d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2

Analysis

max time kernel
83s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2.exe
Size

561KB
MD5

d74a629d470aa97bbeb55ca06d69cb20
SHA1

19ef1bd3a23da8feee860cf6e62c6a2470dded77
SHA256

d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2
SHA512

9c5b9f47e90577253426d198bec19b840723f1aaa55c2b0b98ffa5734e15fcb0adb092bb29e57150190b8385f740f8ffa00fbe53aee07a3a1be35a8dade33214
SSDEEP

3072:dCaoAs101Pol0xPTM7mRCAdJSSxPUkl3VyFNdQMQTCk/dN92sdNhavtrVdewnAx8:dqDAwl0xPTMiR9JSSxPUKYGdodH3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemgtwtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemuacse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqempotzw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemicypx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemqcwnw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemsiuzj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemqrbbu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemrnytv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqempeolo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemgepxn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemqdcaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemartxq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemuefsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemzombn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemupvsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemydwtx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemirgbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqempczns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemfknle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemcoonh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemjxvjj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemoccgt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemzzyrg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqembwipm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemtltla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemofnnf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemqoehd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemmidjn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemcrvvy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemrwyvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemjpwuy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemytbew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemhssnp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemwvenc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemyzuhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemvksfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemfqxfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemwgyza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemdqwoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemqxnwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemarvki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemfgprv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemvuzsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemeubtw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemhjmbs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqempkgyz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemqvxfn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemyuatg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemwwpae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemttxgq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemnawhn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqempkvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemrnnyl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemzgedu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemlzthr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemamkxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemxmwbz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemmvvym.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemndrvt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemhadtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemtvplw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemdiawl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemdscor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Sysqemiudim.exe

Executes dropped EXE 64 IoCs

pid	Process
1448	Sysqemofnnf.exe
1792	Sysqemyuatg.exe
3352	Sysqemlzthr.exe
2832	Sysqemvksfy.exe
1548	Sysqemdodxt.exe
1008	Sysqemamkxu.exe
4712	Sysqemwwpae.exe
3356	Sysqemttxgq.exe
4236	Sysqemdiawl.exe
2120	Sysqemfgprv.exe
3036	Sysqemqoehd.exe
2372	Sysqemartxq.exe
3260	Sysqemvuzsc.exe
2624	Sysqemgtwtl.exe
2976	Sysqemytbew.exe
3268	Sysqemnfgjz.exe
4500	Sysqemlzdkj.exe
1580	Sysqemfqxfy.exe
320	Sysqemaownn.exe
2060	Sysqemxmwbz.exe
1648	Sysqemdscor.exe
4524	Sysqemczbmk.exe
2584	Sysqemsiuzj.exe
2836	Sysqemvdyhy.exe
404	Sysqemiudim.exe
1728	Sysqempczns.exe
3468	Sysqemfknle.exe
1792	Sysqemqrbbu.exe
1576	Sysqemnawhn.exe
2720	Sysqemihnhb.exe
3184	Sysqemnxtij.exe
3344	Sysqemdrctd.exe
4484	Sysqemeubtw.exe
548	Sysqemhmdct.exe
4244	Sysqemklsfd.exe
3780	Sysqemmvvym.exe
2116	Sysqemhjmbs.exe
1840	Sysqemmzkba.exe
3808	Sysqemuefsi.exe
3244	Sysqemndrvt.exe
2868	Sysqemuacse.exe
2112	Sysqempkvvi.exe
4244	Sysqemrnytv.exe
1644	Sysqemmidjn.exe
3276	Sysqempkgyz.exe
1876	Sysqempotzw.exe
1136	Sysqemxepwu.exe
1792	Sysqemhssnp.exe
2868	Sysqemcrvvy.exe
3608	Sysqemmmudr.exe
4044	Sysqemhadtl.exe
4744	Sysqempeolo.exe
5060	Sysqemzombn.exe
4500	Sysqemrhbhg.exe
532	Sysqemhxmkk.exe
2560	Sysqemcoonh.exe
2116	Sysqemrwyvu.exe
3112	Sysqemwvenc.exe
2820	Sysqemjlade.exe
4800	Sysqemyxfji.exe
2060	Sysqemjpwuy.exe
2188	Sysqemjxvjj.exe
492	Sysqemupvsn.exe
5040	Sysqemoccgt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvdyhy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempczns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrnnyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemaownn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhssnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhxmkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemarvki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvksfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdscor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnawhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuqcgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhjmbs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuefsi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcoonh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtltla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyuatg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemartxq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfqxfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcrvvy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemicypx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcrdji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemofnnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjxvjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemoccgt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlsknf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmmudr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlzdkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnxtij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxepwu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrwyvu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgesli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemibnmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemamkxu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfgprv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxmwbz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdrctd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyxfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemttxgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfknle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrnytv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhadtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjpwuy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemydwtx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemiudim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqrbbu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemihnhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemeubtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmzkba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnfgjz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemytbew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzombn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzzyrg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqcwnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyzuhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdqwoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqxnwj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwwpae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempkvvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempotzw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembwipm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuacse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdiawl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgtwtl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 1448	3356	d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2.exe	88
PID 3356 wrote to memory of 1448	3356	d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2.exe	88
PID 3356 wrote to memory of 1448	3356	d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2.exe	88
PID 1448 wrote to memory of 1792	1448	Sysqemofnnf.exe	92
PID 1448 wrote to memory of 1792	1448	Sysqemofnnf.exe	92
PID 1448 wrote to memory of 1792	1448	Sysqemofnnf.exe	92
PID 1792 wrote to memory of 3352	1792	Sysqemyuatg.exe	96
PID 1792 wrote to memory of 3352	1792	Sysqemyuatg.exe	96
PID 1792 wrote to memory of 3352	1792	Sysqemyuatg.exe	96
PID 3352 wrote to memory of 2832	3352	Sysqemlzthr.exe	97
PID 3352 wrote to memory of 2832	3352	Sysqemlzthr.exe	97
PID 3352 wrote to memory of 2832	3352	Sysqemlzthr.exe	97
PID 2832 wrote to memory of 1548	2832	Sysqemvksfy.exe	100
PID 2832 wrote to memory of 1548	2832	Sysqemvksfy.exe	100
PID 2832 wrote to memory of 1548	2832	Sysqemvksfy.exe	100
PID 1548 wrote to memory of 1008	1548	Sysqemdodxt.exe	101
PID 1548 wrote to memory of 1008	1548	Sysqemdodxt.exe	101
PID 1548 wrote to memory of 1008	1548	Sysqemdodxt.exe	101
PID 1008 wrote to memory of 4712	1008	Sysqemamkxu.exe	102
PID 1008 wrote to memory of 4712	1008	Sysqemamkxu.exe	102
PID 1008 wrote to memory of 4712	1008	Sysqemamkxu.exe	102
PID 4712 wrote to memory of 3356	4712	Sysqemwwpae.exe	103
PID 4712 wrote to memory of 3356	4712	Sysqemwwpae.exe	103
PID 4712 wrote to memory of 3356	4712	Sysqemwwpae.exe	103
PID 3356 wrote to memory of 4236	3356	Sysqemttxgq.exe	105
PID 3356 wrote to memory of 4236	3356	Sysqemttxgq.exe	105
PID 3356 wrote to memory of 4236	3356	Sysqemttxgq.exe	105
PID 4236 wrote to memory of 2120	4236	Sysqemdiawl.exe	106
PID 4236 wrote to memory of 2120	4236	Sysqemdiawl.exe	106
PID 4236 wrote to memory of 2120	4236	Sysqemdiawl.exe	106
PID 2120 wrote to memory of 3036	2120	Sysqemfgprv.exe	107
PID 2120 wrote to memory of 3036	2120	Sysqemfgprv.exe	107
PID 2120 wrote to memory of 3036	2120	Sysqemfgprv.exe	107
PID 3036 wrote to memory of 2372	3036	Sysqemqoehd.exe	109
PID 3036 wrote to memory of 2372	3036	Sysqemqoehd.exe	109
PID 3036 wrote to memory of 2372	3036	Sysqemqoehd.exe	109
PID 2372 wrote to memory of 3260	2372	Sysqemartxq.exe	110
PID 2372 wrote to memory of 3260	2372	Sysqemartxq.exe	110
PID 2372 wrote to memory of 3260	2372	Sysqemartxq.exe	110
PID 3260 wrote to memory of 2624	3260	Sysqemvuzsc.exe	111
PID 3260 wrote to memory of 2624	3260	Sysqemvuzsc.exe	111
PID 3260 wrote to memory of 2624	3260	Sysqemvuzsc.exe	111
PID 2624 wrote to memory of 2976	2624	Sysqemgtwtl.exe	113
PID 2624 wrote to memory of 2976	2624	Sysqemgtwtl.exe	113
PID 2624 wrote to memory of 2976	2624	Sysqemgtwtl.exe	113
PID 2976 wrote to memory of 3268	2976	Sysqemytbew.exe	114
PID 2976 wrote to memory of 3268	2976	Sysqemytbew.exe	114
PID 2976 wrote to memory of 3268	2976	Sysqemytbew.exe	114
PID 3268 wrote to memory of 4500	3268	Sysqemnfgjz.exe	115
PID 3268 wrote to memory of 4500	3268	Sysqemnfgjz.exe	115
PID 3268 wrote to memory of 4500	3268	Sysqemnfgjz.exe	115
PID 4500 wrote to memory of 1580	4500	Sysqemlzdkj.exe	116
PID 4500 wrote to memory of 1580	4500	Sysqemlzdkj.exe	116
PID 4500 wrote to memory of 1580	4500	Sysqemlzdkj.exe	116
PID 1580 wrote to memory of 320	1580	Sysqemfqxfy.exe	117
PID 1580 wrote to memory of 320	1580	Sysqemfqxfy.exe	117
PID 1580 wrote to memory of 320	1580	Sysqemfqxfy.exe	117
PID 320 wrote to memory of 2060	320	Sysqemaownn.exe	118
PID 320 wrote to memory of 2060	320	Sysqemaownn.exe	118
PID 320 wrote to memory of 2060	320	Sysqemaownn.exe	118
PID 2060 wrote to memory of 1648	2060	Sysqemxmwbz.exe	119
PID 2060 wrote to memory of 1648	2060	Sysqemxmwbz.exe	119
PID 2060 wrote to memory of 1648	2060	Sysqemxmwbz.exe	119
PID 1648 wrote to memory of 4524	1648	Sysqemdscor.exe	120

C:\Users\Admin\AppData\Local\Temp\d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2.exe
"C:\Users\Admin\AppData\Local\Temp\d52717018bedff63ebf4fb8bbd75b0910f5cf113f623a6a83f3b555d5cf0a8f2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\Sysqemofnnf.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysqemofnnf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\Sysqemyuatg.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysqemyuatg.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\Sysqemlzthr.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysqemlzthr.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\Sysqemvksfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvksfy.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Users\Admin\AppData\Local\Temp\Sysqemdodxt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdodxt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemamkxu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemamkxu.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwwpae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwwpae.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemttxgq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemttxgq.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdiawl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdiawl.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfgprv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfgprv.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqoehd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqoehd.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemartxq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemartxq.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvuzsc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvuzsc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgtwtl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgtwtl.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemytbew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemytbew.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnfgjz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnfgjz.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlzdkj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlzdkj.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfqxfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfqxfy.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaownn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaownn.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxmwbz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxmwbz.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdscor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdscor.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemczbmk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemczbmk.exe"
        23⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsiuzj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsiuzj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvdyhy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvdyhy.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiudim.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiudim.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempczns.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempczns.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfknle.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfknle.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqrbbu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqrbbu.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnawhn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnawhn.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemihnhb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemihnhb.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnxtij.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnxtij.exe"
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuqcgd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuqcgd.exe"
        33⤵
        Modifies registry class
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdrctd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdrctd.exe"
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeubtw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeubtw.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhmdct.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhmdct.exe"
        36⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemklsfd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemklsfd.exe"
        37⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmvvym.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmvvym.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhjmbs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhjmbs.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmzkba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmzkba.exe"
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuefsi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuefsi.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemndrvt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemndrvt.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuacse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuacse.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempkvvi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempkvvi.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrnytv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrnytv.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmidjn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmidjn.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempkgyz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempkgyz.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempotzw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempotzw.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxepwu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxepwu.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhssnp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhssnp.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcrvvy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcrvvy.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmmudr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmmudr.exe"
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhadtl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhadtl.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempeolo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempeolo.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzombn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzombn.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrhbhg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrhbhg.exe"
        56⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhxmkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhxmkk.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcoonh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcoonh.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrwyvu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrwyvu.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwvenc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwvenc.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjlade.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjlade.exe"
        61⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyxfji.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyxfji.exe"
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjpwuy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjpwuy.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjxvjj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjxvjj.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemupvsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemupvsn.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoccgt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoccgt.exe"
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzgedu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzgedu.exe"
        67⤵
        Checks computer location settings
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrnnyl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrnnyl.exe"
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzzyrg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzzyrg.exe"
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqvxfn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqvxfn.exe"
        70⤵
        Checks computer location settings
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgesli.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgesli.exe"
        71⤵
        Modifies registry class
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtvplw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtvplw.exe"
        72⤵
        Checks computer location settings
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemomstf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemomstf.exe"
        73⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtolam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtolam.exe"
        74⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembwipm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembwipm.exe"
        75⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlsknf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlsknf.exe"
        76⤵
        Modifies registry class
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtltla.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtltla.exe"
        77⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwgyza.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwgyza.exe"
        78⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemibnmf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemibnmf.exe"
        79⤵
        Modifies registry class
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemicypx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemicypx.exe"
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqcwnw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqcwnw.exe"
        81⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemydwtx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemydwtx.exe"
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemirgbk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemirgbk.exe"
        83⤵
        Checks computer location settings
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyzuhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyzuhe.exe"
        84⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemarvki.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemarvki.exe"
        85⤵
        Checks computer location settings
        Modifies registry class
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgepxn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgepxn.exe"
        86⤵
        Checks computer location settings
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqdcaj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqdcaj.exe"
        87⤵
        Checks computer location settings
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdqwoc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdqwoc.exe"
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqxnwj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqxnwj.exe"
        89⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcrdji.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcrdji.exe"
        90⤵
        Modifies registry class
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkvpcd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkvpcd.exe"
        91⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfcgcr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfcgcr.exe"
        92⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemngrvu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemngrvu.exe"
        93⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnrevj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnrevj.exe"
        94⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfcstc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfcstc.exe"
        95⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyrube.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyrube.exe"
        96⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfnomb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfnomb.exe"
        97⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaquhm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaquhm.exe"
        98⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemprqxt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemprqxt.exe"
        99⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempsqdt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempsqdt.exe"
        100⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkyili.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkyili.exe"
        101⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnasmr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnasmr.exe"
        102⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhgkmf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhgkmf.exe"
        103⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuqsvo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuqsvo.exe"
        104⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcnmyl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcnmyl.exe"
        105⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemunqjw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemunqjw.exe"
        106⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrpuzr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrpuzr.exe"
        107⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcozcv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcozcv.exe"
        108⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjwefn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjwefn.exe"
        109⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrbqyq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrbqyq.exe"
        110⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwgmja.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwgmja.exe"
        111⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemznkrd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemznkrd.exe"
        112⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempgjxk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempgjxk.exe"
        113⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxlfot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxlfot.exe"
        114⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrnjzp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrnjzp.exe"
        115⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxtpup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxtpup.exe"
        116⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtnyhz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtnyhz.exe"
        117⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembrkac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembrkac.exe"
        118⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwxcnu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwxcnu.exe"
        119⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrhfbl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrhfbl.exe"
        120⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzhngl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzhngl.exe"
        121⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzxmjq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzxmjq.exe"
        122⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjzdhp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjzdhp.exe"
        123⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgywqt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgywqt.exe"
        124⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzjuts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzjuts.exe"
        125⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrquwx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrquwx.exe"
        126⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuxjny.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuxjny.exe"
        127⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemodbnm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemodbnm.exe"
        128⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtukyl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtukyl.exe"
        129⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembntof.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembntof.exe"
        130⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembrpeh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembrpeh.exe"
        131⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemikpxi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemikpxi.exe"
        132⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemypzqa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemypzqa.exe"
        133⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemomjij.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemomjij.exe"
        134⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtkpjr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtkpjr.exe"
        135⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtslgp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtslgp.exe"
        136⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlvbec.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlvbec.exe"
        137⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgbbsc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgbbsc.exe"
        138⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwkabo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwkabo.exe"
        139⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemykazw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemykazw.exe"
        140⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemygxis.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemygxis.exe"
        141⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqcyys.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqcyys.exe"
        142⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemagytt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemagytt.exe"
        143⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqdjwx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqdjwx.exe"
        144⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyicpa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyicpa.exe"
        145⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkkjkx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkkjkx.exe"
        146⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnqpvm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnqpvm.exe"
        147⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkclik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkclik.exe"
        148⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdnaow.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdnaow.exe"
        149⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiacbb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiacbb.exe"
        150⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxbzrp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxbzrp.exe"
        151⤵
        
        PID:2460

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysqamqqvaqqd.exe

Filesize
561KB

MD5
af36e538c454e7847a3ae6dc23959ff4

SHA1
a8ba9eb15faa3b03b8ebee11f0bd53de128ea5df

SHA256
cdc5b73d8414407a6654d9c4932d07ca7483d1afca2ea27456ba477e7f86281b

SHA512
d21fd42880858884da7ab6dfac1386d546090acde2535d5a6a038a044f0b1cc25e1839794c903ebcb10525f3df9a7d2d88c3b7996fd8bf94f57c305346d96727

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemamkxu.exe

Filesize
561KB

MD5
f320c196c592acd6d866859784b2a720

SHA1
a0d6322881665bacfc7b165158ad59d6bb4ef18b

SHA256
1fec975fdb6ac9605fd592baba3113e61779a1c626b316b05f27012f47f51c0d

SHA512
622780c65c742487ad167507d32dbdf031977d5cb8993df563f1fdd5026d754b5ba1f3c4866a6d85aef049c20a12243a145588e30dd12ba8c16982c122980aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemartxq.exe

Filesize
561KB

MD5
5cec1e3eb3e9ff52f47810b8ae28b537

SHA1
e0dc9090fd6e4689327282da3b8c5ad43ec3fc9d

SHA256
078ec6432523a251a8482f0253a6b82f27bd2506b2c29f47a28a664e9d978d14

SHA512
0c65abb10b67a71d51460c8b27190ac2289dbfb322639b855edf02a1a1052300180bb2dff46dddf188ab729c1721eb309ae379edf36c918be8becb8ba266b53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemdiawl.exe

Filesize
561KB

MD5
aee1a2ce21df8842adece5d01e44dc73

SHA1
cf06fac3d1984dd3e40aedf101ca18294a7f2391

SHA256
db85e3d1bd198fcf7fe2f798acb0536d19dc12cd64449b44443e5e7e0656c5fb

SHA512
a0f160c507e2712ea2ecbe65d1560e9adde3690b350db8b48fa15df0f668669940ccab78559bf6e9e0d31ff1e092e462eca45a690f03577db13a3d6d0388cf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemdodxt.exe

Filesize
561KB

MD5
ba9c090816882c4ebd826254ea7f6312

SHA1
028957c97f08dfd16e65b38b93f4c4ad07187a8a

SHA256
7f7c53b0d492577abd5f38522e6a22e3b27354a95a9ab69fd3f68ab93133e193

SHA512
784e50850997e62a8317875f746e6ad234e9efc50b6f9ecec9d45eb93ee225a084fdbf817fba71ecc8bb088ff130e5333a3e78a990a552b81988d357a16d7e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemfgprv.exe

Filesize
561KB

MD5
d5d5c3c02cb0ad5b48d631b6d4f50698

SHA1
f3b115c073f8eebc769bfec3b59efc58d6337755

SHA256
45507b63a75318f84e88dbd40a656b208ad461fd3706cfa4456824a8dadb44b8

SHA512
64d4cbab5478934dbb54ffddffeeae83c1ed9240846faae49e32821e02f902c60b9fe68c8d678023a5fd6c2e8ba9512b79f03a18a09f1513775737307b1d9cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemfqxfy.exe

Filesize
561KB

MD5
3beec83dc239f7656ffdac9ed1849f09

SHA1
d50db77efc3470ab5d9446166130d88572b07e27

SHA256
6e7d2030c0621bee833bec5380629da39c7ca139852fb8dae5d6095a330df73b

SHA512
8beff496286c53851dd1557cab2bb36f64f58944340cd56b461f5f10aadc330215bc9d004c1bcf250d4eab3f5e984db24d5cda1b3fa0da0b3298f22e6b71da35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgtwtl.exe

Filesize
561KB

MD5
1f965cb79db5e20a19e5cfde9899c161

SHA1
a3e5bd7023af07ff22d09554d4b528d1dcf77527

SHA256
c1adce6ddf3dd5794f3cf585bf93f51cfcba32d87d47232681ce4b612530cf79

SHA512
7089b66f69c7263e587c27dc38c619e304b9f9b0ca1887d9ea76a004129bc92234bb75b590e21327e8d5ce9a22e415be41c3860a30541e8068e5662af36c5a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlzdkj.exe

Filesize
561KB

MD5
85ef363d54f47daad87db13a7992e7f1

SHA1
f1fd6e7e8c0d30aa51616c740fbb389cfe6d4b5c

SHA256
6c4febdf4bb047b59242b743d771fd2490de317243ee3b895b56faf6db5e23bb

SHA512
7481516bd67ed2f70f2f1fcbddddb8aa1271c0ab93eba882d86ba1326aa9ae4e32d6e7d6f49996a2c96489a7451d6fe90bef001d5ab8e84e19e4f86a02ccef85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlzthr.exe

Filesize
561KB

MD5
9e119727f7077b588f81e937cb937956

SHA1
f85b8bdbfa828c659d23d6194dd585df9d48062b

SHA256
d77940a4b5bdb6758688b50c21c2f572e88ef9f440ed4633762d5fc70da14ca1

SHA512
50da9fb682b86b0f0ca54a43757688d949e35a4730ba578e1d495ef996a578c3f79d7f387f295def51ebd93369dd3e308834ed86e6161d0bb48e3754c14c6cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemnfgjz.exe

Filesize
561KB

MD5
92aeb467699983e722f0733d695a20e0

SHA1
5a50435a69bc43297b74c82416103ead38c77095

SHA256
a05116594f19b4624ebfaa643927443a5044e8d19280c5aebc13cce436005c02

SHA512
8849d2a7469310d7fca063c950a276127b61d1a853bc1850d778c6bc141727ba6e04407cc73cbacf0e55f9f197154df59a647d2956f8fb39cf76b5226ad5290e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemofnnf.exe

Filesize
561KB

MD5
c828348a376defe8383a1ba0daf8cc7f

SHA1
d448609ea277d187d3332dcf84f4aae0e8f1961b

SHA256
73e8a2946ef89044339d5b02c0512b802d048eca6408088590aa59c7a98b2594

SHA512
7d9debccb9c32cb41df399235ca595973dac8ae873c0733a5dd6ad4afb8a215164ac167e62f84683ae3a44b02318a764b09b5bdad37df7dd828ab73988e8f2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemqoehd.exe

Filesize
561KB

MD5
9b8f976171aa3dedf491d4d47aef888c

SHA1
3e9a9d1c8f6a4b1367f1bb47ef9e3260666a55a4

SHA256
d2556dbc2d42b922716ca314a4013038409ff3a825acdbf43925e493316fcaa6

SHA512
bf1c1e6f431206b9baf467367ca75cc7a5c1deefd0be15abb1e768d5b372e768e0b4338b5f30b2fe2cdcf9414e965cb3dae07b39af5911f4a4bd4604fc65cbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemttxgq.exe

Filesize
561KB

MD5
d3367a7215f1529bdf5cab3f47b365a2

SHA1
f6cb217fa103874ef5f3b6ea34fd520430100b28

SHA256
6812dfed7c711bbe925160f14f81795be947dad0d6436e82ac7a38355b94ec94

SHA512
9b52de57ffa9bc248250af74747016c63eb5cb27fe7da0edd892d544e7d2c64419422344208315e4014d437e76105117f958e3d043224cde53660b52f1536fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvksfy.exe

Filesize
561KB

MD5
c2bba6418b3893d49f678c36ea99c4b2

SHA1
8bc0a9e82b38e603112c0f609ea4aa6e71e81a2b

SHA256
4f4920adda41f9a63adc2881cdf1851bad6c0b39894ef712880aa69ec32a0ab5

SHA512
dbeb576a636817623798823db4dcac5555f94818135f02944435266698eb3b029edd15e7a00aab92ac342f7983dcd9124a77ad41173512f77c1f6841b0026747

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvuzsc.exe

Filesize
561KB

MD5
614dadd0e95d2cefdd602d39da169da2

SHA1
30fb599f88c0f6f20bbe61b6d0601c21b3b05cc9

SHA256
2d26ac1f269191597128a2a584f1a77cddac16ef52aefccd20cb7a5d0d84e9f7

SHA512
559d9792d35d274971e2b3c24b9f39e5f1ca88a70a66729f4eed78d15a162432afd5e9e2400a35c4c27018edb109cde9701471b516b3afd08baf72c95dbf3598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemwwpae.exe

Filesize
561KB

MD5
ba8a793ee4f514d01a92b3441a99215e

SHA1
27155e5764f8ba84fbe38ab5d6048db145afd634

SHA256
bf4588962aeaf113f6273dc013c769e0fd4d7595bb3cae3ec2af0b1d950a0ac3

SHA512
ca3a76b188bc5652ac4e88536e24049f799d240bf070df88f11f49361b91c484e3dc3dd5d5365490fc6707c479513dfbc9796ff03caafbfe2d1ebfbf766d49b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemytbew.exe

Filesize
561KB

MD5
5fd63984a29deddd281062b30eb64af6

SHA1
c55b774048ab8110d36863b83bee21e6deadf769

SHA256
739826306424352af0eb761412b0964c498a19798038430714955dc3261ae661

SHA512
19a66f14ba4cd8ea4be9947697e86a13e584d553ae4bea8eef79346a164a20853a5e511973dce9abff50e23d272303c5c1bcaca660b8e4da61cf8110d7f068c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemyuatg.exe

Filesize
561KB

MD5
f7d3011fa3afe02162282eca8c73ea30

SHA1
ae31ac36fdbbaca3c9e4c1215a8c03507e410047

SHA256
4cd01014452f792a1622bc5b6182496e787b0213e870a30c2f29db60ae3aa87f

SHA512
876585d27dc032c0f5a18b88615523daf9f0b3a2a303352fbf8bda261fcb0301427671d1f877fa4d57f87c936bf1ad7eb52555b21c654fe32c33989b46b9a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
955c7255babc9353c1df6af51ba15b0a

SHA1
e39d8217c3ae7f384101da42dbc568808d34a4b2

SHA256
01a1a265096a8b43e7c7ea3ca4c023ce2e372194045c165abe34eb53853e09ff

SHA512
fb95059bfce2a5673a29929d2e6fcf23b8cb58aca7597820ce44161a2fbe24a58b4b9864d88ca5563497bad9ffe964309f2fe9ff8249d9531358d445cb030e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
26726f1557ca889dfedc7d123bfd1524

SHA1
d9db21e3770540a6d4a4d9bedd1ea9de49d72a42

SHA256
c1e7d7ec35ef33190f74ce7cb19b308cc5e4c9528e2116e0a59d330dd93795dd

SHA512
c314c0a213c3000dc853b09222ffbdfbd09f89c861e37bb5d09e65f82375277cf0e84b03d51c44ca1b0aa6f9b261936bd796e5b6bc9e856e372a4cdc46bf1dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
0e543631c76fa5031802f69cea011660

SHA1
ee77b408c63644c8dd58869623b584463fbb71c7

SHA256
2a1501471206d2187bda0075e4d4e453b92837a6a730c1af7c0f6013b030f373

SHA512
cec6adbf296849e2b6490034bb4199794f730345fa0a8f7e3722f501280270fa1df61217d3af22485d9fcc88c088fbc1c63638c5093161ea1fa82c321ccb6e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
792f5a050dcf4c55afd93c987ad4ea78

SHA1
f9cb3be67ecd909b929cd5b978e9c146fd1c300e

SHA256
2744ff1db55ba4aff322aa1311e025220821c40365ef45212dd952054a6dbfa5

SHA512
8b71432ab07b15678f0c38e4beb971830a3ee5a1f683dc7bc7a88e4c8736f8159fa521a43cf9d48113dd6956ccc1a844a8132dd367ef3b45157710f0458b7e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
839e697db07ead1ae88270c31e146364

SHA1
d1919ba38a2581e3899fb29138a3a9109df7218b

SHA256
c8fb26dd401fb280b9862f7c9ee0a6a24e0ff78b2fb7e3e53ff6a55cd19cfed2

SHA512
cb5222aa515e343fef6c5a06cfb8ce0ff13f544131d1e678aae195591cc1d1d75c7ba190e78b0652b2603654154ea9f7a27bb71ed2aa662bb7f9ed28e714475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
7309bd28f057ae1368e31f37264afbe3

SHA1
e88e7368bbdadfe28605927286a78c8a7d346915

SHA256
6c834536906af2cb0fed7f4b5ba51ee7450821098860f17596808c33054cf104

SHA512
b8dc517c006e6938805bc8289f296b5fd52953c23f6cfe5faf2f339c687a35ce44c5cbd25750a108a797e5d7787abde89411c760e03e61d705690ee2b79b390f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
90f7a06854db1317316e52d8f1bd8d97

SHA1
64db7fb3a0b26ce7d695c2aff26269eed9f2ace3

SHA256
98e9f3193488b22ce276b1e9a3122be7254ae9a35efa3d496da71776672859a6

SHA512
5c902f2e5ec20255e4ea63ef5fa7f6cca200bdaea21f446cd433f7329b203c8ad8dce768db5474e8b009c1d273b0a240683d996b1850550d5fc113336e8bc7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
c890c125bcba1f8a97c4849d4f1267c3

SHA1
910f9babb80c81fce4d7611c514d9f912a16b0dc

SHA256
d10642fe572af35d63ae7737ebb507fb0a3eb67e8f2191eb7da0f82d58394c30

SHA512
ebaccfc55eb2911836d1972bfb8895b0e61a440fb7042808121576493cce5f67fb6527525782e9ebd4e38c853c5b11cc56d6f0a963132ee59e832c6db3bdaba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
2fbe00f63b6a6756a90816dd8af5ba6e

SHA1
ebe705cd134828f65937b9f7ee0bbbf934a23ebc

SHA256
55b7308de14a232b6c577f69b112d241fe4ab962db30125b21f98468fccf5ddf

SHA512
4434224bbd9f1d206623eab68a6bfc165a6c19591225dd41eda881d33bc58963bd2f5a0fb949ea1e9f31a9cf2645a637197388edd37491f7be343a41f30e5d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
673a3897f9fa6ff86e374fda7be43bd4

SHA1
a723c8fb1ebb15e8e60369a4b2be4a57f2a5af67

SHA256
f74b8fba4a6ccf529d8390696f592a0b4166d4c87340dc0d20fb05e61a149d71

SHA512
f5ea0d0117aae95106a49e11992e5a2db6725f92046b4f3222f9c36f1797ef203b24b9c951b4b5578f0fb6e7b80dc2b3145c71389841b7f90135b64ab475c72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
fbcbce6b77e698e99911d009408afec0

SHA1
c1acf55373e947a7c6a2cd503e550e6967770a94

SHA256
b28d0a91604020166d85634037b12a85309efa0aa46dff427d29af2dd15643f2

SHA512
55c35ed862ccd471175d37b7b437bdca3e2e6c1288215e1683792ee6b9ed1a2baadde92890c2982905e11e481d09374ddbabaecb15371dcaf789d7c289fc6065

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
8adc3ba7955861eebcff8e30ed2af75d

SHA1
babdf2b3d5ec295f716e83a508e9d94ed9867bf1

SHA256
2198e189343082fbd63d092fea0d0f7fe973ed29a1953a314adf161382162b0d

SHA512
67ed211a255281571087380bde98a814c4dd5601812a310d82f698f836fab8711333a120d433f1a413399a0335de7206808b4835715c67f42f00aeb9bae7e111

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
256fe850b564273aa04439e86a56bfa0

SHA1
7dbf2b0c74ccb6bc0885484a754faa548da00fd7

SHA256
f5090c176278f481bbbb6ece5e3d4789461a5ff5e2a38d411d3849d303d1d83a

SHA512
ae8ea799b7c66725f87d8e226cce3eb8f736ece3ca86586089a8ec4b8d4cc5796a8b2eb57c44c871e5b629e5073f74001e4b6f179993b3c975a2ed8bcfc3e065

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
3d2a33f8dc7fa188828c92d34603e961

SHA1
dcc953b6e33102fe153cde712f9781dd0e3dcbb4

SHA256
6701c2f3c0404b364fa00dbb1fcef3a1c6d6c16f9d45f9e4673984710d5bdcc5

SHA512
99bcd8280faf6e8ff3faf9c6a5f95a3f305654c76845184a1b1552abc2150f6e2d50d683974d9acccab8ba3bb8d3c29a6bbebbe4ccc6bec412bffd5465a1a0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
d0fd385b58a3cc11f3e38e5210d48106

SHA1
ea333b2011ac9c77cefd8c82f46929bcab52d780

SHA256
fa4994e6094633df30d9e6bac6a26e452089c9a15f2d4cf7ba95e65a4f160fda

SHA512
bcfa4e383c3ed249c1e0806a91ff2d2e27023f5bed3fe1399af538916ed6ad8ab80cafb8070a8af12bf8e50e2dcef8783490a27291a19d67407f89182404c84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
1ddeab2ef417cfac8362031ba5b1f418

SHA1
e3f7695229273c5b2485bec4dfdd11daabff93cb

SHA256
cd8646fdf42a3d91858948afff52b4c993c0c00a879855dc4730e9ab5298b998

SHA512
8332809f39a0c718ec07edd41fd6be2529ab2b14e1c039634e525683d915dde37ccd8ca53848acb6df0c9e3afb057d46fa5e5c6f8c33ce630dd6339d0a649644

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
a40bb3df249fd9cc76998441194b3dfe

SHA1
49431662913a200e1c610682bc9a3cb10b745940

SHA256
25e9485925057faa13b22f7c4ff49ee7fcbbb8be300eac2cb8f4ac8d397d40d2

SHA512
f8b2ffda4b2fa12b6a7925438ae28adc2009f3f31bf41413c08c9e090e1e5842436bbfc0e0581bdc54d40a2e7d2a86b9f62c20f6f2aa870adbfba8c13a456520

Download Submit