c1738c61a6faf8fffe26fe1781adb6f6c7d7da65f0c7b3ad57f19924112d2ecd

Analysis

max time kernel
8s
max time network
0s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 17:03

Target

kill oculus vr processes.cmd
Size

886B
MD5

818aeaf9c4cedd60ac6b1759ed759891
SHA1

370f052c2b44a413f8a5c6502bb1b8760d62cd34
SHA256

c1738c61a6faf8fffe26fe1781adb6f6c7d7da65f0c7b3ad57f19924112d2ecd
SHA512

d69ade3bd13a843bbeec7cae452722317d5effb6a30a79c5492151181695484b72b735c8ebb96ba2ec449c291296fa505b99fa5459a5f02c2c0384b51746ada8

Score

1^/10

Kills process with taskkill 6 IoCs

evasion

Suspicious use of AdjustPrivilegeToken 6 IoCs

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2088	2360	cmd.exe	32
PID 2360 wrote to memory of 2088	2360	cmd.exe	32
PID 2360 wrote to memory of 2088	2360	cmd.exe	32
PID 2360 wrote to memory of 2928	2360	cmd.exe	34
PID 2360 wrote to memory of 2928	2360	cmd.exe	34
PID 2360 wrote to memory of 2928	2360	cmd.exe	34
PID 2360 wrote to memory of 2772	2360	cmd.exe	35
PID 2360 wrote to memory of 2772	2360	cmd.exe	35
PID 2360 wrote to memory of 2772	2360	cmd.exe	35
PID 2360 wrote to memory of 2844	2360	cmd.exe	36
PID 2360 wrote to memory of 2844	2360	cmd.exe	36
PID 2360 wrote to memory of 2844	2360	cmd.exe	36
PID 2360 wrote to memory of 2816	2360	cmd.exe	37
PID 2360 wrote to memory of 2816	2360	cmd.exe	37
PID 2360 wrote to memory of 2816	2360	cmd.exe	37
PID 2360 wrote to memory of 2732	2360	cmd.exe	38
PID 2360 wrote to memory of 2732	2360	cmd.exe	38
PID 2360 wrote to memory of 2732	2360	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\kill oculus vr processes.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OVRRedir.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OVRServiceLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OVRServer_x64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OculusDash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM oculus-platform-runtime.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OculusClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2732