The #AuKill #malware we found is a custom-built utility that was used by threat actors after they had already gained a foothold inside the target's network, and administrative privileges on one or more machines.

Its singular goal is to sabotage endpoint security tools, so that antimalware cannot stop the criminals from doing harm.

The method by which it does this is somewhat unique: It abuses a now-deprecated, signed driver from Microsoft's Process Explorer to kill process names hardcoded into the malware.

They didn't even bother trying to hide it. The legitimate Process Explorer driver is named procexp152.sys, and the one used by AuKill is named #procexp.sys. It is, in fact, the driver that shipped with version 16.32 of Process Explorer.
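A defender-side check that follows from the naming detail above, written as an added example rather than anything from the original thread or from Sophos: scan driver-load telemetry for the Process Explorer driver names, treating the deprecated procexp.sys as a strong signal and the current procexp152.sys as something to review. The Sysmon Event ID 6 export lines are constructed for this example and their field layout and signer strings are assumptions.

```python
import re

# The page notes the current Process Explorer driver is procexp152.sys, while
# AuKill carries the older, now-deprecated procexp.sys from version 16.32.
DEPRECATED_PROCEXP_DRIVER = "procexp.sys"
CURRENT_PROCEXP_DRIVER = "procexp152.sys"

# Constructed Sysmon Event ID 6 (DriverLoad) lines in a simple key=value export.
# Field names and signer strings are assumptions made for this example only.
SAMPLE_EVENTS = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\procexp152.sys Signed=true Signature="Microsoft Windows Hardware Compatibility Publisher"
EventID=6 ImageLoaded=C:\\Users\\Public\\procexp.sys Signed=true Signature="Microsoft Windows Hardware Compatibility Publisher"
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature="Microsoft Windows"
EventID=7 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true Signature="Microsoft Windows"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value export line into a dict (quoted values unquoted)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_procexp_driver_loads(log_text):
    """Return (driver_name, full_path, severity) for each DriverLoad of a
    Process Explorer driver. Signature status is deliberately NOT used as a
    filter: the abused driver is a genuine, Microsoft-signed binary, which is
    exactly why the technique works, so the name and load context matter more."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":          # only DriverLoad events
            continue
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name == DEPRECATED_PROCEXP_DRIVER:
            # Deprecated name: the variant AuKill drops, not what current
            # Process Explorer installs. Treat as high priority.
            hits.append((name, path, "high"))
        elif name == CURRENT_PROCEXP_DRIVER:
            # Current driver: legitimate on admin workstations, so review
            # who loaded it and from where rather than alert outright.
            hits.append((name, path, "review"))
    return hits


if __name__ == "__main__":
    for name, path, severity in find_procexp_driver_loads(SAMPLE_EVENTS):
        print(f"[{severity}] {name} loaded from {path}")
```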

2/
