c1738c61a6faf8fffe26fe1781adb6f6c7d7da65f0c7b3ad57f19924112d2ecd

Analysis

max time kernel
22s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 17:03

Target

kill oculus vr processes.cmd
Size

886B
MD5

818aeaf9c4cedd60ac6b1759ed759891
SHA1

370f052c2b44a413f8a5c6502bb1b8760d62cd34
SHA256

c1738c61a6faf8fffe26fe1781adb6f6c7d7da65f0c7b3ad57f19924112d2ecd
SHA512

d69ade3bd13a843bbeec7cae452722317d5effb6a30a79c5492151181695484b72b735c8ebb96ba2ec449c291296fa505b99fa5459a5f02c2c0384b51746ada8

Score

1^/10

Kills process with taskkill 6 IoCs

evasion

Suspicious use of AdjustPrivilegeToken 6 IoCs

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2332	780	cmd.exe	96
PID 780 wrote to memory of 2332	780	cmd.exe	96
PID 780 wrote to memory of 2152	780	cmd.exe	97
PID 780 wrote to memory of 2152	780	cmd.exe	97
PID 780 wrote to memory of 3964	780	cmd.exe	98
PID 780 wrote to memory of 3964	780	cmd.exe	98
PID 780 wrote to memory of 2020	780	cmd.exe	99
PID 780 wrote to memory of 2020	780	cmd.exe	99
PID 780 wrote to memory of 3208	780	cmd.exe	100
PID 780 wrote to memory of 3208	780	cmd.exe	100
PID 780 wrote to memory of 1172	780	cmd.exe	101
PID 780 wrote to memory of 1172	780	cmd.exe	101

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kill oculus vr processes.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OVRRedir.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OVRServiceLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OVRServer_x64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OculusDash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM oculus-platform-runtime.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OculusClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172