xtremerat | d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

Analysis

max time kernel
189s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
Size

328KB
MD5

d5205d99667a7463991311ba1d86fbbc
SHA1

02449a330e4f0c1d499581a89a6cef3b6a719ee0
SHA256

d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38
SHA512

8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691
SSDEEP

6144:MuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLku0dCcKNUDkO:n6Wq4aaE6KwyF5L0Y2D1PqLXcu+kO

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

藈㶮က蠀C:\windrap1215.servemp3.com

Signatures

Detect XtremeRAT payload 40 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3468-138-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3512-139-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3468-140-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2404-143-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/2404-144-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3468-145-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3468-150-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2484-169-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3048-170-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3048-184-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1176-192-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4516-194-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1176-205-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4516-208-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5068-217-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1836-218-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3580-221-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/1836-231-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3204-232-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/5068-242-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3204-243-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3580-244-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/532-254-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3464-266-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3580-268-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3464-277-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/532-278-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4972-279-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3204-282-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2504-293-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/364-303-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4972-306-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2504-320-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1916-328-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4164-338-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4244-339-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1916-343-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/364-345-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4156-364-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3892-366-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 64 IoCs

Processes:

qahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exe

pid	process
2280	qahamo.exe
2220	qahamo.exe
3048	qahamo.exe
2484	qahamo.exe
2116	qahamo.exe
4516	qahamo.exe
4484	qahamo.exe
1176	qahamo.exe
2752	qahamo.exe
1836	qahamo.exe
4904	qahamo.exe
5068	qahamo.exe
4416	qahamo.exe
3580	qahamo.exe
2736	qahamo.exe
3204	qahamo.exe
32	qahamo.exe
532	qahamo.exe
3452	qahamo.exe
3464	qahamo.exe
2756	qahamo.exe
4972	qahamo.exe
2116	qahamo.exe
2504	qahamo.exe
4072	qahamo.exe
364	qahamo.exe
2568	qahamo.exe
1916	qahamo.exe
1308	qahamo.exe
3116	qahamo.exe
4244	qahamo.exe
4164	qahamo.exe
1148	qahamo.exe
3548	qahamo.exe
3892	qahamo.exe
4156	qahamo.exe
1420	qahamo.exe
4952	qahamo.exe
3580	qahamo.exe
4628	qahamo.exe
1516	qahamo.exe
4728	qahamo.exe
1052	qahamo.exe
3644	qahamo.exe
3868	qahamo.exe
3448	qahamo.exe
1516	qahamo.exe
3204	qahamo.exe
4796	qahamo.exe
4424	qahamo.exe
3448	qahamo.exe
3396	qahamo.exe
2240	qahamo.exe
3204	qahamo.exe
4468	qahamo.exe
4732	qahamo.exe
364	qahamo.exe
1540	qahamo.exe
4860	qahamo.exe
4424	qahamo.exe
4576	qahamo.exe
4692	qahamo.exe
5232	qahamo.exe
5260	qahamo.exe

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exesvchost.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exed24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6GBW00D-WQD2-6F00-8443-6542NK4T776J}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe restart"	qahamo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4928-132-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3468-134-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3468-136-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4928-137-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3468-138-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3468-140-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3468-141-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2404-144-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3468-145-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/3468-150-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2220-151-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/2280-152-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2280-157-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2220-165-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/2484-169-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3048-170-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2116-173-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2116-179-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/3048-184-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/4484-190-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1176-192-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4516-194-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2752-202-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1176-205-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/4516-208-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/4904-213-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/5068-217-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1836-218-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/4416-225-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/1836-231-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2736-237-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/5068-242-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3204-243-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3580-244-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/32-245-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/32-251-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/532-254-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/3452-261-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/3464-266-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3580-268-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe	upx
behavioral2/memory/2756-274-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	qahamo.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exed24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsfouli = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qahamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oulknac = "C:\\Users\\Admin\\AppData\\Roaming\\smonou\\qahamo.exe"	qahamo.exe

AutoIT Executable 28 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4928-132-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/4928-137-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2220-151-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2280-152-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2280-157-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2220-165-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2116-173-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2116-179-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/4484-190-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2752-202-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/4904-213-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/4416-225-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2736-237-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/32-245-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/32-251-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/3452-261-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2756-274-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2116-287-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/4072-295-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/4072-300-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2568-308-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/2568-312-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/1308-324-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/3116-329-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/3548-357-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/1148-356-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/1420-368-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral2/memory/1420-370-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 59 IoCs

Processes:

d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exe

description	pid	process	target process
PID 4928 set thread context of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 2280 set thread context of 3048	2280	qahamo.exe	qahamo.exe
PID 2220 set thread context of 2484	2220	qahamo.exe	qahamo.exe
PID 2116 set thread context of 4516	2116	qahamo.exe	qahamo.exe
PID 4484 set thread context of 1176	4484	qahamo.exe	qahamo.exe
PID 2752 set thread context of 1836	2752	qahamo.exe	qahamo.exe
PID 4904 set thread context of 5068	4904	qahamo.exe	qahamo.exe
PID 4416 set thread context of 3580	4416	qahamo.exe	qahamo.exe
PID 2736 set thread context of 3204	2736	qahamo.exe	qahamo.exe
PID 32 set thread context of 532	32	qahamo.exe	qahamo.exe
PID 3452 set thread context of 3464	3452	qahamo.exe	qahamo.exe
PID 2756 set thread context of 4972	2756	qahamo.exe	qahamo.exe
PID 2116 set thread context of 2504	2116	qahamo.exe	qahamo.exe
PID 4072 set thread context of 364	4072	qahamo.exe	qahamo.exe
PID 2568 set thread context of 1916	2568	qahamo.exe	qahamo.exe
PID 1308 set thread context of 4244	1308	qahamo.exe	qahamo.exe
PID 3116 set thread context of 4164	3116	qahamo.exe	qahamo.exe
PID 1148 set thread context of 3892	1148	qahamo.exe	qahamo.exe
PID 3548 set thread context of 4156	3548	qahamo.exe	qahamo.exe
PID 1420 set thread context of 4952	1420	qahamo.exe	qahamo.exe
PID 3580 set thread context of 4628	3580	qahamo.exe	qahamo.exe
PID 1516 set thread context of 1052	1516	qahamo.exe	qahamo.exe
PID 4728 set thread context of 3644	4728	qahamo.exe	qahamo.exe
PID 3868 set thread context of 3448	3868	qahamo.exe	qahamo.exe
PID 1516 set thread context of 3204	1516	qahamo.exe	qahamo.exe
PID 4796 set thread context of 3448	4796	qahamo.exe	qahamo.exe
PID 4424 set thread context of 3396	4424	qahamo.exe	qahamo.exe
PID 1540 set thread context of 4860	1540	qahamo.exe	qahamo.exe
PID 364 set thread context of 4576	364	qahamo.exe	qahamo.exe
PID 4468 set thread context of 4424	4468	qahamo.exe	qahamo.exe
PID 3204 set thread context of 4692	3204	qahamo.exe	qahamo.exe
PID 2240 set thread context of 5232	2240	qahamo.exe	qahamo.exe
PID 4732 set thread context of 5248	4732	qahamo.exe	qahamo.exe
PID 5260 set thread context of 5396	5260	qahamo.exe	qahamo.exe
PID 5636 set thread context of 5672	5636	qahamo.exe	qahamo.exe
PID 5732 set thread context of 5804	5732	qahamo.exe	qahamo.exe
PID 5780 set thread context of 5848	5780	qahamo.exe	qahamo.exe
PID 4136 set thread context of 5136	4136	qahamo.exe	qahamo.exe
PID 1896 set thread context of 4256	1896	qahamo.exe	qahamo.exe
PID 5272 set thread context of 3396	5272	qahamo.exe	qahamo.exe
PID 5312 set thread context of 5372	5312	qahamo.exe	qahamo.exe
PID 5620 set thread context of 5424	5620	qahamo.exe	qahamo.exe
PID 5732 set thread context of 5796	5732	qahamo.exe	qahamo.exe
PID 5124 set thread context of 5676	5124	qahamo.exe	qahamo.exe
PID 3956 set thread context of 3704	3956	qahamo.exe	qahamo.exe
PID 2240 set thread context of 5624	2240	qahamo.exe	qahamo.exe
PID 5764 set thread context of 5856	5764	qahamo.exe	qahamo.exe
PID 5284 set thread context of 4692	5284	qahamo.exe	qahamo.exe
PID 4260 set thread context of 5696	4260	qahamo.exe	qahamo.exe
PID 4256 set thread context of 1308	4256	qahamo.exe	qahamo.exe
PID 4052 set thread context of 5408	4052	qahamo.exe	qahamo.exe
PID 5964 set thread context of 4732	5964	qahamo.exe	qahamo.exe
PID 5980 set thread context of 4324	5980	qahamo.exe	qahamo.exe
PID 1972 set thread context of 5168	1972	qahamo.exe	qahamo.exe
PID 3648 set thread context of 4908	3648	qahamo.exe	qahamo.exe
PID 4588 set thread context of 4676	4588	qahamo.exe	qahamo.exe
PID 4908 set thread context of 2744	4908	qahamo.exe	qahamo.exe
PID 2772 set thread context of 1640	2772	qahamo.exe	qahamo.exe
PID 4200 set thread context of 2324	4200	qahamo.exe	qahamo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 35 IoCs

Processes:

qahamo.exeqahamo.exeqahamo.exed24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exesvchost.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exeqahamo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qahamo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	process
4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
2280	qahamo.exe
2280	qahamo.exe
2220	qahamo.exe
2220	qahamo.exe
2280	qahamo.exe
2220	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
4484	qahamo.exe
4484	qahamo.exe
4484	qahamo.exe
2752	qahamo.exe
2752	qahamo.exe
2752	qahamo.exe
4904	qahamo.exe
4904	qahamo.exe
4904	qahamo.exe
4416	qahamo.exe
4416	qahamo.exe
4416	qahamo.exe
2736	qahamo.exe
2736	qahamo.exe
2736	qahamo.exe
32	qahamo.exe
32	qahamo.exe
32	qahamo.exe
3452	qahamo.exe
3452	qahamo.exe
3452	qahamo.exe
2756	qahamo.exe
2756	qahamo.exe
2756	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
4072	qahamo.exe
4072	qahamo.exe
4072	qahamo.exe
2568	qahamo.exe
2568	qahamo.exe
2568	qahamo.exe
1308	qahamo.exe
1308	qahamo.exe
3116	qahamo.exe
3116	qahamo.exe
1308	qahamo.exe
3116	qahamo.exe
1148	qahamo.exe
1148	qahamo.exe
3548	qahamo.exe
3548	qahamo.exe
1148	qahamo.exe
3548	qahamo.exe
1420	qahamo.exe
1420	qahamo.exe
1420	qahamo.exe
3580	qahamo.exe
3580	qahamo.exe
3580	qahamo.exe
1516	qahamo.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
2280	qahamo.exe
2280	qahamo.exe
2220	qahamo.exe
2220	qahamo.exe
2280	qahamo.exe
2220	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
4484	qahamo.exe
4484	qahamo.exe
4484	qahamo.exe
2752	qahamo.exe
2752	qahamo.exe
2752	qahamo.exe
4904	qahamo.exe
4904	qahamo.exe
4904	qahamo.exe
4416	qahamo.exe
4416	qahamo.exe
4416	qahamo.exe
2736	qahamo.exe
2736	qahamo.exe
2736	qahamo.exe
32	qahamo.exe
32	qahamo.exe
32	qahamo.exe
3452	qahamo.exe
3452	qahamo.exe
3452	qahamo.exe
2756	qahamo.exe
2756	qahamo.exe
2756	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
2116	qahamo.exe
4072	qahamo.exe
4072	qahamo.exe
4072	qahamo.exe
2568	qahamo.exe
2568	qahamo.exe
2568	qahamo.exe
1308	qahamo.exe
1308	qahamo.exe
3116	qahamo.exe
3116	qahamo.exe
1308	qahamo.exe
3116	qahamo.exe
1148	qahamo.exe
1148	qahamo.exe
3548	qahamo.exe
3548	qahamo.exe
1148	qahamo.exe
3548	qahamo.exe
1420	qahamo.exe
1420	qahamo.exe
1420	qahamo.exe
3580	qahamo.exe
3580	qahamo.exe
3580	qahamo.exe
1516	qahamo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exed24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exesvchost.exeqahamo.exeqahamo.exeqahamo.exe

description	pid	process	target process
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 4928 wrote to memory of 3468	4928	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
PID 3468 wrote to memory of 3512	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	svchost.exe
PID 3468 wrote to memory of 3512	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	svchost.exe
PID 3468 wrote to memory of 3512	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	svchost.exe
PID 3468 wrote to memory of 3512	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	svchost.exe
PID 3468 wrote to memory of 3120	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 3120	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 2404	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	explorer.exe
PID 3468 wrote to memory of 2404	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	explorer.exe
PID 3468 wrote to memory of 2404	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	explorer.exe
PID 3468 wrote to memory of 2404	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	explorer.exe
PID 3468 wrote to memory of 3120	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1924	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1924	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1924	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1212	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1212	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1212	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4900	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4900	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4900	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1548	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1548	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 1548	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4480	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4480	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4480	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4076	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4076	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 4076	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 744	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 744	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	msedge.exe
PID 3468 wrote to memory of 2280	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	qahamo.exe
PID 3468 wrote to memory of 2280	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	qahamo.exe
PID 3468 wrote to memory of 2280	3468	d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe	qahamo.exe
PID 3512 wrote to memory of 2220	3512	svchost.exe	qahamo.exe
PID 3512 wrote to memory of 2220	3512	svchost.exe	qahamo.exe
PID 3512 wrote to memory of 2220	3512	svchost.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2280 wrote to memory of 3048	2280	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 2220 wrote to memory of 2484	2220	qahamo.exe	qahamo.exe
PID 3048 wrote to memory of 2724	3048	qahamo.exe	msedge.exe
PID 3048 wrote to memory of 2724	3048	qahamo.exe	msedge.exe
PID 3048 wrote to memory of 2724	3048	qahamo.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
"C:\Users\Admin\AppData\Local\Temp\d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe
"C:\Users\Admin\AppData\Local\Temp\d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38.exe"
2⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2116

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1124

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4904

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4024

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:32

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4208

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1232

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4264

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2116

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4420

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3116

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
11⤵
- Executes dropped EXE
PID:4164

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4416

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2596

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4904

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2568

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1876

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1148

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
11⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4248

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3452

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:8

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4072

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4344

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3548

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1392

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4728

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2468

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4424

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
11⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3480

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4468

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
13⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1308

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4604

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3580

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1092

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1420

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2192

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3868

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1892

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1516

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:392

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4796

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3928

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3204

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1516

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2756

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2240

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
PID:5232

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4732

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5608

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Suspicious use of SetThreadContext
PID:5732

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1808

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Suspicious use of SetThreadContext
PID:5272

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5832

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
10⤵
- Suspicious use of SetThreadContext
PID:3956

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
11⤵
PID:3704

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:364

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5316

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1540

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5260

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5656

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Suspicious use of SetThreadContext
PID:5780

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4952

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Suspicious use of SetThreadContext
PID:5312

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:924

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
10⤵
- Suspicious use of SetThreadContext
PID:5124

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
11⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5876

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
12⤵
- Suspicious use of SetThreadContext
PID:5284

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
13⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:4072

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
14⤵
- Suspicious use of SetThreadContext
PID:4256

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
15⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:4468

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
16⤵
- Suspicious use of SetThreadContext
PID:1972

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
17⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:5984

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
18⤵
- Suspicious use of SetThreadContext
PID:4908

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
19⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:5336

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
20⤵
- Suspicious use of SetThreadContext
PID:4200

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
21⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:4824

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:5636

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:6128

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Suspicious use of SetThreadContext
PID:1896

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1320

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:4136

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5720

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Suspicious use of SetThreadContext
PID:5732

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4648

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Suspicious use of SetThreadContext
PID:5764

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
PID:5856

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:5620

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5768

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:2240

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
PID:5624

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:4260

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Modifies registry class
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4928

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Suspicious use of SetThreadContext
PID:5964

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
7⤵
- Checks computer location settings
- Modifies registry class
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4052

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
8⤵
- Suspicious use of SetThreadContext
PID:3648

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
9⤵
PID:4908

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:4052

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:776

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:5980

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1056

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:4588

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3944

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Suspicious use of SetThreadContext
PID:2772

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Modifies Installed Components in the registry
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3120

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:744

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3876

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4484

C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
"C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe"
6⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7i0NH7Z.cfg
Filesize
1KB

MD5
662b32417f4a5de0a0ea26ced5b57dcb

SHA1
2de8d07ab025f6b7c6fcca28e6cc927ca93fdbd3

SHA256
cc0890aeb215eb7bf5b1240bb4610471a8038222834f9c059992f15a997897d8

SHA512
0d6a1e8fc0db27b56fa46045e957e0873c308c3f27ddb954466600560292a2ef5dcbd9cd701a8e497920176d647d407f7bf381364ce238aa1a3ea4601384d123

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
C:\Users\Admin\AppData\Roaming\smonou\qahamo.exe
Filesize
328KB

MD5
d5205d99667a7463991311ba1d86fbbc

SHA1
02449a330e4f0c1d499581a89a6cef3b6a719ee0

SHA256
d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

SHA512
8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

Download Submit
memory/32-251-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/32-245-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/32-240-0x0000000000000000-mapping.dmp

Download
memory/364-447-0x0000000000000000-mapping.dmp

Download
memory/364-294-0x0000000000000000-mapping.dmp

Download
memory/364-303-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/364-345-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/532-278-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/532-246-0x0000000000000000-mapping.dmp

Download
memory/532-254-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1052-386-0x0000000000000000-mapping.dmp

Download
memory/1148-356-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1148-340-0x0000000000000000-mapping.dmp

Download
memory/1176-192-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1176-185-0x0000000000000000-mapping.dmp

Download
memory/1176-205-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1308-316-0x0000000000000000-mapping.dmp

Download
memory/1308-324-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1420-360-0x0000000000000000-mapping.dmp

Download
memory/1420-368-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1420-370-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1516-384-0x0000000000000000-mapping.dmp

Download
memory/1516-414-0x0000000000000000-mapping.dmp

Download
memory/1540-448-0x0000000000000000-mapping.dmp

Download
memory/1836-197-0x0000000000000000-mapping.dmp

Download
memory/1836-231-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1836-218-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1916-343-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1916-328-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1916-307-0x0000000000000000-mapping.dmp

Download
memory/2116-179-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2116-173-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2116-171-0x0000000000000000-mapping.dmp

Download
memory/2116-287-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2116-280-0x0000000000000000-mapping.dmp

Download
memory/2220-148-0x0000000000000000-mapping.dmp

Download
memory/2220-151-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2220-165-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2240-441-0x0000000000000000-mapping.dmp

Download
memory/2280-146-0x0000000000000000-mapping.dmp

Download
memory/2280-152-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2280-157-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2404-143-0x0000000000000000-mapping.dmp

Download
memory/2404-144-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2484-169-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2484-160-0x0000000000000000-mapping.dmp

Download
memory/2504-283-0x0000000000000000-mapping.dmp

Download
memory/2504-320-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2504-293-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2568-312-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2568-308-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2568-304-0x0000000000000000-mapping.dmp

Download
memory/2736-229-0x0000000000000000-mapping.dmp

Download
memory/2736-237-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2752-195-0x0000000000000000-mapping.dmp

Download
memory/2752-202-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2756-274-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2756-265-0x0000000000000000-mapping.dmp

Download
memory/3048-170-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3048-153-0x0000000000000000-mapping.dmp

Download
memory/3048-184-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3116-329-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3116-318-0x0000000000000000-mapping.dmp

Download
memory/3204-442-0x0000000000000000-mapping.dmp

Download
memory/3204-415-0x0000000000000000-mapping.dmp

Download
memory/3204-243-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3204-232-0x0000000000000000-mapping.dmp

Download
memory/3204-282-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3396-432-0x0000000000000000-mapping.dmp

Download
memory/3448-426-0x0000000000000000-mapping.dmp

Download
memory/3448-404-0x0000000000000000-mapping.dmp

Download
memory/3452-255-0x0000000000000000-mapping.dmp

Download
memory/3452-261-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3464-266-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3464-257-0x0000000000000000-mapping.dmp

Download
memory/3464-277-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3468-150-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3468-136-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3468-134-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3468-138-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3468-141-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3468-133-0x0000000000000000-mapping.dmp

Download
memory/3468-145-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3468-140-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3512-139-0x0000000000000000-mapping.dmp

Download
memory/3548-357-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3548-342-0x0000000000000000-mapping.dmp

Download
memory/3580-375-0x0000000000000000-mapping.dmp

Download
memory/3580-268-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3580-221-0x0000000000000000-mapping.dmp

Download
memory/3580-244-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3644-395-0x0000000000000000-mapping.dmp

Download
memory/3868-401-0x0000000000000000-mapping.dmp

Download
memory/3892-366-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3892-346-0x0000000000000000-mapping.dmp

Download
memory/4072-300-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4072-290-0x0000000000000000-mapping.dmp

Download
memory/4072-295-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4156-364-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4156-348-0x0000000000000000-mapping.dmp

Download
memory/4164-325-0x0000000000000000-mapping.dmp

Download
memory/4164-338-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4244-321-0x0000000000000000-mapping.dmp

Download
memory/4244-339-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4416-219-0x0000000000000000-mapping.dmp

Download
memory/4416-225-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4424-451-0x0000000000000000-mapping.dmp

Download
memory/4424-424-0x0000000000000000-mapping.dmp

Download
memory/4468-443-0x0000000000000000-mapping.dmp

Download
memory/4484-181-0x0000000000000000-mapping.dmp

Download
memory/4484-190-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4516-208-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4516-194-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4516-174-0x0000000000000000-mapping.dmp

Download
memory/4576-450-0x0000000000000000-mapping.dmp

Download
memory/4628-378-0x0000000000000000-mapping.dmp

Download
memory/4728-385-0x0000000000000000-mapping.dmp

Download
memory/4732-446-0x0000000000000000-mapping.dmp

Download
memory/4796-422-0x0000000000000000-mapping.dmp

Download
memory/4860-449-0x0000000000000000-mapping.dmp

Download
memory/4904-206-0x0000000000000000-mapping.dmp

Download
memory/4904-213-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4928-137-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4928-132-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4952-365-0x0000000000000000-mapping.dmp

Download
memory/4972-279-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4972-269-0x0000000000000000-mapping.dmp

Download
memory/4972-306-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5068-242-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5068-209-0x0000000000000000-mapping.dmp

Download
memory/5068-217-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download