280e91422cd9c9bb872a2519437923c4d8e521f977931c936e437eb58ae01aac

Analysis

max time kernel
75s
max time network
136s
platform
windows10_x64
resource
win10
submitted
07-07-2020 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dog.exe
Size

2.0MB
MD5

b76de9f293794dcf0acad1112d8a4081
SHA1

d3d2567304297b89a06829eac625e77c620683ee
SHA256

280e91422cd9c9bb872a2519437923c4d8e521f977931c936e437eb58ae01aac
SHA512

e6b3e83dc4f9f2ff99c822f289c6d5f9000459102a4304fcdec15c21422d6ec41be0712285b1b6a3b9d1a6d35deb9a3a8d4a8122b86901737b724e8b139c3c5a

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 252 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3820	3068	dog.exe	68
PID 3068 wrote to memory of 3820	3068	dog.exe	68
PID 3068 wrote to memory of 3820	3068	dog.exe	68
PID 3820 wrote to memory of 3956	3820	cmd.exe	69
PID 3820 wrote to memory of 3956	3820	cmd.exe	69
PID 3820 wrote to memory of 3956	3820	cmd.exe	69
PID 3068 wrote to memory of 688	3068	dog.exe	71
PID 3068 wrote to memory of 688	3068	dog.exe	71
PID 3068 wrote to memory of 688	3068	dog.exe	71
PID 688 wrote to memory of 492	688	cmd.exe	72
PID 688 wrote to memory of 492	688	cmd.exe	72
PID 688 wrote to memory of 492	688	cmd.exe	72
PID 3068 wrote to memory of 756	3068	dog.exe	73
PID 3068 wrote to memory of 756	3068	dog.exe	73
PID 3068 wrote to memory of 756	3068	dog.exe	73
PID 3068 wrote to memory of 2644	3068	dog.exe	74
PID 3068 wrote to memory of 2644	3068	dog.exe	74
PID 3068 wrote to memory of 2644	3068	dog.exe	74
PID 3068 wrote to memory of 3040	3068	dog.exe	75
PID 3068 wrote to memory of 3040	3068	dog.exe	75
PID 3068 wrote to memory of 3040	3068	dog.exe	75
PID 3040 wrote to memory of 2916	3040	cmd.exe	76
PID 3040 wrote to memory of 2916	3040	cmd.exe	76
PID 3040 wrote to memory of 2916	3040	cmd.exe	76
PID 3068 wrote to memory of 3872	3068	dog.exe	77
PID 3068 wrote to memory of 3872	3068	dog.exe	77
PID 3068 wrote to memory of 3872	3068	dog.exe	77
PID 3872 wrote to memory of 3832	3872	cmd.exe	78
PID 3872 wrote to memory of 3832	3872	cmd.exe	78
PID 3872 wrote to memory of 3832	3872	cmd.exe	78
PID 3068 wrote to memory of 2108	3068	dog.exe	79
PID 3068 wrote to memory of 2108	3068	dog.exe	79
PID 3068 wrote to memory of 2108	3068	dog.exe	79
PID 2108 wrote to memory of 2064	2108	cmd.exe	80
PID 2108 wrote to memory of 2064	2108	cmd.exe	80
PID 2108 wrote to memory of 2064	2108	cmd.exe	80
PID 3068 wrote to memory of 3312	3068	dog.exe	81
PID 3068 wrote to memory of 3312	3068	dog.exe	81
PID 3068 wrote to memory of 3312	3068	dog.exe	81
PID 3312 wrote to memory of 3760	3312	cmd.exe	82
PID 3312 wrote to memory of 3760	3312	cmd.exe	82
PID 3312 wrote to memory of 3760	3312	cmd.exe	82
PID 3068 wrote to memory of 3828	3068	dog.exe	83
PID 3068 wrote to memory of 3828	3068	dog.exe	83
PID 3068 wrote to memory of 3828	3068	dog.exe	83
PID 3828 wrote to memory of 3796	3828	cmd.exe	84
PID 3828 wrote to memory of 3796	3828	cmd.exe	84
PID 3828 wrote to memory of 3796	3828	cmd.exe	84
PID 3068 wrote to memory of 648	3068	dog.exe	85
PID 3068 wrote to memory of 648	3068	dog.exe	85
PID 3068 wrote to memory of 648	3068	dog.exe	85
PID 648 wrote to memory of 896	648	cmd.exe	86
PID 648 wrote to memory of 896	648	cmd.exe	86
PID 648 wrote to memory of 896	648	cmd.exe	86
PID 3068 wrote to memory of 3892	3068	dog.exe	87
PID 3068 wrote to memory of 3892	3068	dog.exe	87
PID 3068 wrote to memory of 3892	3068	dog.exe	87
PID 3892 wrote to memory of 3820	3892	cmd.exe	88
PID 3892 wrote to memory of 3820	3892	cmd.exe	88
PID 3892 wrote to memory of 3820	3892	cmd.exe	88
PID 3068 wrote to memory of 732	3068	dog.exe	89
PID 3068 wrote to memory of 732	3068	dog.exe	89
PID 3068 wrote to memory of 732	3068	dog.exe	89
PID 732 wrote to memory of 1816	732	cmd.exe	90
PID 732 wrote to memory of 1816	732	cmd.exe	90
PID 732 wrote to memory of 1816	732	cmd.exe	90
PID 3068 wrote to memory of 2940	3068	dog.exe	91
PID 3068 wrote to memory of 2940	3068	dog.exe	91
PID 3068 wrote to memory of 2940	3068	dog.exe	91
PID 2940 wrote to memory of 1008	2940	cmd.exe	92
PID 2940 wrote to memory of 1008	2940	cmd.exe	92
PID 2940 wrote to memory of 1008	2940	cmd.exe	92
PID 3068 wrote to memory of 3284	3068	dog.exe	93
PID 3068 wrote to memory of 3284	3068	dog.exe	93
PID 3068 wrote to memory of 3284	3068	dog.exe	93
PID 3284 wrote to memory of 3040	3284	cmd.exe	94
PID 3284 wrote to memory of 3040	3284	cmd.exe	94
PID 3284 wrote to memory of 3040	3284	cmd.exe	94
PID 3068 wrote to memory of 380	3068	dog.exe	95
PID 3068 wrote to memory of 380	3068	dog.exe	95
PID 3068 wrote to memory of 380	3068	dog.exe	95
PID 380 wrote to memory of 2344	380	cmd.exe	96
PID 380 wrote to memory of 2344	380	cmd.exe	96
PID 380 wrote to memory of 2344	380	cmd.exe	96
PID 3068 wrote to memory of 1060	3068	dog.exe	97
PID 3068 wrote to memory of 1060	3068	dog.exe	97
PID 3068 wrote to memory of 1060	3068	dog.exe	97
PID 1060 wrote to memory of 3668	1060	cmd.exe	98
PID 1060 wrote to memory of 3668	1060	cmd.exe	98
PID 1060 wrote to memory of 3668	1060	cmd.exe	98
PID 3068 wrote to memory of 3688	3068	dog.exe	99
PID 3068 wrote to memory of 3688	3068	dog.exe	99
PID 3068 wrote to memory of 3688	3068	dog.exe	99
PID 3688 wrote to memory of 2068	3688	cmd.exe	100
PID 3688 wrote to memory of 2068	3688	cmd.exe	100
PID 3688 wrote to memory of 2068	3688	cmd.exe	100
PID 3068 wrote to memory of 3764	3068	dog.exe	101
PID 3068 wrote to memory of 3764	3068	dog.exe	101
PID 3068 wrote to memory of 3764	3068	dog.exe	101
PID 3764 wrote to memory of 3844	3764	cmd.exe	102
PID 3764 wrote to memory of 3844	3764	cmd.exe	102
PID 3764 wrote to memory of 3844	3764	cmd.exe	102
PID 3068 wrote to memory of 3756	3068	dog.exe	103
PID 3068 wrote to memory of 3756	3068	dog.exe	103
PID 3068 wrote to memory of 3756	3068	dog.exe	103
PID 3756 wrote to memory of 504	3756	cmd.exe	104
PID 3756 wrote to memory of 504	3756	cmd.exe	104
PID 3756 wrote to memory of 504	3756	cmd.exe	104
PID 3068 wrote to memory of 1428	3068	dog.exe	105
PID 3068 wrote to memory of 1428	3068	dog.exe	105
PID 3068 wrote to memory of 1428	3068	dog.exe	105
PID 1428 wrote to memory of 3828	1428	cmd.exe	106
PID 1428 wrote to memory of 3828	1428	cmd.exe	106
PID 1428 wrote to memory of 3828	1428	cmd.exe	106
PID 3068 wrote to memory of 1488	3068	dog.exe	107
PID 3068 wrote to memory of 1488	3068	dog.exe	107
PID 3068 wrote to memory of 1488	3068	dog.exe	107
PID 1488 wrote to memory of 796	1488	cmd.exe	108
PID 1488 wrote to memory of 796	1488	cmd.exe	108
PID 1488 wrote to memory of 796	1488	cmd.exe	108
PID 3068 wrote to memory of 836	3068	dog.exe	109
PID 3068 wrote to memory of 836	3068	dog.exe	109
PID 3068 wrote to memory of 836	3068	dog.exe	109
PID 836 wrote to memory of 892	836	cmd.exe	110
PID 836 wrote to memory of 892	836	cmd.exe	110
PID 836 wrote to memory of 892	836	cmd.exe	110
PID 3068 wrote to memory of 3892	3068	dog.exe	111
PID 3068 wrote to memory of 3892	3068	dog.exe	111
PID 3068 wrote to memory of 3892	3068	dog.exe	111
PID 3892 wrote to memory of 1644	3892	cmd.exe	112
PID 3892 wrote to memory of 1644	3892	cmd.exe	112
PID 3892 wrote to memory of 1644	3892	cmd.exe	112
PID 3068 wrote to memory of 688	3068	dog.exe	113
PID 3068 wrote to memory of 688	3068	dog.exe	113
PID 3068 wrote to memory of 688	3068	dog.exe	113
PID 688 wrote to memory of 732	688	cmd.exe	114
PID 688 wrote to memory of 732	688	cmd.exe	114
PID 688 wrote to memory of 732	688	cmd.exe	114
PID 3068 wrote to memory of 3100	3068	dog.exe	115
PID 3068 wrote to memory of 3100	3068	dog.exe	115
PID 3068 wrote to memory of 3100	3068	dog.exe	115
PID 3100 wrote to memory of 1008	3100	cmd.exe	116
PID 3100 wrote to memory of 1008	3100	cmd.exe	116
PID 3100 wrote to memory of 1008	3100	cmd.exe	116
PID 3068 wrote to memory of 356	3068	dog.exe	117
PID 3068 wrote to memory of 356	3068	dog.exe	117
PID 3068 wrote to memory of 356	3068	dog.exe	117
PID 356 wrote to memory of 1908	356	cmd.exe	118
PID 356 wrote to memory of 1908	356	cmd.exe	118
PID 356 wrote to memory of 1908	356	cmd.exe	118
PID 3068 wrote to memory of 3088	3068	dog.exe	119
PID 3068 wrote to memory of 3088	3068	dog.exe	119
PID 3068 wrote to memory of 3088	3068	dog.exe	119
PID 3088 wrote to memory of 2340	3088	cmd.exe	120
PID 3088 wrote to memory of 2340	3088	cmd.exe	120
PID 3088 wrote to memory of 2340	3088	cmd.exe	120
PID 3068 wrote to memory of 3832	3068	dog.exe	121
PID 3068 wrote to memory of 3832	3068	dog.exe	121
PID 3068 wrote to memory of 3832	3068	dog.exe	121
PID 3832 wrote to memory of 380	3832	cmd.exe	122
PID 3832 wrote to memory of 380	3832	cmd.exe	122
PID 3832 wrote to memory of 380	3832	cmd.exe	122
PID 3068 wrote to memory of 1156	3068	dog.exe	123
PID 3068 wrote to memory of 1156	3068	dog.exe	123
PID 3068 wrote to memory of 1156	3068	dog.exe	123
PID 1156 wrote to memory of 1060	1156	cmd.exe	124
PID 1156 wrote to memory of 1060	1156	cmd.exe	124
PID 1156 wrote to memory of 1060	1156	cmd.exe	124
PID 3068 wrote to memory of 2092	3068	dog.exe	125
PID 3068 wrote to memory of 2092	3068	dog.exe	125
PID 3068 wrote to memory of 2092	3068	dog.exe	125
PID 2092 wrote to memory of 3688	2092	cmd.exe	126
PID 2092 wrote to memory of 3688	2092	cmd.exe	126
PID 2092 wrote to memory of 3688	2092	cmd.exe	126
PID 3068 wrote to memory of 2136	3068	dog.exe	127
PID 3068 wrote to memory of 2136	3068	dog.exe	127
PID 3068 wrote to memory of 2136	3068	dog.exe	127
PID 2136 wrote to memory of 2152	2136	cmd.exe	128
PID 2136 wrote to memory of 2152	2136	cmd.exe	128
PID 2136 wrote to memory of 2152	2136	cmd.exe	128
PID 3068 wrote to memory of 1332	3068	dog.exe	129
PID 3068 wrote to memory of 1332	3068	dog.exe	129
PID 3068 wrote to memory of 1332	3068	dog.exe	129
PID 1332 wrote to memory of 1304	1332	cmd.exe	130
PID 1332 wrote to memory of 1304	1332	cmd.exe	130
PID 1332 wrote to memory of 1304	1332	cmd.exe	130
PID 3068 wrote to memory of 3796	3068	dog.exe	131
PID 3068 wrote to memory of 3796	3068	dog.exe	131
PID 3068 wrote to memory of 3796	3068	dog.exe	131
PID 3796 wrote to memory of 572	3796	cmd.exe	132
PID 3796 wrote to memory of 572	3796	cmd.exe	132
PID 3796 wrote to memory of 572	3796	cmd.exe	132
PID 3068 wrote to memory of 1840	3068	dog.exe	133
PID 3068 wrote to memory of 1840	3068	dog.exe	133
PID 3068 wrote to memory of 1840	3068	dog.exe	133
PID 1840 wrote to memory of 3036	1840	cmd.exe	134
PID 1840 wrote to memory of 3036	1840	cmd.exe	134
PID 1840 wrote to memory of 3036	1840	cmd.exe	134
PID 3068 wrote to memory of 3952	3068	dog.exe	135
PID 3068 wrote to memory of 3952	3068	dog.exe	135
PID 3068 wrote to memory of 3952	3068	dog.exe	135
PID 3952 wrote to memory of 1500	3952	cmd.exe	136
PID 3952 wrote to memory of 1500	3952	cmd.exe	136
PID 3952 wrote to memory of 1500	3952	cmd.exe	136
PID 3068 wrote to memory of 2540	3068	dog.exe	137
PID 3068 wrote to memory of 2540	3068	dog.exe	137
PID 3068 wrote to memory of 2540	3068	dog.exe	137
PID 2540 wrote to memory of 728	2540	cmd.exe	138
PID 2540 wrote to memory of 728	2540	cmd.exe	138
PID 2540 wrote to memory of 728	2540	cmd.exe	138
PID 3068 wrote to memory of 764	3068	dog.exe	139
PID 3068 wrote to memory of 764	3068	dog.exe	139
PID 3068 wrote to memory of 764	3068	dog.exe	139
PID 764 wrote to memory of 756	764	cmd.exe	140
PID 764 wrote to memory of 756	764	cmd.exe	140
PID 764 wrote to memory of 756	764	cmd.exe	140
PID 3068 wrote to memory of 492	3068	dog.exe	141
PID 3068 wrote to memory of 492	3068	dog.exe	141
PID 3068 wrote to memory of 492	3068	dog.exe	141
PID 492 wrote to memory of 2688	492	cmd.exe	142
PID 492 wrote to memory of 2688	492	cmd.exe	142
PID 492 wrote to memory of 2688	492	cmd.exe	142
PID 3068 wrote to memory of 3908	3068	dog.exe	143
PID 3068 wrote to memory of 3908	3068	dog.exe	143
PID 3068 wrote to memory of 3908	3068	dog.exe	143
PID 3908 wrote to memory of 1816	3908	cmd.exe	144
PID 3908 wrote to memory of 1816	3908	cmd.exe	144
PID 3908 wrote to memory of 1816	3908	cmd.exe	144
PID 3068 wrote to memory of 2820	3068	dog.exe	145
PID 3068 wrote to memory of 2820	3068	dog.exe	145
PID 3068 wrote to memory of 2820	3068	dog.exe	145
PID 2820 wrote to memory of 2644	2820	cmd.exe	146
PID 2820 wrote to memory of 2644	2820	cmd.exe	146
PID 2820 wrote to memory of 2644	2820	cmd.exe	146
PID 3068 wrote to memory of 2888	3068	dog.exe	147
PID 3068 wrote to memory of 2888	3068	dog.exe	147
PID 3068 wrote to memory of 2888	3068	dog.exe	147
PID 2888 wrote to memory of 424	2888	cmd.exe	148
PID 2888 wrote to memory of 424	2888	cmd.exe	148
PID 2888 wrote to memory of 424	2888	cmd.exe	148
PID 3068 wrote to memory of 356	3068	dog.exe	149
PID 3068 wrote to memory of 356	3068	dog.exe	149
PID 3068 wrote to memory of 356	3068	dog.exe	149
PID 356 wrote to memory of 3976	356	cmd.exe	150
PID 356 wrote to memory of 3976	356	cmd.exe	150
PID 356 wrote to memory of 3976	356	cmd.exe	150
PID 3068 wrote to memory of 3088	3068	dog.exe	151
PID 3068 wrote to memory of 3088	3068	dog.exe	151
PID 3068 wrote to memory of 3088	3068	dog.exe	151
PID 3088 wrote to memory of 3032	3088	cmd.exe	152
PID 3088 wrote to memory of 3032	3088	cmd.exe	152
PID 3088 wrote to memory of 3032	3088	cmd.exe	152

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	504	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3032	whoami.exe

Kills process with taskkill 39 IoCs

evasion

pid	Process
2916	taskkill.exe
3844	taskkill.exe
504	taskkill.exe
732	taskkill.exe
1008	taskkill.exe
1060	taskkill.exe
2644	taskkill.exe
2344	taskkill.exe
796	taskkill.exe
1816	taskkill.exe
1304	taskkill.exe
3956	taskkill.exe
2064	taskkill.exe
896	taskkill.exe
1008	taskkill.exe
2068	taskkill.exe
3828	taskkill.exe
3688	taskkill.exe
572	taskkill.exe
3036	taskkill.exe
1816	taskkill.exe
1908	taskkill.exe
756	taskkill.exe
424	taskkill.exe
3040	taskkill.exe
380	taskkill.exe
1500	taskkill.exe
3760	taskkill.exe
3796	taskkill.exe
1644	taskkill.exe
2340	taskkill.exe
3832	taskkill.exe
3820	taskkill.exe
3668	taskkill.exe
892	taskkill.exe
2688	taskkill.exe
3976	taskkill.exe
2152	taskkill.exe
728	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\dog.exe
"C:\Users\Admin\AppData\Local\Temp\dog.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im msftesql.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msftesql.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "schtasks /delete /tn WM /F "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn WM /F
    3⤵
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "del C:\e.bat"
  2⤵
  PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "del C:\a.bat"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im sqlagent.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlagent.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im sqlbrowser.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlbrowser.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im sqlservr.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlservr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im sqlwriter.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im oracle.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oracle.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im ocssd.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ocssd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im dbsnmp.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dbsnmp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im synctime.exe "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im synctime.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mydesktopqos.exe "
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mydesktopqos.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im agntsvc.exeisqlplussvc.exe "
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agntsvc.exeisqlplussvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im xfssvccon.exe "
  2⤵
  PID:380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im xfssvccon.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mydesktopservice.exe "
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mydesktopservice.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im ocautoupds.exe "
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ocautoupds.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im agntsvc.exeagntsvc.exe "
  2⤵
  PID:3764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agntsvc.exeagntsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im agntsvc.exeencsvc.exe "
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agntsvc.exeencsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im firefoxconfig.exe "
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firefoxconfig.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im tbirdconfig.exe "
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tbirdconfig.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im ocomm.exe "
  2⤵
  PID:836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ocomm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mysqld.exe "
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mysqld-nt.exe "
  2⤵
  PID:688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld-nt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mysqld-opt.exe "
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld-opt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im dbeng50.exe "
  2⤵
  PID:356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dbeng50.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im sqbcoreservice.exe "
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqbcoreservice.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im excel.exe "
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im excel.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im infopath.exe "
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im infopath.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im msaccess.exe "
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msaccess.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mspub.exe "
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mspub.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im onenote.exe "
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im onenote.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im outlook.exe "
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outlook.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im powerpnt.exe "
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im powerpnt.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im steam.exe "
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im steam.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im sqlservr.exe "
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlservr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im thebat.exe "
  2⤵
  PID:764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im thebat.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im thebat64.exe "
  2⤵
  PID:492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im thebat64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im thunderbird.exe "
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im thunderbird.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im visio.exe "
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im visio.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im winword.exe "
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winword.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im wordpad.exe"
  2⤵
  PID:356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wordpad.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "whoami >>C:\ProgramData\YTkam.txt"
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3032

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads