gh0strat | a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005

Resubmissions

01/05/2024, 15:02

240501-sewm7ahf3v 10

19/03/2024, 11:01

240319-m4tl8sad46 10

Analysis

max time kernel
68s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
Size

1.0MB
MD5

4531c46b0844e49db3b482ab0a8aaa99
SHA1

8bafe779083ca8a8c1edd9dc7995b1aaec75ccdb
SHA256

a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005
SHA512

a9671f57c624d73266f36449bada1be9fe51e138a35d941ec725f628584fb72961ca5b6ea1e3c943baa3e0f492a56859fe8dd661c7d61309fa9e5dd0c96f0c55
SSDEEP

12288:M+UsITPsJnAyGnAMmyZE+qwc1/ConIsrwk9:M+fITPTywNi+qksi

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/2436-3-0x0000000010000000-0x000000001008E000-memory.dmp	family_gh0strat
behavioral2/memory/2700-29-0x0000000010000000-0x000000001008E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Ogqgwg.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Ogqgwg.exe

Executes dropped EXE 64 IoCs

pid	Process
636	Ogqgwg.exe
4880	Ogqgwg.exe
2380	Ogqgwg.exe
3732	Ogqgwg.exe
1924	Ogqgwg.exe
1524	Ogqgwg.exe
2152	Ogqgwg.exe
3432	Ogqgwg.exe
812	Ogqgwg.exe
3588	Ogqgwg.exe
3208	Ogqgwg.exe
4256	Ogqgwg.exe
1504	Ogqgwg.exe
4012	Ogqgwg.exe
1328	Ogqgwg.exe
5040	Ogqgwg.exe
4260	Ogqgwg.exe
2024	Ogqgwg.exe
2168	Ogqgwg.exe
1668	Ogqgwg.exe
616	Ogqgwg.exe
4980	Ogqgwg.exe
532	Ogqgwg.exe
4372	Ogqgwg.exe
2780	Ogqgwg.exe
4632	Ogqgwg.exe
4360	Ogqgwg.exe
992	Ogqgwg.exe
3308	Ogqgwg.exe
1772	Ogqgwg.exe
3028	Ogqgwg.exe
844	Ogqgwg.exe
64	Ogqgwg.exe
2368	Ogqgwg.exe
2024	Ogqgwg.exe
1376	Ogqgwg.exe
4784	Ogqgwg.exe
4268	Ogqgwg.exe
2140	Ogqgwg.exe
1868	Ogqgwg.exe
2284	Ogqgwg.exe
1552	Ogqgwg.exe
2780	Ogqgwg.exe
3336	Ogqgwg.exe
2352	Ogqgwg.exe
848	Ogqgwg.exe
3104	Ogqgwg.exe
3720	Ogqgwg.exe
4272	Ogqgwg.exe
4380	Ogqgwg.exe
3612	Ogqgwg.exe
2128	Ogqgwg.exe
4844	Ogqgwg.exe
4424	Ogqgwg.exe
2364	Ogqgwg.exe
4696	Ogqgwg.exe
2228	Ogqgwg.exe
2720	Ogqgwg.exe
5108	Ogqgwg.exe
5104	Ogqgwg.exe
5088	Ogqgwg.exe
808	Ogqgwg.exe
1964	Ogqgwg.exe
360	Ogqgwg.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rsaalc oxprrxfg = "C:\\windows\\Ogqgwg.exe"	Ogqgwg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Ogqgwg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\Ogqgwg.exe	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe
File created	C:\windows\Ogqgwg.exe	Ogqgwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3196	4372	WerFault.exe	119

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	636	Ogqgwg.exe
Token: SeIncBasePriorityPrivilege	636	Ogqgwg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
1524	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 636	2436	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe	82
PID 2436 wrote to memory of 636	2436	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe	82
PID 2436 wrote to memory of 636	2436	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe	82
PID 2700 wrote to memory of 4880	2700	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe	96
PID 2700 wrote to memory of 4880	2700	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe	96
PID 2700 wrote to memory of 4880	2700	a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe	96
PID 4880 wrote to memory of 2380	4880	Ogqgwg.exe	97
PID 4880 wrote to memory of 2380	4880	Ogqgwg.exe	97
PID 4880 wrote to memory of 2380	4880	Ogqgwg.exe	97
PID 2380 wrote to memory of 3732	2380	Ogqgwg.exe	98
PID 2380 wrote to memory of 3732	2380	Ogqgwg.exe	98
PID 2380 wrote to memory of 3732	2380	Ogqgwg.exe	98
PID 3732 wrote to memory of 1924	3732	Ogqgwg.exe	99
PID 3732 wrote to memory of 1924	3732	Ogqgwg.exe	99
PID 3732 wrote to memory of 1924	3732	Ogqgwg.exe	99
PID 1924 wrote to memory of 1524	1924	Ogqgwg.exe	100
PID 1924 wrote to memory of 1524	1924	Ogqgwg.exe	100
PID 1924 wrote to memory of 1524	1924	Ogqgwg.exe	100
PID 1524 wrote to memory of 2152	1524	Ogqgwg.exe	101
PID 1524 wrote to memory of 2152	1524	Ogqgwg.exe	101
PID 1524 wrote to memory of 2152	1524	Ogqgwg.exe	101
PID 2152 wrote to memory of 3432	2152	Ogqgwg.exe	102
PID 2152 wrote to memory of 3432	2152	Ogqgwg.exe	102
PID 2152 wrote to memory of 3432	2152	Ogqgwg.exe	102
PID 3432 wrote to memory of 812	3432	Ogqgwg.exe	103
PID 3432 wrote to memory of 812	3432	Ogqgwg.exe	103
PID 3432 wrote to memory of 812	3432	Ogqgwg.exe	103
PID 812 wrote to memory of 3588	812	Ogqgwg.exe	104
PID 812 wrote to memory of 3588	812	Ogqgwg.exe	104
PID 812 wrote to memory of 3588	812	Ogqgwg.exe	104
PID 3588 wrote to memory of 3208	3588	Ogqgwg.exe	105
PID 3588 wrote to memory of 3208	3588	Ogqgwg.exe	105
PID 3588 wrote to memory of 3208	3588	Ogqgwg.exe	105
PID 3208 wrote to memory of 4256	3208	Ogqgwg.exe	106
PID 3208 wrote to memory of 4256	3208	Ogqgwg.exe	106
PID 3208 wrote to memory of 4256	3208	Ogqgwg.exe	106
PID 4256 wrote to memory of 1504	4256	Ogqgwg.exe	107
PID 4256 wrote to memory of 1504	4256	Ogqgwg.exe	107
PID 4256 wrote to memory of 1504	4256	Ogqgwg.exe	107
PID 1504 wrote to memory of 4012	1504	Ogqgwg.exe	108
PID 1504 wrote to memory of 4012	1504	Ogqgwg.exe	108
PID 1504 wrote to memory of 4012	1504	Ogqgwg.exe	108
PID 4012 wrote to memory of 1328	4012	Ogqgwg.exe	109
PID 4012 wrote to memory of 1328	4012	Ogqgwg.exe	109
PID 4012 wrote to memory of 1328	4012	Ogqgwg.exe	109
PID 1328 wrote to memory of 5040	1328	Ogqgwg.exe	110
PID 1328 wrote to memory of 5040	1328	Ogqgwg.exe	110
PID 1328 wrote to memory of 5040	1328	Ogqgwg.exe	110
PID 5040 wrote to memory of 4260	5040	Ogqgwg.exe	111
PID 5040 wrote to memory of 4260	5040	Ogqgwg.exe	111
PID 5040 wrote to memory of 4260	5040	Ogqgwg.exe	111
PID 4260 wrote to memory of 2024	4260	Ogqgwg.exe	112
PID 4260 wrote to memory of 2024	4260	Ogqgwg.exe	112
PID 4260 wrote to memory of 2024	4260	Ogqgwg.exe	112
PID 2024 wrote to memory of 2168	2024	Ogqgwg.exe	113
PID 2024 wrote to memory of 2168	2024	Ogqgwg.exe	113
PID 2024 wrote to memory of 2168	2024	Ogqgwg.exe	113
PID 2168 wrote to memory of 1668	2168	Ogqgwg.exe	114
PID 2168 wrote to memory of 1668	2168	Ogqgwg.exe	114
PID 2168 wrote to memory of 1668	2168	Ogqgwg.exe	114
PID 1668 wrote to memory of 616	1668	Ogqgwg.exe	115
PID 1668 wrote to memory of 616	1668	Ogqgwg.exe	115
PID 1668 wrote to memory of 616	1668	Ogqgwg.exe	115
PID 616 wrote to memory of 4980	616	Ogqgwg.exe	116

C:\Users\Admin\AppData\Local\Temp\a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
"C:\Users\Admin\AppData\Local\Temp\a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2436
- C:\windows\Ogqgwg.exe
  "C:\windows\Ogqgwg.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
"C:\Users\Admin\AppData\Local\Temp\a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\windows\Ogqgwg.exe
  "C:\windows\Ogqgwg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\windows\Ogqgwg.exe
    "C:\windows\Ogqgwg.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\windows\Ogqgwg.exe
      "C:\windows\Ogqgwg.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4980
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        24⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 364
        25⤵
        Program crash
        
        PID:3196

C:\Users\Admin\AppData\Local\Temp\a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe
"C:\Users\Admin\AppData\Local\Temp\a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1524
- C:\windows\Ogqgwg.exe
  "C:\windows\Ogqgwg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:2780
- - C:\windows\Ogqgwg.exe
    "C:\windows\Ogqgwg.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4632
  - - C:\windows\Ogqgwg.exe
      "C:\windows\Ogqgwg.exe"
      4⤵
      Executes dropped EXE
      PID:4360
    - - C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:992
      - C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3308
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3028
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:844
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2368
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2024
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1376
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4784
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2140
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1868
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2284
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1552
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2780
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3336
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2352
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:848
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3104
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3720
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4272
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4380
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2128
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4844
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4424
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2364
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4696
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2228
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5108
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5104
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5088
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:808
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1964
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:360
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1912
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        43⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3672
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        44⤵
        Adds Run key to start application
        
        PID:4012
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        45⤵
        
        PID:2452
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        46⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4316
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        47⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1752
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        48⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1800
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        49⤵
        
        PID:2488
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        50⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4108
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        51⤵
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5052
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        52⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:616
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        53⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1888
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        54⤵
        Adds Run key to start application
        
        PID:3976
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        55⤵
        Drops file in System32 directory
        
        PID:3404
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        56⤵
        
        PID:4152
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        57⤵
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4312
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        58⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4528
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        59⤵
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4588
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        60⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4060
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        61⤵
        Checks computer location settings
        
        PID:848
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        62⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3104
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        63⤵
        
        PID:3800
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        64⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1772
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        65⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4380
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        66⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4372
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        67⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4240
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        68⤵
        Checks computer location settings
        
        PID:2856
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        69⤵
        Checks computer location settings
        
        PID:4732
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        70⤵
        Drops file in Windows directory
        
        PID:3188
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4620
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        72⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5048
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2608
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        74⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3552
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        75⤵
        Drops file in Windows directory
        
        PID:2708
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        76⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4472
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        77⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2640
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        78⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        79⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3292
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        80⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4216
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        81⤵
        
        PID:4592
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        82⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2624
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        83⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2264
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        84⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        85⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1988
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3520
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        87⤵
        
        PID:768
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        88⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3164
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        89⤵
        Checks computer location settings
        
        PID:3168
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2268
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        91⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1532
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        92⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4820
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        93⤵
        Drops file in Windows directory
        
        PID:3432
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        94⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3552
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        95⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3936
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        96⤵
        Drops file in Windows directory
        
        PID:1384
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        97⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:992
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        98⤵
        Drops file in System32 directory
        
        PID:456
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        99⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        100⤵
        Drops file in System32 directory
        
        PID:812
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        101⤵
        Checks computer location settings
        
        PID:2864
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        102⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4796
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        103⤵
        
        PID:2452
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        104⤵
        
        PID:3748
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        105⤵
        
        PID:836
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        106⤵
        
        PID:2532
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        107⤵
        
        PID:2060
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        108⤵
        
        PID:5056
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        109⤵
        
        PID:1972
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        110⤵
        
        PID:4336
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        111⤵
        
        PID:440
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        112⤵
        
        PID:3124
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        113⤵
        
        PID:3404
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        114⤵
        
        PID:1524
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        115⤵
        
        PID:60
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        116⤵
        
        PID:2888
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        117⤵
        
        PID:2420
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        118⤵
        
        PID:3184
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        119⤵
        
        PID:924
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        120⤵
        
        PID:848
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        121⤵
        
        PID:3720
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        122⤵
        
        PID:4592
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        123⤵
        
        PID:2408
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        124⤵
        
        PID:2028
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        125⤵
        
        PID:5076
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        126⤵
        
        PID:2128
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        127⤵
        
        PID:4844
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        128⤵
        
        PID:2700
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        129⤵
        
        PID:4284
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        130⤵
        
        PID:4268
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        131⤵
        
        PID:3736
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        132⤵
        
        PID:2996
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        133⤵
        
        PID:3976
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        134⤵
        
        PID:3652
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        135⤵
        
        PID:2720
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        136⤵
        
        PID:3600
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        137⤵
        
        PID:3084
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        138⤵
        
        PID:2800
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        139⤵
        
        PID:1504
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        140⤵
        
        PID:2560
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        141⤵
        
        PID:2836
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        142⤵
        
        PID:3800
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        143⤵
        
        PID:2588
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        144⤵
        
        PID:2408
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        145⤵
        
        PID:1716
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        146⤵
        
        PID:4248
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        147⤵
        
        PID:4568
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        148⤵
        
        PID:2168
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        149⤵
        
        PID:2060
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        150⤵
        
        PID:4196
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        151⤵
        
        PID:2884
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        152⤵
        
        PID:4504
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        153⤵
        
        PID:1216
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        154⤵
        
        PID:1120
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        155⤵
        
        PID:1868
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        156⤵
        
        PID:2152
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        157⤵
        
        PID:808
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        158⤵
        
        PID:2164
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        159⤵
        
        PID:2420
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        160⤵
        
        PID:3184
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        161⤵
        
        PID:2324
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        162⤵
        
        PID:4992
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        163⤵
        
        PID:1784
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        164⤵
        
        PID:4592
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        165⤵
        
        PID:4868
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        166⤵
        
        PID:856
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        167⤵
        
        PID:4512
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        168⤵
        
        PID:4392
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        169⤵
        
        PID:8
        
        C:\windows\Ogqgwg.exe
        
        "C:\windows\Ogqgwg.exe"
        170⤵
        
        PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4372 -ip 4372
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Ogqgwg.exe

Filesize
1.0MB

MD5
4531c46b0844e49db3b482ab0a8aaa99

SHA1
8bafe779083ca8a8c1edd9dc7995b1aaec75ccdb

SHA256
a0d89a8cb7cc1539cae2e1c6e7dee4835506179deab6e5183000ffe30e5f9005

SHA512
a9671f57c624d73266f36449bada1be9fe51e138a35d941ec725f628584fb72961ca5b6ea1e3c943baa3e0f492a56859fe8dd661c7d61309fa9e5dd0c96f0c55

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
19B

MD5
fe9af7587d65300338177538aa72f924

SHA1
c8ae231d3ae13f9db8b9f16e188e951e7cb76377

SHA256
556243e27a369fbdff1ecfb413b7540f1eb4e6becba03b76d221443b0d022351

SHA512
3bffe70c5daea4d6be501278be067bbc02e7ac211fef33629b5447ef498d49af7cbe25f994e33c2835bd9963749c07edc789fddd918e1c7739b77422ff57cf3e

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
89B

MD5
e2555d379b0018e0b1f8fe315023250a

SHA1
cfa43b3fc28727f953ba42af1e482f9a45dd540a

SHA256
699307237384d698fc314b68120f27604fc4628b0e4d72de3bc630c6befad427

SHA512
db8b454ab6ce5f604d228932d2aaccfcada174d9771101d2e9bb262c491814e4773e09a7c33bf5b89c89ff196515f5338f512fc9bac896c5f22f148ba7d76527

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
54B

MD5
1cf99c06ae7383e7d3a3abc1de054a63

SHA1
b56d19408601be47bd026d41ccad02264a2b0980

SHA256
27371eab4a770fa61c816a5c4942d378793d82d8257304ad727b13a12774c163

SHA512
2e4a2392763de7fd69a9f1a6129bce362a1a5854cf53ca1947136b6e213aee6e3a333318e1d137fe5727adedbc2de7d82ba250f603cabf9ec0772b6caf8ddeb7

Download Submit
C:\input.txt

Filesize
5B

MD5
9efb1a59d7b58e69996cf0e32cb71098

SHA1
360997578b0deee1bcba6eedcf6a1af132f4bd2c

SHA256
9d35c7bac3de81b5750ab79dad019772e7195e8db2f9a6ffdbdd37509147f713

SHA512
ba02f3ceace5ff9026da5f9eb40015163c2ee8fc19a80e9e225ef05f634b58b82a58b93d6d77eb4548e7555cab48a53e005ff87ea5c43daa8be36acf8c96496f

Download Submit
memory/2436-3-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download
memory/2700-29-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads