hxxps://github[.]com/disepi/ambrosial/releases/download/1[.]5/Ambrosial[.]exe

General

Target

https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d42e80ebae45d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2B40694C-0B14-11EE-9EF6-62080863D4B5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{714AB48F-4909-477D-A2D2-904C571930EE}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe

Modifies registry class 61 IoCs

Processes:

NOTEPAD.EXENOTEPAD.EXEexplorer.exeexplorer.exeConhost.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	Conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

5084 iexplore.exe
5084 iexplore.exe
5084 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXENOTEPAD.EXENOTEPAD.EXE

pid process

5084 iexplore.exe
5084 iexplore.exe
3412 IEXPLORE.EXE
3412 IEXPLORE.EXE
2752 NOTEPAD.EXE
2752 NOTEPAD.EXE
2500 NOTEPAD.EXE

pid	process
5084	iexplore.exe
5084	iexplore.exe
5084	iexplore.exe

pid	process
5084	iexplore.exe
5084	iexplore.exe
3412	IEXPLORE.EXE
3412	IEXPLORE.EXE
2752	NOTEPAD.EXE
2752	NOTEPAD.EXE
2500	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

iexplore.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5084 wrote to memory of 3412	5084	iexplore.exe	IEXPLORE.EXE
PID 5084 wrote to memory of 3412	5084	iexplore.exe	IEXPLORE.EXE
PID 5084 wrote to memory of 3412	5084	iexplore.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 1416	1956	cmd.exe	explorer.exe
PID 1956 wrote to memory of 1416	1956	cmd.exe	explorer.exe
PID 604 wrote to memory of 1824	604	cmd.exe	cmd.exe
PID 604 wrote to memory of 1824	604	cmd.exe	cmd.exe
PID 604 wrote to memory of 1316	604	cmd.exe	explorer.exe
PID 604 wrote to memory of 1316	604	cmd.exe	explorer.exe
PID 1824 wrote to memory of 4160	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 4160	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 4408	1824	cmd.exe	Conhost.exe
PID 1824 wrote to memory of 4408	1824	cmd.exe	Conhost.exe
PID 4160 wrote to memory of 3892	4160	cmd.exe	cmd.exe
PID 4160 wrote to memory of 3892	4160	cmd.exe	cmd.exe
PID 4160 wrote to memory of 3784	4160	cmd.exe	explorer.exe
PID 4160 wrote to memory of 3784	4160	cmd.exe	explorer.exe
PID 3892 wrote to memory of 2380	3892	cmd.exe	cmd.exe
PID 3892 wrote to memory of 2380	3892	cmd.exe	cmd.exe
PID 3892 wrote to memory of 2512	3892	cmd.exe	explorer.exe
PID 3892 wrote to memory of 2512	3892	cmd.exe	explorer.exe
PID 2380 wrote to memory of 3716	2380	cmd.exe	cmd.exe
PID 2380 wrote to memory of 3716	2380	cmd.exe	cmd.exe
PID 2380 wrote to memory of 1420	2380	cmd.exe	explorer.exe
PID 2380 wrote to memory of 1420	2380	cmd.exe	explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies registry class
PID:1416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\hello.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\explorer.exe
explorer.exe
4⤵
- Modifies registry class
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
6⤵
PID:3716

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
7⤵
PID:3704

C:\Windows\explorer.exe
explorer.exe
8⤵
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
8⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
9⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
10⤵
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
11⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
12⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
13⤵
PID:960

C:\Windows\explorer.exe
explorer.exe
14⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
14⤵
PID:4920

C:\Windows\explorer.exe
explorer.exe
15⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
15⤵
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
16⤵
PID:2384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
- Modifies registry class
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
17⤵
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
18⤵
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
19⤵
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
20⤵
PID:8

C:\Windows\explorer.exe
explorer.exe
21⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
21⤵
PID:2912

C:\Windows\explorer.exe
explorer.exe
22⤵
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
22⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
23⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
24⤵
PID:2064

C:\Windows\explorer.exe
explorer.exe
25⤵
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
25⤵
PID:5192

C:\Windows\explorer.exe
explorer.exe
26⤵
PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
26⤵
PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
27⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
28⤵
PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
29⤵
PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
30⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
31⤵
PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
32⤵
PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
33⤵
PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
34⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
35⤵
PID:5340

C:\Windows\explorer.exe
explorer.exe
36⤵
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
36⤵
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
37⤵
PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
38⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
39⤵
PID:5524

C:\Windows\explorer.exe
explorer.exe
40⤵
PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
40⤵
PID:6024

C:\Windows\explorer.exe
explorer.exe
41⤵
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
41⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
42⤵
PID:6212

C:\Windows\explorer.exe
explorer.exe
43⤵
PID:6324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
43⤵
PID:6316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
44⤵
PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
45⤵
PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
46⤵
PID:6644

C:\Windows\explorer.exe
explorer.exe
47⤵
PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
47⤵
PID:6732

C:\Windows\explorer.exe
explorer.exe
48⤵
PID:6860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
48⤵
PID:6852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
49⤵
PID:6968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
50⤵
PID:7092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
51⤵
PID:6160

C:\Windows\explorer.exe
explorer.exe
52⤵
PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
52⤵
PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
53⤵
PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
54⤵
PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
55⤵
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
56⤵
PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
57⤵
PID:1488

C:\Windows\explorer.exe
explorer.exe
58⤵
PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
58⤵
PID:6636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
59⤵
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
60⤵
PID:7180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
61⤵
PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
62⤵
PID:7548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
63⤵
PID:7692

C:\Windows\explorer.exe
explorer.exe
64⤵
PID:7828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K hello.bat
64⤵
PID:7820

C:\Windows\explorer.exe
explorer.exe
63⤵
PID:7708

C:\Windows\explorer.exe
explorer.exe
62⤵
PID:7564

C:\Windows\explorer.exe
explorer.exe
61⤵
PID:7348

C:\Windows\explorer.exe
explorer.exe
60⤵
PID:7252

C:\Windows\explorer.exe
explorer.exe
59⤵
PID:3484

C:\Windows\explorer.exe
explorer.exe
57⤵
PID:1920

C:\Windows\explorer.exe
explorer.exe
56⤵
PID:6864

C:\Windows\explorer.exe
explorer.exe
55⤵
PID:4900

C:\Windows\explorer.exe
explorer.exe
54⤵
PID:6860

C:\Windows\explorer.exe
explorer.exe
53⤵
PID:6768

C:\Windows\explorer.exe
explorer.exe
51⤵
PID:6256

C:\Windows\explorer.exe
explorer.exe
50⤵
PID:7100

C:\Windows\explorer.exe
explorer.exe
49⤵
PID:6984

C:\Windows\explorer.exe
explorer.exe
46⤵
PID:6680

C:\Windows\explorer.exe
explorer.exe
45⤵
PID:6544

C:\Windows\explorer.exe
explorer.exe
44⤵
PID:6444

C:\Windows\explorer.exe
explorer.exe
42⤵
PID:6236

C:\Windows\explorer.exe
explorer.exe
39⤵
PID:3252

C:\Windows\explorer.exe
explorer.exe
38⤵
PID:3884

C:\Windows\explorer.exe
explorer.exe
37⤵
PID:6068

C:\Windows\explorer.exe
explorer.exe
35⤵
PID:5412

C:\Windows\explorer.exe
explorer.exe
34⤵
PID:5284

C:\Windows\explorer.exe
explorer.exe
33⤵
PID:6136

C:\Windows\explorer.exe
explorer.exe
32⤵
PID:5960

C:\Windows\explorer.exe
explorer.exe
31⤵
PID:5868

C:\Windows\explorer.exe
explorer.exe
30⤵
PID:5816

C:\Windows\explorer.exe
explorer.exe
29⤵
PID:5656

C:\Windows\explorer.exe
explorer.exe
28⤵
PID:5552

C:\Windows\explorer.exe
explorer.exe
27⤵
PID:5476

C:\Windows\explorer.exe
explorer.exe
24⤵
PID:5140

C:\Windows\explorer.exe
explorer.exe
23⤵
PID:3752

C:\Windows\explorer.exe
explorer.exe
20⤵
PID:1712

C:\Windows\explorer.exe
explorer.exe
19⤵
PID:5080

C:\Windows\explorer.exe
explorer.exe
18⤵
PID:1572

C:\Windows\explorer.exe
explorer.exe
17⤵
PID:3900

C:\Windows\explorer.exe
explorer.exe
16⤵
PID:1892

C:\Windows\explorer.exe
explorer.exe
13⤵
PID:3980

C:\Windows\explorer.exe
explorer.exe
12⤵
PID:2464

C:\Windows\explorer.exe
explorer.exe
11⤵
PID:1796

C:\Windows\explorer.exe
explorer.exe
10⤵
PID:1552

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:2264

C:\Windows\explorer.exe
explorer.exe
6⤵
PID:1420

C:\Windows\explorer.exe
explorer.exe
5⤵
- Modifies registry class
PID:2512

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:4408

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies registry class
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\New Text Document.bat
Filesize
35B

MD5
4e9f40ca34b5349dc12fe4be0d2aba88

SHA1
ed0acbfe13e5b4baf8b3bceee9affb33f063061d

SHA256
ca0312add9dab33e477205e348cadf8bee9c442ecd71b0ae8434f26dabd554f1

SHA512
026e4944cdaab1714ac3ee97064fa32acd3eacde5891523921ac77d283ca9bf7e7d37ff9b383714dff9487c05999aa08886fee16862c262cff450ed094eb9fd8

Download Submit
C:\Users\Admin\Desktop\hello.bat
Filesize
35B

MD5
4e9f40ca34b5349dc12fe4be0d2aba88

SHA1
ed0acbfe13e5b4baf8b3bceee9affb33f063061d

SHA256
ca0312add9dab33e477205e348cadf8bee9c442ecd71b0ae8434f26dabd554f1

SHA512
026e4944cdaab1714ac3ee97064fa32acd3eacde5891523921ac77d283ca9bf7e7d37ff9b383714dff9487c05999aa08886fee16862c262cff450ed094eb9fd8

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads