cybergate | 177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad

General

Target

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Size

1.8MB
MD5

04d799029ab0e86964b91d200a7d669b
SHA1

d2686050393e7891a3727a1cf8850c24df87e722
SHA256

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad
SHA512

f7eec1d88f017064d21929a9640e8e1839ea53bf57e0f96d657528d83491ed4d792205832ab3a9cb907317befdaf1e3c2d52d7926ff27ad9ff0552d51461daf7
SSDEEP

49152:ydSpWnEMLne6wVT0W9/1qw/rZZaUH8iwi:ydS58neiwD2UciT

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

cabrakan.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Net Framework 3,5 yükleyiniz.
message_box_title
Net Framework
password
abcd1234
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

4148 svchost.exe
3896 svchost.exe
4452 svchost.exe

pid	process
4148	svchost.exe
3896	svchost.exe
4452	svchost.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64SB02AP-4N26-IC34-U8DH-02FMB6VK7H73}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{64SB02AP-4N26-IC34-U8DH-02FMB6VK7H73}	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4392-196-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4392-202-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1324-205-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1324-210-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1324-277-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

Drops file in System32 directory 5 IoCs

Processes:

svchost.exe177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\install\svchost.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
File opened for modification	C:\Windows\SysWOW64\install\	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exesvchost.exe

description	pid	process	target process
PID 1584 set thread context of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 3896 set thread context of 4452	3896	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 29 IoCs

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exesvchost.exe177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\InprocServer32\ThreadingModel = "both"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\rasffr = "S~j\|QxhwYp[TpGfH{Q`Z@vxtaT"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\ = "DataCollectorSet"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\ProgID	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\bsai = "^LBOq\x7ftXQoJOGmHL{f\x7f"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\PAjbnfkWdjDgw = "bASBWPLTBqSDpK\\znK[gTk"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\aiBLnxVpMpl = "@EuN\|OeCqpcT[a]z^nbzxfUka"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\rasffr = "S~j\|QxhwYp[TpGfH{Q`Z@vxtQT"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\InprocServer32	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\TypeLib	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\VersionIndependentProgID	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\jMVzjzoczbzDz = "zt{NnzBl]e^ip`zCzKt"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\Version\ = "1.0"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\aiBLnxVpMpl = "@EuN\|OUCqpcT[a]z^nbzxfUka"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\AppID = "{03837503-098b-11d8-9414-505054503030}"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\ruszyvlsSwoV = "O^RfkecXLy`\|e\|uI^sVgDhV~bg\x7fc"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\ucziJnEjn = "SMCnyfEn`aRpgYVhg"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\ProgID\ = "PLA.DataCollectorSet.1"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\VersionIndependentProgID\ = "PLA.DataCollectorSet"	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\aiBLnxVpMpl = "@EuN\|OUCqpcT[amz^nbzxfUka"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\ucziJnEjn = "SMCnyfen`aRpy]bVg"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\LocalServer32	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\Version	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C722779B-A227-A465-A02A-0B28089C9DC4}\ucziJnEjn = "SMCnyfUn`aRqVAIhi"	svchost.exe

NTFS ADS 2 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\ProgramData\TEMP:DD901ECB svchost.exe
File created C:\ProgramData\TEMP:DD901ECB svchost.exe

description	ioc	process
File opened for modification	C:\ProgramData\TEMP:DD901ECB	svchost.exe
File created	C:\ProgramData\TEMP:DD901ECB	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exesvchost.exe

pid	process
4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
4452	svchost.exe
4452	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

pid process

1324 177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

pid	process
1324	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exesvchost.exe

description	pid	process
Token: 33	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Token: SeIncBasePriorityPrivilege	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Token: 33	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Token: SeIncBasePriorityPrivilege	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Token: SeDebugPrivilege	1324	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Token: SeDebugPrivilege	1324	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
Token: 33	3896	svchost.exe
Token: SeIncBasePriorityPrivilege	3896	svchost.exe
Token: 33	3896	svchost.exe
Token: SeIncBasePriorityPrivilege	3896	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exesvchost.exe

pid process

1584 177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
3896 svchost.exe

pid	process
1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
3896	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe

C:\Users\Admin\AppData\Local\Temp\177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
"C:\Users\Admin\AppData\Local\Temp\177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
"C:\Users\Admin\AppData\Local\Temp\177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe"
2⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
"C:\Users\Admin\AppData\Local\Temp\177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe"
4⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
- Executes dropped EXE
PID:4148

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\SysWOW64\install\svchost.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
b74a6f1a0e835942ea3a5426bba9f832

SHA1
0c0094999d11dc7010fa09dc95ff928030111f76

SHA256
f3ec1e6b3c3baba8666b1f450570a2177f50ab6cff7c1a87d89aea9acdd32819

SHA512
67f1a496a761e8cb3e8605845e7b1e6e1b5e8b29793129dc1da00a9adbafad9cda5dda5533de6bbbafb11fad01f9bc4035e2c6cafaef4bdd6db203fd0405b647

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
1.8MB

MD5
04d799029ab0e86964b91d200a7d669b

SHA1
d2686050393e7891a3727a1cf8850c24df87e722

SHA256
177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad

SHA512
f7eec1d88f017064d21929a9640e8e1839ea53bf57e0f96d657528d83491ed4d792205832ab3a9cb907317befdaf1e3c2d52d7926ff27ad9ff0552d51461daf7

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
1.8MB

MD5
04d799029ab0e86964b91d200a7d669b

SHA1
d2686050393e7891a3727a1cf8850c24df87e722

SHA256
177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad

SHA512
f7eec1d88f017064d21929a9640e8e1839ea53bf57e0f96d657528d83491ed4d792205832ab3a9cb907317befdaf1e3c2d52d7926ff27ad9ff0552d51461daf7

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
1.8MB

MD5
04d799029ab0e86964b91d200a7d669b

SHA1
d2686050393e7891a3727a1cf8850c24df87e722

SHA256
177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad

SHA512
f7eec1d88f017064d21929a9640e8e1839ea53bf57e0f96d657528d83491ed4d792205832ab3a9cb907317befdaf1e3c2d52d7926ff27ad9ff0552d51461daf7

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
1.8MB

MD5
04d799029ab0e86964b91d200a7d669b

SHA1
d2686050393e7891a3727a1cf8850c24df87e722

SHA256
177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad

SHA512
f7eec1d88f017064d21929a9640e8e1839ea53bf57e0f96d657528d83491ed4d792205832ab3a9cb907317befdaf1e3c2d52d7926ff27ad9ff0552d51461daf7

Download Submit
memory/1324-277-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1324-200-0x0000000000000000-mapping.dmp

Download
memory/1324-209-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1324-210-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1324-205-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1584-161-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/1584-169-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1584-151-0x0000000000406000-0x0000000000407000-memory.dmp

Filesize
4KB

Download
memory/1584-154-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/1584-155-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/1584-156-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/1584-157-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/1584-158-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/1584-159-0x000000000040A000-0x000000000040B000-memory.dmp

Filesize
4KB

Download
memory/1584-160-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/1584-149-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1584-162-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1584-163-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/1584-164-0x0000000000416000-0x0000000000417000-memory.dmp

Filesize
4KB

Download
memory/1584-166-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1584-167-0x0000000000451000-0x0000000000452000-memory.dmp

Filesize
4KB

Download
memory/1584-168-0x0000000000452000-0x0000000000453000-memory.dmp

Filesize
4KB

Download
memory/1584-152-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/1584-170-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/1584-171-0x0000000000453000-0x0000000000454000-memory.dmp

Filesize
4KB

Download
memory/1584-172-0x0000000000415000-0x0000000000416000-memory.dmp

Filesize
4KB

Download
memory/1584-173-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/1584-174-0x0000000000454000-0x0000000000455000-memory.dmp

Filesize
4KB

Download
memory/1584-148-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1584-146-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1584-177-0x0000000000455000-0x0000000000456000-memory.dmp

Filesize
4KB

Download
memory/1584-145-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1584-178-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/1584-144-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1584-143-0x00000000024B1000-0x000000000259F000-memory.dmp

Filesize
952KB

Download
memory/1584-142-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1584-136-0x00000000024B0000-0x00000000025E8000-memory.dmp

Filesize
1.2MB

Download
memory/1584-134-0x0000000000000000-mapping.dmp

Download
memory/3896-214-0x0000000000000000-mapping.dmp

Download
memory/3896-218-0x0000000002C00000-0x0000000002D38000-memory.dmp

Filesize
1.2MB

Download
memory/3896-267-0x0000000002C01000-0x0000000002CEF000-memory.dmp

Filesize
952KB

Download
memory/3896-228-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/3896-227-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/3896-226-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/3896-225-0x0000000002C01000-0x0000000002CEF000-memory.dmp

Filesize
952KB

Download
memory/3896-224-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/4148-211-0x0000000000000000-mapping.dmp

Download
memory/4148-215-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/4148-264-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/4392-196-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4392-175-0x0000000000000000-mapping.dmp

Download
memory/4392-206-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4392-181-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4392-202-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4392-194-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4392-176-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4392-180-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4452-255-0x0000000000000000-mapping.dmp

Download
memory/4452-276-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4452-278-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5012-132-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/5012-193-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/5012-153-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download

description	pid	process	target process
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 1584 wrote to memory of 4392	1584	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 5012 wrote to memory of 1584	5012	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe
PID 4392 wrote to memory of 1160	4392	177a2d0e340135f5961c5bad463a499ad0efa9dea5668bd320ccb12074b4d3ad.exe	iexplore.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads