98d57e95fc82f157f68b83c644f77e4845782a820b4282282d4fed1ec41e19b1

Analysis

max time kernel
109s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b4334c4205996925e222e507ae2860_NeikiAnalytics.exe
Size

539KB
MD5

09b4334c4205996925e222e507ae2860
SHA1

134813201ec447dcbb825240e5788cdf4e034931
SHA256

98d57e95fc82f157f68b83c644f77e4845782a820b4282282d4fed1ec41e19b1
SHA512

617652985155e4bb33c46ac2d7e57628d7f28cb7143b6bf48f39a96bb2a0c2f37d3396a5fc64a57ee3fcfe8f723d6a598b4652f71dceac431d6eb6b9761e4b12
SSDEEP

3072:wCaoAs101Pol0xPTM7mRCAdJSSxPUkl3VyFNdQMQTCk/dN92sdNhavtrVdewnAxp:wqDAwl0xPTMiR9JSSxPUKYGdodHy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemyuvxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemaqspj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemeyedg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemclloo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemmowqw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemjefsp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemjansv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemxwiqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemqvuss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqempnmgg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemefpua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemnxnki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemxqnor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemzuqwk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemtnkef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemaqdsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemwmuhz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemgigbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemnmxef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemdgtjx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemnbktf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemfpwkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemwofui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemqtkwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemsitmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqempawfv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemcntjf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemwjpit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemzmrtf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqempafmg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemreiof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemqnyif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemzbfar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemijsph.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemlysxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemvobbf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemhlesa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemsawoz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemhatsa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemzjphn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemnfxrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqempyydc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemlseba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemlqzrx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemmgxav.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemmbwrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemzohum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemeqgzu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemlxgtr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemojbld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemiphqt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemladna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemyrift.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemnehct.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemfypzc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemljjsy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemyomlg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemffdwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqempxduu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemfvuss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemdgdrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqembedup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemxiicx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Sysqemfzcfa.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	Sysqemjzxyw.exe
3084	Sysqemgltlu.exe
2632	Sysqemjgxbb.exe
4088	Sysqemlqort.exe
1904	Sysqemtnkef.exe
1652	Sysqemzlhml.exe
856	Sysqemgprzc.exe
3764	Sysqemombmm.exe
1864	Sysqemtryuz.exe
2468	Sysqemboihr.exe
3632	Sysqemljjsy.exe
4856	Sysqemwfkkg.exe
1120	Sysqemjoinj.exe
1992	Sysqemgfnif.exe
1104	Sysqemjefsp.exe
2244	Sysqemlowih.exe
4756	Sysqemorzgt.exe
224	Sysqemymaqb.exe
4700	Sysqemgfzqq.exe
2856	Sysqemiactl.exe
2132	Sysqemtlsyp.exe
1620	Sysqemdgtjx.exe
4688	Sysqemnnxop.exe
2152	Sysqembaoev.exe
60	Sysqemlseba.exe
2900	Sysqemwofui.exe
3724	Sysqemgnjra.exe
4652	Sysqemtaahg.exe
3492	Sysqembedup.exe
5040	Sysqemdhgsc.exe
2684	Sysqemdodxt.exe
228	Sysqemyrift.exe
3740	Sysqemyuvxh.exe
3536	Sysqemlwcte.exe
4444	Sysqemdpqyy.exe
2784	Sysqemvhbwx.exe
2324	Sysqemnhetw.exe
4548	Sysqemlmlpg.exe
1356	Sysqemijsph.exe
4596	Sysqemlqzrx.exe
1244	Sysqemacumn.exe
2788	Sysqemlfwkg.exe
3720	Sysqemlbknx.exe
4088	Sysqemdmgtq.exe
1992	Sysqemniivs.exe
3172	Sysqemnbktf.exe
2240	Sysqemqtkwj.exe
2904	Sysqemdgdrb.exe
4644	Sysqemvfgpa.exe
3632	Sysqemlzepv.exe
4564	Sysqemxiicx.exe
3800	Sysqemaaafb.exe
3972	Sysqemlhoqf.exe
1012	Sysqemgnegs.exe
5080	Sysqemsawoz.exe
4828	Sysqemsitmx.exe
2108	Sysqemcpyxb.exe
3628	Sysqemaqspj.exe
4764	Sysqemnszko.exe
3256	Sysqemaqdsi.exe
4780	Sysqempnmgg.exe
4660	Sysqemyomlg.exe
2152	Sysqemdbgzd.exe
5024	Sysqemkugrm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjansv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemeqgzu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemreiof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemygowf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhmobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvwlqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzmrtf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdgdrb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmlryy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemblnzj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnhetw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyrift.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnszko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlmlpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqtkwj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwekad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfzcfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlxgtr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemphemh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrfcsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfypzc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcpyxb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhjmjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsoktp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemoncug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemefpua.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtpgci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzwwav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgynzt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgigbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgprzc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdgtjx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtaahg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemacumn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvobbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempxehm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlowih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemiiblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnvqnx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzohum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemivuma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemedxtn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxrjap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdbwxg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxqnor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemniivs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkbtyk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemombmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgfzqq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdmgtq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwjpit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdeqes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqnyif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtlsyp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempnmgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmgxav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyiryb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembagla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdodxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxydau.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemphdtx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgnegs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemywcts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhlesa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 2924	4340	09b4334c4205996925e222e507ae2860_NeikiAnalytics.exe	85
PID 4340 wrote to memory of 2924	4340	09b4334c4205996925e222e507ae2860_NeikiAnalytics.exe	85
PID 4340 wrote to memory of 2924	4340	09b4334c4205996925e222e507ae2860_NeikiAnalytics.exe	85
PID 2924 wrote to memory of 3084	2924	Sysqemjzxyw.exe	87
PID 2924 wrote to memory of 3084	2924	Sysqemjzxyw.exe	87
PID 2924 wrote to memory of 3084	2924	Sysqemjzxyw.exe	87
PID 3084 wrote to memory of 2632	3084	Sysqemgltlu.exe	88
PID 3084 wrote to memory of 2632	3084	Sysqemgltlu.exe	88
PID 3084 wrote to memory of 2632	3084	Sysqemgltlu.exe	88
PID 2632 wrote to memory of 4088	2632	Sysqemjgxbb.exe	90
PID 2632 wrote to memory of 4088	2632	Sysqemjgxbb.exe	90
PID 2632 wrote to memory of 4088	2632	Sysqemjgxbb.exe	90
PID 4088 wrote to memory of 1904	4088	Sysqemlqort.exe	92
PID 4088 wrote to memory of 1904	4088	Sysqemlqort.exe	92
PID 4088 wrote to memory of 1904	4088	Sysqemlqort.exe	92
PID 1904 wrote to memory of 1652	1904	Sysqemtnkef.exe	93
PID 1904 wrote to memory of 1652	1904	Sysqemtnkef.exe	93
PID 1904 wrote to memory of 1652	1904	Sysqemtnkef.exe	93
PID 1652 wrote to memory of 856	1652	Sysqemzlhml.exe	94
PID 1652 wrote to memory of 856	1652	Sysqemzlhml.exe	94
PID 1652 wrote to memory of 856	1652	Sysqemzlhml.exe	94
PID 856 wrote to memory of 3764	856	Sysqemgprzc.exe	95
PID 856 wrote to memory of 3764	856	Sysqemgprzc.exe	95
PID 856 wrote to memory of 3764	856	Sysqemgprzc.exe	95
PID 3764 wrote to memory of 1864	3764	Sysqemombmm.exe	98
PID 3764 wrote to memory of 1864	3764	Sysqemombmm.exe	98
PID 3764 wrote to memory of 1864	3764	Sysqemombmm.exe	98
PID 1864 wrote to memory of 2468	1864	Sysqemtryuz.exe	119
PID 1864 wrote to memory of 2468	1864	Sysqemtryuz.exe	119
PID 1864 wrote to memory of 2468	1864	Sysqemtryuz.exe	119
PID 2468 wrote to memory of 3632	2468	Sysqemboihr.exe	100
PID 2468 wrote to memory of 3632	2468	Sysqemboihr.exe	100
PID 2468 wrote to memory of 3632	2468	Sysqemboihr.exe	100
PID 3632 wrote to memory of 4856	3632	Sysqemljjsy.exe	101
PID 3632 wrote to memory of 4856	3632	Sysqemljjsy.exe	101
PID 3632 wrote to memory of 4856	3632	Sysqemljjsy.exe	101
PID 4856 wrote to memory of 1120	4856	Sysqemwfkkg.exe	103
PID 4856 wrote to memory of 1120	4856	Sysqemwfkkg.exe	103
PID 4856 wrote to memory of 1120	4856	Sysqemwfkkg.exe	103
PID 1120 wrote to memory of 1992	1120	Sysqemjoinj.exe	105
PID 1120 wrote to memory of 1992	1120	Sysqemjoinj.exe	105
PID 1120 wrote to memory of 1992	1120	Sysqemjoinj.exe	105
PID 1992 wrote to memory of 1104	1992	Sysqemgfnif.exe	106
PID 1992 wrote to memory of 1104	1992	Sysqemgfnif.exe	106
PID 1992 wrote to memory of 1104	1992	Sysqemgfnif.exe	106
PID 1104 wrote to memory of 2244	1104	Sysqemjefsp.exe	107
PID 1104 wrote to memory of 2244	1104	Sysqemjefsp.exe	107
PID 1104 wrote to memory of 2244	1104	Sysqemjefsp.exe	107
PID 2244 wrote to memory of 4756	2244	Sysqemlowih.exe	108
PID 2244 wrote to memory of 4756	2244	Sysqemlowih.exe	108
PID 2244 wrote to memory of 4756	2244	Sysqemlowih.exe	108
PID 4756 wrote to memory of 224	4756	Sysqemorzgt.exe	109
PID 4756 wrote to memory of 224	4756	Sysqemorzgt.exe	109
PID 4756 wrote to memory of 224	4756	Sysqemorzgt.exe	109
PID 224 wrote to memory of 4700	224	Sysqemymaqb.exe	110
PID 224 wrote to memory of 4700	224	Sysqemymaqb.exe	110
PID 224 wrote to memory of 4700	224	Sysqemymaqb.exe	110
PID 4700 wrote to memory of 2856	4700	Sysqemgfzqq.exe	112
PID 4700 wrote to memory of 2856	4700	Sysqemgfzqq.exe	112
PID 4700 wrote to memory of 2856	4700	Sysqemgfzqq.exe	112
PID 2856 wrote to memory of 2132	2856	Sysqemiactl.exe	114
PID 2856 wrote to memory of 2132	2856	Sysqemiactl.exe	114
PID 2856 wrote to memory of 2132	2856	Sysqemiactl.exe	114
PID 2132 wrote to memory of 1620	2132	Sysqemtlsyp.exe	115

C:\Users\Admin\AppData\Local\Temp\09b4334c4205996925e222e507ae2860_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\09b4334c4205996925e222e507ae2860_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\Sysqemjzxyw.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysqemjzxyw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\Sysqemgltlu.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysqemgltlu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\Sysqemjgxbb.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysqemjgxbb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\Sysqemlqort.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlqort.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\Sysqemtnkef.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtnkef.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzlhml.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzlhml.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgprzc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgprzc.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemombmm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemombmm.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtryuz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtryuz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemboihr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemboihr.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemljjsy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemljjsy.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwfkkg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwfkkg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjoinj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjoinj.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgfnif.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgfnif.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjefsp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjefsp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlowih.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlowih.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemorzgt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemorzgt.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemymaqb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemymaqb.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgfzqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgfzqq.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiactl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiactl.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtlsyp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtlsyp.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdgtjx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdgtjx.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnnxop.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnnxop.exe"
        24⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembaoev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembaoev.exe"
        25⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlseba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlseba.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwofui.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwofui.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgnjra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgnjra.exe"
        28⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtaahg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtaahg.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembedup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembedup.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdhgsc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdhgsc.exe"
        31⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdodxt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdodxt.exe"
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyrift.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyrift.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyuvxh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyuvxh.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlwcte.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlwcte.exe"
        35⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdpqyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdpqyy.exe"
        36⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvhbwx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvhbwx.exe"
        37⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnhetw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnhetw.exe"
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlmlpg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlmlpg.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemijsph.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemijsph.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlqzrx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlqzrx.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemacumn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemacumn.exe"
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlfwkg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlfwkg.exe"
        43⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlbknx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlbknx.exe"
        44⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdmgtq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdmgtq.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemniivs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemniivs.exe"
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnbktf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnbktf.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqtkwj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqtkwj.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdgdrb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdgdrb.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvfgpa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvfgpa.exe"
        50⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlzepv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlzepv.exe"
        51⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxiicx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxiicx.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaaafb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaaafb.exe"
        53⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlhoqf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlhoqf.exe"
        54⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgnegs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgnegs.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsawoz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsawoz.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsitmx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsitmx.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcpyxb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcpyxb.exe"
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaqspj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaqspj.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnszko.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnszko.exe"
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaqdsi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaqdsi.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempnmgg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempnmgg.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyomlg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyomlg.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdbgzd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdbgzd.exe"
        64⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkugrm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkugrm.exe"
        65⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdfdpf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdfdpf.exe"
        66⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemscecd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemscecd.exe"
        67⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfpwkd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfpwkd.exe"
        68⤵
        Checks computer location settings
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcbsxb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcbsxb.exe"
        69⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempawfv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempawfv.exe"
        70⤵
        Checks computer location settings
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkubvv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkubvv.exe"
        71⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxwiqs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxwiqs.exe"
        72⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsoktp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsoktp.exe"
        73⤵
        Modifies registry class
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemffdwf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemffdwf.exe"
        74⤵
        Checks computer location settings
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempafmg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempafmg.exe"
        75⤵
        Checks computer location settings
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemswjcm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemswjcm.exe"
        76⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempxduu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempxduu.exe"
        77⤵
        Checks computer location settings
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxydau.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxydau.exe"
        78⤵
        Modifies registry class
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmgxav.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmgxav.exe"
        79⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempmldk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempmldk.exe"
        80⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxfkdz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxfkdz.exe"
        81⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhmobj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhmobj.exe"
        82⤵
        Modifies registry class
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemstttl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemstttl.exe"
        83⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemevzjx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemevzjx.exe"
        84⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaipzr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaipzr.exe"
        85⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemudugj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemudugj.exe"
        86⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfchrn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfchrn.exe"
        87⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjansv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjansv.exe"
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxrjap.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxrjap.exe"
        89⤵
        Modifies registry class
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfvuss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfvuss.exe"
        90⤵
        Checks computer location settings
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmlryy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmlryy.exe"
        91⤵
        Modifies registry class
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkymlv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkymlv.exe"
        92⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemphdtx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemphdtx.exe"
        93⤵
        Modifies registry class
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxprrc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxprrc.exe"
        94⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzohum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzohum.exe"
        95⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemphemh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemphemh.exe"
        96⤵
        Modifies registry class
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhatsa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhatsa.exe"
        97⤵
        Checks computer location settings
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrodvk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrodvk.exe"
        98⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmfwyz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmfwyz.exe"
        99⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwekad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwekad.exe"
        100⤵
        Modifies registry class
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcntjf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcntjf.exe"
        101⤵
        Checks computer location settings
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmbwrt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmbwrt.exe"
        102⤵
        Checks computer location settings
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwmuhz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwmuhz.exe"
        103⤵
        Checks computer location settings
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeqgzu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeqgzu.exe"
        104⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuzsad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuzsad.exe"
        105⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmkess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmkess.exe"
        106⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeyedg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeyedg.exe"
        107⤵
        Checks computer location settings
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwvenc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwvenc.exe"
        108⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgfulj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgfulj.exe"
        109⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemreiof.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemreiof.exe"
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemblnzj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemblnzj.exe"
        111⤵
        Modifies registry class
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoncug.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoncug.exe"
        112⤵
        Modifies registry class
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemteiun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemteiun.exe"
        113⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgceci.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgceci.exe"
        114⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrfcsp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrfcsp.exe"
        115⤵
        Modifies registry class
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyvrym.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyvrym.exe"
        116⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlxgtr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlxgtr.exe"
        117⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjcfoc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjcfoc.exe"
        118⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembbqlb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembbqlb.exe"
        119⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjjfrh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjjfrh.exe"
        120⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemygowf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemygowf.exe"
        121⤵
        Modifies registry class
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdidrc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdidrc.exe"
        122⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlysxi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlysxi.exe"
        123⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyahsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyahsf.exe"
        124⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrkvyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrkvyy.exe"
        125⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembsabu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembsabu.exe"
        126⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgigbc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgigbc.exe"
        127⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyiryb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyiryb.exe"
        128⤵
        Modifies registry class
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemefpua.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemefpua.exe"
        129⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdnokl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdnokl.exe"
        130⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwjpit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwjpit.exe"
        131⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiphqt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiphqt.exe"
        132⤵
        Checks computer location settings
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemojbld.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemojbld.exe"
        133⤵
        Checks computer location settings
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyifqo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyifqo.exe"
        134⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlktyh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlktyh.exe"
        135⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqefbk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqefbk.exe"
        136⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembagla.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembagla.exe"
        137⤵
        Modifies registry class
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiiblm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiiblm.exe"
        138⤵
        Modifies registry class
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemocngx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemocngx.exe"
        139⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgynzt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgynzt.exe"
        140⤵
        Modifies registry class
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtpgci.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtpgci.exe"
        141⤵
        Modifies registry class
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdeqes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdeqes.exe"
        142⤵
        Modifies registry class
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjbosr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjbosr.exe"
        143⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemladna.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemladna.exe"
        144⤵
        Checks computer location settings
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqnyif.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqnyif.exe"
        145⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsikqm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsikqm.exe"
        146⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqzvel.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqzvel.exe"
        147⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqsfby.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqsfby.exe"
        148⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemivuma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemivuma.exe"
        149⤵
        Modifies registry class
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqvuss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqvuss.exe"
        150⤵
        Checks computer location settings
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnxnki.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnxnki.exe"
        151⤵
        Checks computer location settings
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdbwxg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdbwxg.exe"
        152⤵
        Modifies registry class
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemywcts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemywcts.exe"
        153⤵
        Modifies registry class
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnblyq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnblyq.exe"
        154⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnfxrt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnfxrt.exe"
        155⤵
        Checks computer location settings
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxqnor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxqnor.exe"
        156⤵
        Checks computer location settings
        Modifies registry class
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvyhcy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvyhcy.exe"
        157⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdgdzw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdgdzw.exe"
        158⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfbhqd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfbhqd.exe"
        159⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyyhaz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyyhaz.exe"
        160⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnvqnx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnvqnx.exe"
        161⤵
        Modifies registry class
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiiydr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiiydr.exe"
        162⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvkoyo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvkoyo.exe"
        163⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvdoji.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvdoji.exe"
        164⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvobbf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvobbf.exe"
        165⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemclloo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemclloo.exe"
        166⤵
        Checks computer location settings
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcikzr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcikzr.exe"
        167⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkpyfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkpyfx.exe"
        168⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvwlqb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvwlqb.exe"
        169⤵
        Modifies registry class
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfzcfa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfzcfa.exe"
        170⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkxgnu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkxgnu.exe"
        171⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkbtyk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkbtyk.exe"
        172⤵
        Modifies registry class
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempoomp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempoomp.exe"
        173⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfeizi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfeizi.exe"
        174⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnmxef.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnmxef.exe"
        175⤵
        Checks computer location settings
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnehct.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnehct.exe"
        176⤵
        Checks computer location settings
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxlufp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxlufp.exe"
        177⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempiuyl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempiuyl.exe"
        178⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzwwav.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzwwav.exe"
        179⤵
        Modifies registry class
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfxfbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfxfbp.exe"
        180⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfypzc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfypzc.exe"
        181⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcvxeh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcvxeh.exe"
        182⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempxehm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempxehm.exe"
        183⤵
        Modifies registry class
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhlesa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhlesa.exe"
        184⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxqnxg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxqnxg.exe"
        185⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmzxfu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmzxfu.exe"
        186⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxrnly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxrnly.exe"
        187⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzbfar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzbfar.exe"
        188⤵
        Checks computer location settings
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmowqw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmowqw.exe"
        189⤵
        Checks computer location settings
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzmrtf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzmrtf.exe"
        190⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmdmvo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmdmvo.exe"
        191⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwcytg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwcytg.exe"
        192⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemedxtn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemedxtn.exe"
        193⤵
        Modifies registry class
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempyydc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempyydc.exe"
        194⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzuqwk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzuqwk.exe"
        195⤵
        Checks computer location settings
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhjmjo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhjmjo.exe"
        196⤵
        Modifies registry class
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemructj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemructj.exe"
        197⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzjphn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzjphn.exe"
        198⤵
        Checks computer location settings
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmwhwt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmwhwt.exe"
        199⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempgyul.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempgyul.exe"
        200⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxdmhx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxdmhx.exe"
        201⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhcyfh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhcyfh.exe"
        202⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempgisy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempgisy.exe"
        203⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemflinu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemflinu.exe"
        204⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemovypq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemovypq.exe"
        205⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfwvfr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfwvfr.exe"
        206⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhdjig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhdjig.exe"
        207⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemozunk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemozunk.exe"
        208⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhgxya.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhgxya.exe"
        209⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrjwwh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrjwwh.exe"
        210⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeldre.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeldre.exe"
        211⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmedbn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmedbn.exe"
        212⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemebdmb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemebdmb.exe"
        213⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmubmw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmubmw.exe"
        214⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrdsvy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrdsvy.exe"
        215⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrzfxo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrzfxo.exe"
        216⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrapvu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrapvu.exe"
        217⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemugwlv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemugwlv.exe"
        218⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmvfol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmvfol.exe"
        219⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjsncy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjsncy.exe"
        220⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgfjpo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgfjpo.exe"
        221⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemradnp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemradnp.exe"
        222⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzqzsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzqzsn.exe"
        223⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjayiu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjayiu.exe"
        224⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemonsvz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemonsvz.exe"
        225⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwgsbr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwgsbr.exe"
        226⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemteybz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemteybz.exe"
        227⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembikuc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembikuc.exe"
        228⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrftha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrftha.exe"
        229⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemehacx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemehacx.exe"
        230⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemetmvt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemetmvt.exe"
        231⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyrcqo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyrcqo.exe"
        232⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrkrvh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrkrvh.exe"
        233⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlblye.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlblye.exe"
        234⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwayba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwayba.exe"
        235⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlistb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlistb.exe"
        236⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzvdwt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzvdwt.exe"
        237⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoamkr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoamkr.exe"
        238⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgpmun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgpmun.exe"
        239⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqdoxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqdoxx.exe"
        240⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembgqvq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembgqvq.exe"
        241⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemomivy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemomivy.exe"
        242⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgxxbj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgxxbj.exe"
        243⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlzewo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlzewo.exe"
        244⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgqfzd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgqfzd.exe"
        245⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqehbn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqehbn.exe"
        246⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaoyrm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaoyrm.exe"
        247⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdgyup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdgyup.exe"
        248⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaegac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaegac.exe"
        249⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvvbil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvvbil.exe"
        250⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqfedc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqfedc.exe"
        251⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvsyrz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvsyrz.exe"
        252⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdsgwz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdsgwz.exe"
        253⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemifbre.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemifbre.exe"
        254⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqgaks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqgaks.exe"
        255⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyzzkz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyzzkz.exe"
        256⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlbfzl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlbfzl.exe"
        257⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyract.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyract.exe"
        258⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlpcfc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlpcfc.exe"
        259⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemycmvi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemycmvi.exe"
        260⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemltpxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemltpxy.exe"
        261⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvpiig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvpiig.exe"
        262⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Sysqeminlko.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqeminlko.exe"
        263⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemirwdr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemirwdr.exe"
        264⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvtdyo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvtdyo.exe"
        265⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvicrr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvicrr.exe"
        266⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemazirz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemazirz.exe"
        267⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnqmkv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnqmkv.exe"
        268⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemschfa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemschfa.exe"
        269⤵
        
        PID:2564

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysqamqqvaqqd.exe

Filesize
539KB

MD5
bce502fa057fcd266e2bda8558cf4fd7

SHA1
cf89490f225819618d383411b52bb2dfeb464188

SHA256
eaef0c3cf2422deec65f6bd0b1b3ae4effd5088c4f8618d8dca018ff65778b4e

SHA512
ae9fa60607ae578c09673aadc8dd7f9d0eeead1e66343756c36cf796a63e53340f8b3b6cfa99c5a8ff84bae3c713bccd8830dc449701ea78b36a3c39473f3640

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemboihr.exe

Filesize
539KB

MD5
4d76a5790bf3b54d2b1b9ab246c87681

SHA1
58f8c0298d704b968c5819362647f554ae697f05

SHA256
5c1d316c6e6a6cf51f678eb7afb326b03a847d034f750dd33ecea28e265f36ef

SHA512
d428645515a022c61c4315fbfd31cba159852b0abada40b2003069f624766520e77d5d290a18a8b94ed66abb7dba4b94f8be4a617235c48127aa9fcec4aa58e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgfnif.exe

Filesize
540KB

MD5
432b2ae8244f0afbefb6668453a096bb

SHA1
8b9610beea148fb6b5175f20c6abb8fba8a81cd8

SHA256
9a84e34b8cf3aaaaa3a815b8ba5b1b78cbef1768526048da1aea6eff03c3683d

SHA512
1cd7ad167ffac6c900d54f37db668dc34c33e58dbc9d502fb10ca20de8e92a0670a3a631a9a38993a3903696d5445db039ddc663259fc0f93678fa4958d3d7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgltlu.exe

Filesize
539KB

MD5
11ff3d5603429a8faaf0a139f7ada1f7

SHA1
220e5306ff64ee81816b03800b8f08c209b39397

SHA256
754f9cde5d0b42a5f1fab3f898671a272d46c72141e605a1f97f6f8cb2a25f4c

SHA512
0f128ddd6d45471731d032417616d2086d8f622b7f532fc10b94b8a4ff46585cea0e1843d5cf0f2bdc94d052778dc434401a62cedfc4182c254ed00f0e197b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgprzc.exe

Filesize
539KB

MD5
7e2ebacc7817ca02643fd93151b6b17e

SHA1
74af1f28cce700643090d1506bc208c2d822e6f2

SHA256
404493757abffb6e2f0452b7924e7e16c74dabdf7434c9567d7a291a186a15ca

SHA512
ec49dc3599bfb4fcbead08ecda40f2dd61fadfbae6e4093e81834c703b3118ac1224349b74e0929f92688060faa65cd840b5f151f6d0e45c7d7c6d54be05ba42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemjefsp.exe

Filesize
540KB

MD5
19c760dff79d9d5b98cf5ad46e34b33c

SHA1
7501af534560e1b62ba214e2b860d33c844a4c3c

SHA256
7ab6b52145d758ce44f6324fa0219ff52e68f35ea3dfa647a759402013c63dbc

SHA512
8bc18d00f998c7f827bb3084a423e8127284f271a970d1f98d485da0be1579a8c4dc9042995e6af749ee613e2386817803a23769a0ae7d9a0cb7f65ea55e616d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemjgxbb.exe

Filesize
539KB

MD5
3dc1fbffc01b2f4abac98d15e51c426a

SHA1
c92726811b6057a5cfc36dc833e611e6542d0b88

SHA256
db3bf6d61c2bd9d6b91a7bd632462237eac41eef2a62ddac0c62c31357d92ea8

SHA512
8eaaab4911fd048c35411b1c98a82713704b35eb4febaa80873d1929e64d3ca68e639af2c101bc42dd382ae9ac688a7bf7cf47836622a06d3d70942dc2b39665

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemjoinj.exe

Filesize
540KB

MD5
5687aaee86606abada6181b2757f8b15

SHA1
bafc4fea9b541dd0372eefaa4d9bcb57805793b4

SHA256
5a43796e2032bfb80634f43213445d09bfb703395c474e3ed527218a2cdd52ab

SHA512
5ee0b095c6415ad9ec2e28004f02436d8ef396edb6ebb652af6b126bb4a11f0afcbaaae708512a3d5680242c022e18d5a110245b09d60f0bc90ad623e830a3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemjzxyw.exe

Filesize
539KB

MD5
95f3a62fd2648a088223420c83e6e983

SHA1
e3a737c47821dede69d3e635a1b15ad3812063a2

SHA256
328855fcc38a9bf7cc016c49a5649ed8b5e5be8d7a2c200a6e8e39f63bfe9a02

SHA512
92152b136a7661a4f8af4cd89b2421966f22a2bf33b2bcfaedd6555a4dc0594e0dd337b4c20d00dc24f56cc048a6b3cdf6e8d621dc909d74482178e47809bc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemljjsy.exe

Filesize
539KB

MD5
f29a0b0ed7a3907f849e8c4d55b6a0df

SHA1
ae1e06362f02dc6cd82f74f05df9167685f18be9

SHA256
aca079b07cbc8f6d02cd8078cbc4cf34283184523b4a5aaabecf56611db3cc06

SHA512
1d57e1cbf6173a72197c1deb5b7543167963f040a4c4b4d94e8204bc37db530891193ae516f975d0d1189ba0a68d3f3e5239cffbdbd28d24cd0767ddf7d22464

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlowih.exe

Filesize
540KB

MD5
77ee5f87fdd7c746f2f13eeccd2e4fbd

SHA1
8a7a246ac11aeb80e4effb3b68b8536dd8608d12

SHA256
68ae29fd8cbabcd8a5d4cacd20421a026125c48e65a66ea4d285cd3c2217fef3

SHA512
a44a5ba91ee1e9e9e3475e6aa68458ad7a2650e73bc4de9afbd301c69d00d942e83837e765e7ff75248f336a6f4605de2459c24ce2f982a95a3dfd9400cebeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlqort.exe

Filesize
539KB

MD5
c4d1246ec8d2e1aae798b5453714e071

SHA1
f99ff98d408f11a99c0a8739facb6827a259557d

SHA256
3c96fc0af476485a2f8d099d802c5e252c06ef9d051acea7f59b632c8b733296

SHA512
2f5b82c8f92e291c4a2871ca0725859247ab5904da3d295ef9bf652867b9236f9b679e4fe69412fafc4632b267ac6f8eea6068598548991296daf96fc9e6ec7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemombmm.exe

Filesize
539KB

MD5
79a368323533dac400cc879114b53582

SHA1
79c9d2c250d4f28dc7d21138d751759d71ad37cc

SHA256
52dc2c19498d1491c594578d353338d99fc6ca4d0b8e6ac95dc43b43d09a8782

SHA512
592827201c76281ebdba46b5e5679f60bc15c33531d96c3f3734f4dca6c83eb75e061f77e65e786d163357629bdf12542d0222a17527bb4f4995b88c6160df8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemorzgt.exe

Filesize
540KB

MD5
efcebb71c2aa749f2319c81731b1963f

SHA1
10839d63bc4815975dbb4f8675d39e4d41a52f27

SHA256
50707728bc0a67fd280fc99a6719d339148cd2e7045cb78510af93262105e0ec

SHA512
cef34026026ebe8f64d3745a613f6bbe0681949cb89397543451778028c062e0c31d9ce9e979225678369f3ba9020d86fd26626df000b9d251fdd7c91f5faa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemtnkef.exe

Filesize
539KB

MD5
4c4b453a6f9398fe943860b7e9a0420d

SHA1
3a53b949a35f1b765abfa501be86a1ab83ce2c8f

SHA256
5255a56e1487b34372280e5c844046da44fdebae3b15f78b8856052fd2debf25

SHA512
1862fab087641b732005cdefdab6612331e046381b2e52a97a04ceed5999f2c83a25ddff851758363531e9696075bd516778aec181f3bdfe080bd363b44bdf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemtryuz.exe

Filesize
539KB

MD5
16aa3f71c2208b67079ccedede385f7e

SHA1
4d69758ba5cc566e147941d14f2543560c42d0eb

SHA256
4377162ebf9912303b9cb6abec757674a08c078c3296425949b93f2dea8e6fe7

SHA512
ce71095046f4aebc7b520bfbb9949610cef57845f124f35f75af6101df1a9216f5808182577d4b7d01056f4576ef757fc3fc50bf199ae57dba4db3aa2570e691

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemwfkkg.exe

Filesize
539KB

MD5
21e3797dcb74188565e56ce667485497

SHA1
f2114d16d4173fda8c07a93ada0aea7301a5a998

SHA256
7ca19b93ba48929aa8daec64b411785285e047961962bfdcc6b73411ff465a0a

SHA512
85d8bfd973a8c0e1b28d6ef4bb6de2ee16b9443245fb43efa0d1675bc82f88cb6129d002e39723d59c64511ee8e638e92189e36f799e6182075e1e983cc6b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemymaqb.exe

Filesize
540KB

MD5
6f1a07750969f8438ed6d6638eddc137

SHA1
29086bdd0896371379033f55be760950cc0cb6e2

SHA256
6c2101d7194ed040ad2fd1a780192c3533c56a15fd6f671b6e6a9646a1add4d3

SHA512
92b55f9b7cb24802a72253438b1b9b8dd193c5ae840c75efa5da495efa98533cf6b6c8e116e9c7c3afe5a431b18bbfecd4e0fe05744080efb374fadb33cb4fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemzlhml.exe

Filesize
539KB

MD5
3956223d643c67c2e70d4c62af2313b9

SHA1
475b4f512ccef10274ce21416e181523244067de

SHA256
a50897459f76d3131f3f3f4cb092348d0adbc1a0d0279014ec2a583a5db20828

SHA512
f3e664a091cd700664637d6cb0424d4e5626ce9e751382ebf049ef0941b58e648ef3e4f7276cb6c48312b4efbb13ae8f2d63a4e26271221b68c973b2eccf2f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
892a4dd62595a21a3db2be4769972300

SHA1
60fa378fe4d614bbe0dbc79c11c4e95f21f1edbf

SHA256
15118eb2a8361f1dea6074e65e86b87464cd7d39bde92a0192bba404cb572897

SHA512
4417be775f58c2babb7b6102a31a2c44ccaf109d4d43a0a583159addb52c5dfc59150345078e19f72c4225896190e6a40aedae19699ede6b1d7ef59253480af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
c1f7e788c163ce10281c91057421e17f

SHA1
9ad9438814647b37fc728c8f7f946c76c9f25964

SHA256
37b7778216c64392a07a86ffc22d07ee71516fb6fe0c242feda4e1e32d7aeb6d

SHA512
d01c2e65ccdd897f3792685b353d0e754b6c80ad5d0205df52e3a32479758c043c982de2db603af1ea8e256596629ee4e64e02ef20702ea658098e1b5d2b0a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
eb55f053a5ec412fdaef85bd80e68c06

SHA1
966a3ae19dd147d487d4ce83afe0e509a7607eeb

SHA256
befa9b27ced5160b350a9747213c2bb162a04a86ce3eb60c986ceafad3264725

SHA512
f6405c14c48f91f844f8e03e9544ff34d850d75018261ded83871627802a055828028347c3e39187d2b563ad4439830054a17c37a791db40469980ed53cedfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
439acef4103610d7514798b7d287a00d

SHA1
f3b5dca3ed0017309d1f2c82c762f470ae1695cb

SHA256
bee93c84747c30f3d5633e8e992b681a52c860bc45f007db5ef514b46960498a

SHA512
1f4e1787e15a7190261963ce1a954f95d41209bab0bbfcff4dd22e26c5f49b07541abdbd79bbc916d81ca2ae7605c5385e79ae1b58d25b8b5d961d64959e9b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
cac2d50158d1777f5ccb0808bafad2f8

SHA1
11b5b595b396a7c1fe1c978996716bd6fa5499ec

SHA256
e59550d9b9f6336332bfe9bef10cab1d4d1e190518f564300202bfa168ce194c

SHA512
09d67442799319e2fe929855d5e369d77d5fa4cbe67f00634da76ba5e3ea31b73c87598f6aa28d62e3eca1697fef6f9ccbbf84d271484d4180a23ee9ecff7afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
b6a682b9e4a0728c1ba415ef2afcc44b

SHA1
e613941f332dd8439408eee866aba8375f7a9939

SHA256
68c4ac82b82f22e680686a6a954e6bf1057c16d86d0d2951d2a76b585d09b320

SHA512
3e14cf96bdef976a8adf09918c856f0ce1321c21b4365cae73d5d0563158ee8e83174460f696ecd0a52abcdbd3dc570e60f2cc4923aabe91f0d3f463548a819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
ea87340ea3acc672a5bfaa05ef7f62a5

SHA1
a2f5e2b1c6c7f4a9d7c37709dec4c0b42467738f

SHA256
3bb6cb5aaa8f75e1b2fd7a3d54bcef85be21d8d7b09e85652ac380e126e1ac10

SHA512
ce4c59645cb49a3f46428896b65d9258fb437cca582e636ce13d2484ba629aea17500eb3bd0d5b27d767793bf74348c200910bd0bb40fe615555d2ae0f8b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
c6f195f93609c579d85ab2a992d45a5e

SHA1
6094e38606f88fae9f6838693b626ccb9c108593

SHA256
77507a535e2f18620d2f6800ae8216aec9baf93b2a20865e6803d5727e860450

SHA512
62a86ca858fb1606668462f539684898566d2d2018772d0ff353732473ce9b9ce748156895e88f3d640ff208246b8ab5bc0be8db223380e8de08c2677a485f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
8a3cab00b67ef83bfd022a29d16fb88a

SHA1
61ce1100d0c923920017dbf7fa346f6dbc5bd281

SHA256
f803132322c14d1a4694a2063c6dc9c7edc058c9fad54d607df85777248312d7

SHA512
01677a4e695a9e62ded855623d2285f1bfe93d371b6a79e5dc61b55f1358032ab9cf28f98cd272f075460d7d24a866f8741b53a74afd5f0281e1e4d65ca79734

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
6c2515591a29e335b6dfb7ec2d5cd3b6

SHA1
b4bdea041b20d96a1e3b0a3b5ed5bc3e3085a4a3

SHA256
3c0c85c225cb7cdfe1a0fd9dcd5d584178ebc63142aa6371364a0433cb49162f

SHA512
e8231a691c766497d32ab7a00d7653724db6793fc11fcfd055dd8137658ca10cb76408002a518798b95af67f90578b55b10fa9c814c4b75d251c96084a22df36

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
b6c982433ef3c8ba3f8a57c8b4a64c42

SHA1
0248902bff0e27e57e97df94b0a933b5b799c8a9

SHA256
7649bd138d02492c24a6c9f45a7d5a45b66d8215a38c335a22c108f7ed628162

SHA512
a98d4fd7340789ca76608509d58ed4ce0030b4fa4feacf303fcf4baf093423208b51c29aba43b63a6bb0285bcd45669b97cf6bd2648e73fc98cd36b206e53fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
8833f383a847363b1666d569f0b5c94d

SHA1
b2f99348db6d01d786813fd65a47028e661ed08e

SHA256
fbaf08be2cfefdb2b37a83344c8a352c7599351e0a847cef89774fb6ee55ec27

SHA512
ec13d5d27b7c1e27fd6031b76bb8b34a5c9b73f57f4acfe0eacb3cb2143543646a884c722757e8ad60abb6dc332970890bba6977c29216af0af0a3ae319d125d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
6a8c9bb99d8753d774a7352f8b3fb347

SHA1
90509bbdcdae894150f63bbb25adaa24ecf5aee0

SHA256
3c035f48a772bc43c4b0166d97059ca871e7dfb70ce84bb2e49b4ced1ee5404f

SHA512
de7a95141ac570bf8aa687d229c836b952adb549457205f924598d4cfcaee844d1dc6706e0fe2099cb50725902802bfb0d50502630321e85895017e415e74cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
d6131e99d73faae0deec8e45cd605f35

SHA1
ebe9f547c0f67502ae3d0a46119ce101ab79a16f

SHA256
9ccd05ae866d2ab8dcd5b363f4697823a2852c77df04aba2b9eca97692a31d03

SHA512
d02ee924c5967be9763478b20068811f043ef37bedcfdd988e72aeca3f0ea2ab55e1513646020f82d800c23e73335bb8ae189be2904f098662355bc3ec07b8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
788e8bfd6b721ad194393db5b720c323

SHA1
ed28cb9179e05324d31993b8edcb33f96243d22f

SHA256
f9ab3badfa760afdbe98d93ab660730a6fdd491e70d83aa21a7aebc5f958ee25

SHA512
e2f250148b150a84f28c07ef23dafeb5692b757e69f19f3bd9365c4324869d62153d55d59d548b5dab9a90b7993b07e617ec4beb432d39d2bf232ec2de0420ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
fc2fedd1a29ae543e2fb324f59f3997f

SHA1
970c93cacf0a062758ba9324d05ca13547e26293

SHA256
d19df269fd4be8e43911557b99387be569d904aef03620e833dd10042088fa69

SHA512
c42f934d8587c4202abc841a9843d2004b17f9b89d2bf58b5077703c5732b6738fce20b8b2a7b544ec60db338cf82290406595414567007afd13a882296d7aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
5c6f6a1ac18de2ff08dad0e3cc591345

SHA1
750849bfb3ffd116921a690f1edcc56f5c459bb2

SHA256
8d9afcb9c9cdcf71e04789453ea2460f344fec6663da364f7e188e5e0b27b6cb

SHA512
ff64bd9fa3ebd59e9b3d91eac8390b65469ce9a723ff2a2993a13d5f41e2991907389689014f9b6b451a5ae89eb0acb1e705b7e4ce0b87304b8851b502e0a421

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
8ac7f99f11e6c1607b29b10433e05d6c

SHA1
d5859bc33da813f3ddfed382246048b9e70f2bf4

SHA256
202bdade4226b84d2faf13a13907c0b817c644428940ca9e8112b0f95bad4ce6

SHA512
c3b6dedc08949893e5a5b4c64ad350e4ae2de105aed6d799449c4f866a1f6a96a86db5de09471685379f42f9d6db3b7751a69d24c552ae5ce1fd10a044849d8d

Download Submit