signature name from the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | autoit3.exe
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit3.exe.lnk | autoit3.exe
-
Checks whether UAC is enabled (signature name from the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | autoit3.exe
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral9/memory/2288-3-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral9/memory/2288-32-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
-
UPX (yara rule: upx)
resource | yara_rule
behavioral9/memory/2288-0-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral9/memory/2288-3-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral9/memory/2288-32-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 49 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Kills process with taskkill 24 IoCs
Modifies Internet Explorer settings (signature name from the process tree)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | autoit3.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2288 | autoit3.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2288 | autoit3.exe
2288 | autoit3.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | autoit3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | autoit3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | autoit3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | autoit3.exe
Processes ([n] = depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\autoit3.exe (PID 2288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\autoit3.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Drops startup file
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2440)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2076)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2700)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2812)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2784)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2820)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2932)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2848)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2888)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2728)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3044)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2208)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2084)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2764)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 568)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1800)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1244)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1888)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 592)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1916)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1524)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 352)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2856)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2176)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1300)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2392)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1428)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1016)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1408)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2020)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3024)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1204)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1556)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 696)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2744)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1920)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 788)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1712)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1252)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 772)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 344)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 532)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1788)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2220)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1640)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 572)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2188)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1436)
        Command line: taskkill /f /im explorer.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (4)