Analysis

max time kernel: 95s
max time network: 103s
platform: windows7_x64
resource: win7v200430
submitted: 07-07-2020 12:24

Static task: static1

Behavioral task: behavioral1
  Sample: dog.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: dog.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds

General

Target: dog.exe
Size: 2.0MB
MD5: b76de9f293794dcf0acad1112d8a4081
SHA1: d3d2567304297b89a06829eac625e77c620683ee
SHA256: 280e91422cd9c9bb872a2519437923c4d8e521f977931c936e437eb58ae01aac
SHA512: e6b3e83dc4f9f2ff99c822f289c6d5f9000459102a4304fcdec15c21422d6ec41be0712285b1b6a3b9d1a6d35deb9a3a8d4a8122b86901737b724e8b139c3c5a
Score: 1/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (340 IoCs)
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  760   iexplore.exe
  760   iexplore.exe
  1988  IEXPLORE.EXE
  1988  IEXPLORE.EXE
  1988  IEXPLORE.EXE
  1988  IEXPLORE.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  760   iexplore.exe
Kills process with taskkill (39 IoCs)
Checks whether UAC is enabled (2 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (iexplore.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (IEXPLORE.EXE)
Processes

C:\Users\Admin\AppData\Local\Temp\dog.exe  (PID 1388)
  command line: "C:\Users\Admin\AppData\Local\Temp\dog.exe"
  signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 528)
      command line: cmd.exe /c "taskkill /f /im msftesql.exe "
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe  (PID 592)
          command line: taskkill /f /im msftesql.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1492)
      command line: cmd.exe /c "schtasks /delete /tn WM /F "
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe  (PID 1484)
          command line: schtasks /delete /tn WM /F

    C:\Windows\SysWOW64\cmd.exe  (PID 1688)
      command line: cmd.exe /c "del C:\e.bat"

    C:\Windows\SysWOW64\cmd.exe  (PID 1364)
      command line: cmd.exe /c "del C:\a.bat"

    C:\Windows\SysWOW64\cmd.exe  (PID 1160)
      command line: cmd.exe /c "taskkill /f /im sqlagent.exe "
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe  (PID 1788)
          command line: taskkill /f /im sqlagent.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1824)
      command line: cmd.exe /c "taskkill /f /im sqlbrowser.exe "
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe  (PID 1848)
          command line: taskkill /f /im sqlbrowser.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1876)
      command line: cmd.exe /c "taskkill /f /im sqlservr.exe "
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe  (PID 1732)
          command line: taskkill /f /im sqlservr.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1764)
      command line: cmd.exe /c "taskkill /f /im sqlwriter.exe "
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe  (PID 1656)
          command line: taskkill /f /im sqlwriter.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1592)
      command line: cmd.exe /c "taskkill /f /im oracle.exe "
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe  (PID 1620)
          command line: taskkill /f /im oracle.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1568)
      command line: cmd.exe /c "taskkill /f /im ocssd.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 268)
          command line: taskkill /f /im ocssd.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1916)
      command line: cmd.exe /c "taskkill /f /im dbsnmp.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1940)
          command line: taskkill /f /im dbsnmp.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 2004)
      command line: cmd.exe /c "taskkill /f /im synctime.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 2012)
          command line: taskkill /f /im synctime.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1972)
      command line: cmd.exe /c "taskkill /f /im mydesktopqos.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1152)
          command line: taskkill /f /im mydesktopqos.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1516)
      command line: cmd.exe /c "taskkill /f /im agntsvc.exeisqlplussvc.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 568)
          command line: taskkill /f /im agntsvc.exeisqlplussvc.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 800)
      command line: cmd.exe /c "taskkill /f /im xfssvccon.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1256)
          command line: taskkill /f /im xfssvccon.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1072)
      command line: cmd.exe /c "taskkill /f /im mydesktopservice.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1296)
          command line: taskkill /f /im mydesktopservice.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1560)
      command line: cmd.exe /c "taskkill /f /im ocautoupds.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 908)
          command line: taskkill /f /im ocautoupds.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 324)
      command line: cmd.exe /c "taskkill /f /im agntsvc.exeagntsvc.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1460)
          command line: taskkill /f /im agntsvc.exeagntsvc.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1688)
      command line: cmd.exe /c "taskkill /f /im agntsvc.exeencsvc.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1364)
          command line: taskkill /f /im agntsvc.exeencsvc.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1804)
      command line: cmd.exe /c "taskkill /f /im firefoxconfig.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1160)
          command line: taskkill /f /im firefoxconfig.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1860)
      command line: cmd.exe /c "taskkill /f /im tbirdconfig.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1824)
          command line: taskkill /f /im tbirdconfig.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1780)
      command line: cmd.exe /c "taskkill /f /im ocomm.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1876)
          command line: taskkill /f /im ocomm.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1896)
      command line: cmd.exe /c "taskkill /f /im mysqld.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1764)
          command line: taskkill /f /im mysqld.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1628)
      command line: cmd.exe /c "taskkill /f /im mysqld-nt.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1592)
          command line: taskkill /f /im mysqld-nt.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 468)
      command line: cmd.exe /c "taskkill /f /im mysqld-opt.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1568)
          command line: taskkill /f /im mysqld-opt.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1944)
      command line: cmd.exe /c "taskkill /f /im dbeng50.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1916)
          command line: taskkill /f /im dbeng50.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1968)
      command line: cmd.exe /c "taskkill /f /im sqbcoreservice.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 2004)
          command line: taskkill /f /im sqbcoreservice.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 328)
      command line: cmd.exe /c "taskkill /f /im excel.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1972)
          command line: taskkill /f /im excel.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1332)
      command line: cmd.exe /c "taskkill /f /im infopath.exe "
        C:\Windows\SysWOW64\taskkill.exe  (PID 1516)
          command line: taskkill /f /im infopath.exe
          signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 1084)
      command line: cmd.exe /c "taskkill /f /im msaccess.exe "
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msaccess.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:800
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im mspub.exe "2⤵PID:1088
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mspub.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1072
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im onenote.exe "2⤵PID:1032
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1560
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im outlook.exe "2⤵PID:1660
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:324
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im powerpnt.exe "2⤵PID:1784
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1688
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im steam.exe "2⤵PID:1840
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im steam.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1804
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im sqlservr.exe "2⤵PID:1872
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlservr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1860
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im thebat.exe "2⤵PID:520
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im thebat.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1780
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im thebat64.exe "2⤵PID:1616
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im thebat64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1896
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im thunderbird.exe "2⤵PID:1912
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im thunderbird.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1628
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im visio.exe "2⤵PID:1924
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im visio.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:468
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im winword.exe "2⤵PID:2000
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "taskkill /f /im wordpad.exe"2⤵PID:556
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wordpad.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1968
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "whoami >>C:\ProgramData\chPnO.txt"2⤵PID:1512
-
C:\Windows\SysWOW64\whoami.exewhoami3⤵
- Suspicious use of AdjustPrivilegeToken
PID:328
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:908
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\README.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:760 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:1988
-