abe55e46f7158ab08b5b2c8e0b914e21b7cc75e5c6ab7041c6218b3195f82b70

Analysis

max time kernel
89s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef8147ef6f64d653540ac48ae444dd0_NeikiAnalytics.exe
Size

658KB
MD5

1ef8147ef6f64d653540ac48ae444dd0
SHA1

0404835c5a653e4d9f4d69e774dad47ea00728c8
SHA256

abe55e46f7158ab08b5b2c8e0b914e21b7cc75e5c6ab7041c6218b3195f82b70
SHA512

b8fbe4cbab5d2c37195e7b5c694a79aba982e62ecec4c69f2bb3b960d76fdabf005e5a4c74cf3e068ee67505203b1be92eb226b77fcd5e2808765d067c1eafdf
SSDEEP

12288:w+67XR9JSSxvYGdodHDusQHNd1KidKjttRYLwP:w+6N986Y7DusQHNd1KidKjttRYLwP

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 19 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0007000000023406-5.dat	family_berbew
behavioral2/files/0x0008000000023402-40.dat	family_berbew
behavioral2/files/0x0007000000023408-70.dat	family_berbew
behavioral2/files/0x0007000000023409-105.dat	family_berbew
behavioral2/files/0x0008000000023403-140.dat	family_berbew
behavioral2/files/0x000700000002340b-175.dat	family_berbew
behavioral2/files/0x000700000002340c-210.dat	family_berbew
behavioral2/files/0x000800000002340d-245.dat	family_berbew
behavioral2/files/0x000800000002337f-280.dat	family_berbew
behavioral2/files/0x000800000002340f-315.dat	family_berbew
behavioral2/files/0x0008000000023410-350.dat	family_berbew
behavioral2/files/0x0007000000023414-385.dat	family_berbew
behavioral2/files/0x000b00000000002c-420.dat	family_berbew
behavioral2/files/0x0007000000016924-455.dat	family_berbew
behavioral2/files/0x0003000000022abf-490.dat	family_berbew
behavioral2/files/0x000900000002335d-525.dat	family_berbew
behavioral2/files/0x000800000002335e-560.dat	family_berbew
behavioral2/files/0x0008000000023363-595.dat	family_berbew
behavioral2/files/0x0008000000023364-630.dat	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemulyku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemrawgg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemjpypq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemeyaef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemizsbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemqddte.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemkyszk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemynkuh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemeafhm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemosvnr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemjgxbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemjktrd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqembizkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemzdlrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemuahfl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemxbonx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemcwded.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemlsafk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemzyenr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemollap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqempifpd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemybezf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemwdjgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemysulg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemlhrjm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemwqjft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemjtpju.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqembvmfb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemwwfsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemnznpu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemizxfh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemkvkcy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemukttu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemdfyzv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemquyvg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemkasvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemzdqio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemotfke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemjjheb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemmxjwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemcsfqw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemwsxyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemeptmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemmyhqb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemegycr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemnyuqq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqempkmrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemezpgf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemqpgqh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemdbpfr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemggqwg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemqmyxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemngera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqempcblx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemidlvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemmzddu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemmemxy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemytgpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemdnnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemhcknb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqempfjmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemhmiqq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemqusxg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Sysqemluqlp.exe

Executes dropped EXE 64 IoCs

pid	Process
4628	Sysqemmkzoy.exe
4192	Sysqemevomj.exe
1980	Sysqemeyaef.exe
2820	Sysqemegycr.exe
4216	Sysqemzqefi.exe
3084	Sysqemermar.exe
3644	Sysqemlzhal.exe
3964	Sysqemwrpxq.exe
5316	Sysqemuahfl.exe
3724	Sysqemzyenr.exe
3584	Sysqemwhnih.exe
1140	Sysqembmgqa.exe
2932	Sysqemjmfqh.exe
1260	Sysqemoovlx.exe
660	Sysqemwsxyp.exe
2104	Sysqemeptmt.exe
6072	Sysqembyduo.exe
2952	Sysqemynkuh.exe
5908	Sysqemycizy.exe
5592	Sysqemeafhm.exe
4440	Sysqemosvnr.exe
3988	Sysqemwwfsi.exe
3512	Sysqemdbpfr.exe
5460	Sysqemotfke.exe
3128	Sysqemzoxvm.exe
3844	Sysqembvmfb.exe
3756	Sysqemysulg.exe
2160	Sysqemqkxjf.exe
5400	Sysqemjgxbb.exe
1340	Sysqemydghz.exe
1012	Sysqemjktrd.exe
5436	Sysqemdfyzv.exe
4352	Sysqemytgpq.exe
2328	Sysqemwfkkg.exe
4928	Sysqemgbcvc.exe
4432	Sysqemjhrld.exe
2136	Sysqemlgggm.exe
1936	Sysqemvnurq.exe
2200	Sysqemdgtjx.exe
3024	Sysqemlhrjm.exe
4104	Sysqembapjh.exe
3628	Sysqemlormi.exe
3284	Sysqemteoso.exe
1216	Sysqembizkr.exe
3096	Sysqemquyvg.exe
1456	Sysqemdpqyy.exe
2952	Sysqemtmzew.exe
5888	Sysqemvlphf.exe
1144	Sysqemggqwg.exe
5492	Sysqemydqpd.exe
3380	Sysqemvqlci.exe
3904	Sysqemagrdp.exe
4988	Sysqemscrnd.exe
1676	Sysqemizsbb.exe
940	Sysqemqddte.exe
816	Sysqemxwlen.exe
3080	Sysqemkyszk.exe
1580	Sysqemvuuxl.exe
5204	Sysqemlzdkj.exe
5288	Sysqemqmyxo.exe
2664	Sysqemvngsw.exe
4300	Sysqemcrqfo.exe
3212	Sysqemnyuqq.exe
3120	Sysqemytvix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlydaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqpgqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwhnih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjgxbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvuuxl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemizxfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzbqjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwdjgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemiuxkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwsxyp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemscrnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqefbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemysulg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcxjdx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxbonx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhcknb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemybezf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdbpfr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrawgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqkmqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtqbgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemermar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyjvlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnznpu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhmiqq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemedeeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjpypq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdptzb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemynkuh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemosvnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgbcvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxwlen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqmyxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlsafk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemeyaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemytgpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsitmx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkasvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmdztw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzdlrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembyduo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlhrjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlzdkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemabpob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzzusu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkrtyj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemeptmt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhjzfu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembapjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtmzew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkyszk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuprnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemluqlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxgojm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmzddu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemblmwn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1ef8147ef6f64d653540ac48ae444dd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemevomj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkugrm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuwgcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembyerf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqusxg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlwpxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembmgqa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5796 wrote to memory of 4628	5796	1ef8147ef6f64d653540ac48ae444dd0_NeikiAnalytics.exe	85
PID 5796 wrote to memory of 4628	5796	1ef8147ef6f64d653540ac48ae444dd0_NeikiAnalytics.exe	85
PID 5796 wrote to memory of 4628	5796	1ef8147ef6f64d653540ac48ae444dd0_NeikiAnalytics.exe	85
PID 4628 wrote to memory of 4192	4628	Sysqemmkzoy.exe	86
PID 4628 wrote to memory of 4192	4628	Sysqemmkzoy.exe	86
PID 4628 wrote to memory of 4192	4628	Sysqemmkzoy.exe	86
PID 4192 wrote to memory of 1980	4192	Sysqemevomj.exe	88
PID 4192 wrote to memory of 1980	4192	Sysqemevomj.exe	88
PID 4192 wrote to memory of 1980	4192	Sysqemevomj.exe	88
PID 1980 wrote to memory of 2820	1980	Sysqemeyaef.exe	89
PID 1980 wrote to memory of 2820	1980	Sysqemeyaef.exe	89
PID 1980 wrote to memory of 2820	1980	Sysqemeyaef.exe	89
PID 2820 wrote to memory of 4216	2820	Sysqemegycr.exe	90
PID 2820 wrote to memory of 4216	2820	Sysqemegycr.exe	90
PID 2820 wrote to memory of 4216	2820	Sysqemegycr.exe	90
PID 4216 wrote to memory of 3084	4216	Sysqemzqefi.exe	91
PID 4216 wrote to memory of 3084	4216	Sysqemzqefi.exe	91
PID 4216 wrote to memory of 3084	4216	Sysqemzqefi.exe	91
PID 3084 wrote to memory of 3644	3084	Sysqemermar.exe	118
PID 3084 wrote to memory of 3644	3084	Sysqemermar.exe	118
PID 3084 wrote to memory of 3644	3084	Sysqemermar.exe	118
PID 3644 wrote to memory of 3964	3644	Sysqemlzhal.exe	93
PID 3644 wrote to memory of 3964	3644	Sysqemlzhal.exe	93
PID 3644 wrote to memory of 3964	3644	Sysqemlzhal.exe	93
PID 3964 wrote to memory of 5316	3964	Sysqemwrpxq.exe	96
PID 3964 wrote to memory of 5316	3964	Sysqemwrpxq.exe	96
PID 3964 wrote to memory of 5316	3964	Sysqemwrpxq.exe	96
PID 5316 wrote to memory of 3724	5316	Sysqemuahfl.exe	97
PID 5316 wrote to memory of 3724	5316	Sysqemuahfl.exe	97
PID 5316 wrote to memory of 3724	5316	Sysqemuahfl.exe	97
PID 3724 wrote to memory of 3584	3724	Sysqemzyenr.exe	98
PID 3724 wrote to memory of 3584	3724	Sysqemzyenr.exe	98
PID 3724 wrote to memory of 3584	3724	Sysqemzyenr.exe	98
PID 3584 wrote to memory of 1140	3584	Sysqemwhnih.exe	99
PID 3584 wrote to memory of 1140	3584	Sysqemwhnih.exe	99
PID 3584 wrote to memory of 1140	3584	Sysqemwhnih.exe	99
PID 1140 wrote to memory of 2932	1140	Sysqembmgqa.exe	102
PID 1140 wrote to memory of 2932	1140	Sysqembmgqa.exe	102
PID 1140 wrote to memory of 2932	1140	Sysqembmgqa.exe	102
PID 2932 wrote to memory of 1260	2932	Sysqemjmfqh.exe	104
PID 2932 wrote to memory of 1260	2932	Sysqemjmfqh.exe	104
PID 2932 wrote to memory of 1260	2932	Sysqemjmfqh.exe	104
PID 1260 wrote to memory of 660	1260	Sysqemoovlx.exe	105
PID 1260 wrote to memory of 660	1260	Sysqemoovlx.exe	105
PID 1260 wrote to memory of 660	1260	Sysqemoovlx.exe	105
PID 660 wrote to memory of 2104	660	Sysqemwsxyp.exe	106
PID 660 wrote to memory of 2104	660	Sysqemwsxyp.exe	106
PID 660 wrote to memory of 2104	660	Sysqemwsxyp.exe	106
PID 2104 wrote to memory of 6072	2104	Sysqemeptmt.exe	108
PID 2104 wrote to memory of 6072	2104	Sysqemeptmt.exe	108
PID 2104 wrote to memory of 6072	2104	Sysqemeptmt.exe	108
PID 6072 wrote to memory of 2952	6072	Sysqembyduo.exe	110
PID 6072 wrote to memory of 2952	6072	Sysqembyduo.exe	110
PID 6072 wrote to memory of 2952	6072	Sysqembyduo.exe	110
PID 2952 wrote to memory of 5908	2952	Sysqemynkuh.exe	111
PID 2952 wrote to memory of 5908	2952	Sysqemynkuh.exe	111
PID 2952 wrote to memory of 5908	2952	Sysqemynkuh.exe	111
PID 5908 wrote to memory of 5592	5908	Sysqemycizy.exe	112
PID 5908 wrote to memory of 5592	5908	Sysqemycizy.exe	112
PID 5908 wrote to memory of 5592	5908	Sysqemycizy.exe	112
PID 5592 wrote to memory of 4440	5592	Sysqemeafhm.exe	114
PID 5592 wrote to memory of 4440	5592	Sysqemeafhm.exe	114
PID 5592 wrote to memory of 4440	5592	Sysqemeafhm.exe	114
PID 4440 wrote to memory of 3988	4440	Sysqemosvnr.exe	117

C:\Users\Admin\AppData\Local\Temp\1ef8147ef6f64d653540ac48ae444dd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ef8147ef6f64d653540ac48ae444dd0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5796
- C:\Users\Admin\AppData\Local\Temp\Sysqemmkzoy.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysqemmkzoy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\Sysqemevomj.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysqemevomj.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\Sysqemeyaef.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysqemeyaef.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\Sysqemegycr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemegycr.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\Sysqemzqefi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzqefi.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemermar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemermar.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlzhal.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlzhal.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwrpxq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwrpxq.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuahfl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuahfl.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzyenr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzyenr.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwhnih.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwhnih.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembmgqa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembmgqa.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjmfqh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjmfqh.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoovlx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoovlx.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwsxyp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwsxyp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeptmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeptmt.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembyduo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembyduo.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemynkuh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemynkuh.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemycizy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemycizy.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeafhm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeafhm.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemosvnr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemosvnr.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwwfsi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwwfsi.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdbpfr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdbpfr.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemotfke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemotfke.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzoxvm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzoxvm.exe"
        26⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembvmfb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembvmfb.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemysulg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemysulg.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqkxjf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqkxjf.exe"
        29⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjgxbb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjgxbb.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemydghz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemydghz.exe"
        31⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjktrd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjktrd.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdfyzv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdfyzv.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemytgpq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemytgpq.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwfkkg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwfkkg.exe"
        35⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgbcvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgbcvc.exe"
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjhrld.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjhrld.exe"
        37⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlgggm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlgggm.exe"
        38⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvnurq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvnurq.exe"
        39⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdgtjx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdgtjx.exe"
        40⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlhrjm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlhrjm.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembapjh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembapjh.exe"
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlormi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlormi.exe"
        43⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemteoso.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemteoso.exe"
        44⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembizkr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembizkr.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemquyvg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemquyvg.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdpqyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdpqyy.exe"
        47⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtmzew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtmzew.exe"
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvlphf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvlphf.exe"
        49⤵
        Executes dropped EXE
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemggqwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemggqwg.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemydqpd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemydqpd.exe"
        51⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvqlci.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvqlci.exe"
        52⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemagrdp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemagrdp.exe"
        53⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemscrnd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemscrnd.exe"
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemizsbb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemizsbb.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqddte.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqddte.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxwlen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxwlen.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkyszk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkyszk.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvuuxl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvuuxl.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlzdkj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlzdkj.exe"
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqmyxo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqmyxo.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvngsw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvngsw.exe"
        62⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcrqfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcrqfo.exe"
        63⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnyuqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnyuqq.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemytvix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemytvix.exe"
        65⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiailb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiailb.exe"
        66⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyjvlc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyjvlc.exe"
        67⤵
        Modifies registry class
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemngera.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemngera.exe"
        68⤵
        Checks computer location settings
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsitmx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsitmx.exe"
        69⤵
        Modifies registry class
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnznpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnznpu.exe"
        70⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyupno.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyupno.exe"
        71⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkihvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkihvw.exe"
        72⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemulyku.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemulyku.exe"
        73⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcxjdx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcxjdx.exe"
        74⤵
        Modifies registry class
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempcblx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempcblx.exe"
        75⤵
        Checks computer location settings
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemabpob.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemabpob.exe"
        76⤵
        Modifies registry class
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxgojm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxgojm.exe"
        77⤵
        Modifies registry class
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkugrm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkugrm.exe"
        78⤵
        Modifies registry class
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempkmrt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempkmrt.exe"
        79⤵
        Checks computer location settings
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemisxkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemisxkk.exe"
        80⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaraij.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaraij.exe"
        81⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemizxfh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemizxfh.exe"
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdnnvb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdnnvb.exe"
        83⤵
        Checks computer location settings
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemidlvj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemidlvj.exe"
        84⤵
        Checks computer location settings
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemftrwq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemftrwq.exe"
        85⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcnwwa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcnwwa.exe"
        86⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkvkcy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkvkcy.exe"
        87⤵
        Checks computer location settings
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempifpd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempifpd.exe"
        88⤵
        Checks computer location settings
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhefaz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhefaz.exe"
        89⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxbonx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxbonx.exe"
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkasvr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkasvr.exe"
        91⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmyhqb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmyhqb.exe"
        92⤵
        Checks computer location settings
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcsfqw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcsfqw.exe"
        93⤵
        Checks computer location settings
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzbqjl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzbqjl.exe"
        94⤵
        Modifies registry class
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemktpuc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemktpuc.exe"
        95⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcwded.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcwded.exe"
        96⤵
        Checks computer location settings
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuwgcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuwgcc.exe"
        97⤵
        Modifies registry class
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhjzfu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhjzfu.exe"
        98⤵
        Modifies registry class
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuprnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuprnc.exe"
        99⤵
        Modifies registry class
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhcknb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhcknb.exe"
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmtodw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmtodw.exe"
        101⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzvvyb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzvvyb.exe"
        102⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjfloz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjfloz.exe"
        103⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemubnmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemubnmt.exe"
        104⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjjheb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjjheb.exe"
        105⤵
        Checks computer location settings
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzzusu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzzusu.exe"
        106⤵
        Modifies registry class
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmiynx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmiynx.exe"
        107⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzdqio.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzdqio.exe"
        108⤵
        Checks computer location settings
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemollap.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemollap.exe"
        109⤵
        Checks computer location settings
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkrtyj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkrtyj.exe"
        110⤵
        Modifies registry class
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzwceh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzwceh.exe"
        111⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemukttu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemukttu.exe"
        112⤵
        Checks computer location settings
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembyerf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembyerf.exe"
        113⤵
        Modifies registry class
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemracra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemracra.exe"
        114⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempfjmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempfjmt.exe"
        115⤵
        Checks computer location settings
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrsmpo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrsmpo.exe"
        116⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwqjft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwqjft.exe"
        117⤵
        Checks computer location settings
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhmkpj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhmkpj.exe"
        118⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhmiqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhmiqq.exe"
        119⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrijax.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrijax.exe"
        120⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembecsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembecsn.exe"
        121⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmzddu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmzddu.exe"
        122⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwypaf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwypaf.exe"
        123⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemguitu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemguitu.exe"
        124⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrpjdc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrpjdc.exe"
        125⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemezpgf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemezpgf.exe"
        126⤵
        Checks computer location settings
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmdztw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmdztw.exe"
        127⤵
        Modifies registry class
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemonrjp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemonrjp.exe"
        128⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemedeeh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemedeeh.exe"
        129⤵
        Modifies registry class
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwrdpv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwrdpv.exe"
        130⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembtucg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembtucg.exe"
        131⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlsafk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlsafk.exe"
        132⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmemxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmemxy.exe"
        133⤵
        Checks computer location settings
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqusxg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqusxg.exe"
        134⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwdjgi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwdjgi.exe"
        135⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemelydg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemelydg.exe"
        136⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmxjwj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmxjwj.exe"
        137⤵
        Checks computer location settings
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzdlrc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzdlrc.exe"
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemljcsi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemljcsi.exe"
        139⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjdzss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjdzss.exe"
        140⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlydaz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlydaz.exe"
        141⤵
        Modifies registry class
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemluqlp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemluqlp.exe"
        142⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrawgg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrawgg.exe"
        143⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemblmwn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemblmwn.exe"
        144⤵
        Modifies registry class
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjpypq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjpypq.exe"
        145⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemybezf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemybezf.exe"
        146⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdrkan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdrkan.exe"
        147⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqpgqh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqpgqh.exe"
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqefbk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqefbk.exe"
        149⤵
        Modifies registry class
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemblsdo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemblsdo.exe"
        150⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjtpju.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjtpju.exe"
        151⤵
        Checks computer location settings
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdptzb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdptzb.exe"
        152⤵
        Modifies registry class
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlwpxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlwpxy.exe"
        153⤵
        Modifies registry class
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiuxkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiuxkl.exe"
        154⤵
        Modifies registry class
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqkmqr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqkmqr.exe"
        155⤵
        Modifies registry class
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtqbgs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtqbgs.exe"
        156⤵
        Modifies registry class
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemajjqs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemajjqs.exe"
        157⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemirxwy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemirxwy.exe"
        158⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemictuy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemictuy.exe"
        159⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlyxkn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlyxkn.exe"
        160⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvinzm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvinzm.exe"
        161⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkfwnk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkfwnk.exe"
        162⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqognm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqognm.exe"
        163⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaotyq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaotyq.exe"
        164⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemganln.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemganln.exe"
        165⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfqkrs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfqkrs.exe"
        166⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemilozz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemilozz.exe"
        167⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnnfhb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnnfhb.exe"
        168⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdsgmz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdsgmz.exe"
        169⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiimnh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiimnh.exe"
        170⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvgqvb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvgqvb.exe"
        171⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcdais.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcdais.exe"
        172⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkdzih.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkdzih.exe"
        173⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemynglk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemynglk.exe"
        174⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfriyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfriyt.exe"
        175⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnzdqn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnzdqn.exe"
        176⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxrtws.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxrtws.exe"
        177⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfjswz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfjswz.exe"
        178⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkwles.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkwles.exe"
        179⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxgrgv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxgrgv.exe"
        180⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdhabl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdhabl.exe"
        181⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcwxhd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcwxhd.exe"
        182⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkxwhr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkxwhr.exe"
        183⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvhmmw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvhmmw.exe"
        184⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvwbsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvwbsn.exe"
        185⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfrccd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfrccd.exe"
        186⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqndnk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqndnk.exe"
        187⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemajwfs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemajwfs.exe"
        188⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemingkj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemingkj.exe"
        189⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsfwqo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsfwqo.exe"
        190⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemanrqi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemanrqi.exe"
        191⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnabgo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnabgo.exe"
        192⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsnsvu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsnsvu.exe"
        193⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkmdtt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkmdtt.exe"
        194⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsrplo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsrplo.exe"
        195⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiknmj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiknmj.exe"
        196⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsvdcq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsvdcq.exe"
        197⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemacaho.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemacaho.exe"
        198⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiolar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiolar.exe"
        199⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnbfnw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnbfnw.exe"
        200⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxewdd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxewdd.exe"
        201⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemunpvk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemunpvk.exe"
        202⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcopjk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcopjk.exe"
        203⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcgzhq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcgzhq.exe"
        204⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxjfcb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxjfcb.exe"
        205⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemczlcj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemczlcj.exe"
        206⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcdwvm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcdwvm.exe"
        207⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuawfa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuawfa.exe"
        208⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemecnvh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemecnvh.exe"
        209⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuelwc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuelwc.exe"
        210⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemciwof.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemciwof.exe"
        211⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjepmj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjepmj.exe"
        212⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemezvhu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemezvhu.exe"
        213⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmavnv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmavnv.exe"
        214⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsnqiz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsnqiz.exe"
        215⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfpfdw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfpfdw.exe"
        216⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjqoih.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjqoih.exe"
        217⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemumqga.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemumqga.exe"
        218⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemphebm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemphebm.exe"
        219⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwaeuu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwaeuu.exe"
        220⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrgtcv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrgtcv.exe"
        221⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzztue.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzztue.exe"
        222⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrkiax.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrkiax.exe"
        223⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtjxvh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtjxvh.exe"
        224⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuovop.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuovop.exe"
        225⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhqcjm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhqcjm.exe"
        226⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmjtwx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmjtwx.exe"
        227⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrhrrw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrhrrw.exe"
        228⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoqkkm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoqkkm.exe"
        229⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Sysqementxk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqementxk.exe"
        230⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwjtiy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwjtiy.exe"
        231⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoylsu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoylsu.exe"
        232⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembldac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembldac.exe"
        233⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmkqly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmkqly.exe"
        234⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwgsbr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwgsbr.exe"
        235⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemewphx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemewphx.exe"
        236⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjywcu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjywcu.exe"
        237⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuxjny.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuxjny.exe"
        238⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemodbnm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemodbnm.exe"
        239⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrvtqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrvtqq.exe"
        240⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwiodv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwiodv.exe"
        241⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembyudc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembyudc.exe"
        242⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemghlme.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemghlme.exe"
        243⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoslwf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoslwf.exe"
        244⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembusrk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembusrk.exe"
        245⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzzzmv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzzzmv.exe"
        246⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdmtuo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdmtuo.exe"
        247⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjkqcu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjkqcu.exe"
        248⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtgrvj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtgrvj.exe"
        249⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemebsfr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemebsfr.exe"
        250⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemramiz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemramiz.exe"
        251⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembvnsh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembvnsh.exe"
        252⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemomivy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemomivy.exe"
        253⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembzatd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembzatd.exe"
        254⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlusdl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlusdl.exe"
        255⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzhktr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzhktr.exe"
        256⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjpoqb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjpoqb.exe"
        257⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtkpjr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtkpjr.exe"
        258⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemybklz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemybklz.exe"
        259⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgfurj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgfurj.exe"
        260⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqawok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqawok.exe"
        261⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtzljt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtzljt.exe"
        262⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvrmmx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvrmmx.exe"
        263⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaegac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaegac.exe"
        264⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemshwqp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemshwqp.exe"
        265⤵
        
        PID:1332

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3644

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2328

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4468

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3080

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysqamqqvaqqd.exe

Filesize
658KB

MD5
24b73feccf5c155cf8c515ef4d1c1cf5

SHA1
3b34fd2f8b2e17388f056752ab1f4cce2b7ccd54

SHA256
6068edda2efb5d9aa57fd44f93d1db93ce0d1c07f9986c609604a58319827fcc

SHA512
36bfd44c9147b9a0dcc11c46d4373b634cfcaf4a81fa638d24ddf1fd0b475b4545786b377c9de2a7595b05da5960b759e557d27ff654ed395dd236d368ab6085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqembmgqa.exe

Filesize
658KB

MD5
1fe4cfa8888c1485308091accd1742b0

SHA1
85d492f4f330880a9798e96a19eab3360417255d

SHA256
f4d74d9d2ad1da60e81969df4e3a5c88a484801ef91f1c683a4a302e2c201f8b

SHA512
b1e976d5ad62b515db81f9de53cde5f23e7d8deed079dbf588bb4ffb47ee0dc33c0db895468b1e466b045160e323b94b04827d4769f83ef1573f6cb800dc11f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqembyduo.exe

Filesize
658KB

MD5
693ae0373aec56b904e2c16e91e41fcb

SHA1
7c0e861a4dda0669bfd1f5126c23c61751629a9f

SHA256
a8e9899b68e804188a69d6d45a80fe6b195780e020a95681b09dde9ba0104aa7

SHA512
f8f3c5ad6e1349b40e7e376fe121de27e3d08f04dd12a54964441b44d0b27f0e4a9bf0eef4371503b296cdc3d4b616cb6afbc0c719a20b45693e0b31d73b1b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemegycr.exe

Filesize
658KB

MD5
a59cf4792f46fa3c542ed48b5b368b1c

SHA1
5c42dc98554f90abd1d588f717793b07f3e09dc1

SHA256
e4c50cc1da13a2aa9523752f77a056d1178ac7432486e07c3f1ed63be3c36c56

SHA512
a8232cf4b197d07125b2848f7a379bd4ae83088e0f70018c04e7ac058f3429201698e38719ab0ba9e418cbd6a2bded3d3405c8557df4bbb5c7cebd548818a381

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemeptmt.exe

Filesize
658KB

MD5
41d566c983b194e4cb3be78b06de1a8c

SHA1
db3d719ba60aae6bec13aa8d33c9fb6e13431351

SHA256
46eec335541ae651c4bf4e23244996d807c10690318f4d7a6d9bccfee1746f08

SHA512
768e6419b76b18cf780f7c086be1a2228446cecef433a9a520d4aea00abb02451e081c426271fead2af0fc0c861001127f892d02a8d2e2d9d589bf48c148938f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemermar.exe

Filesize
658KB

MD5
d7a094689ebf7072828de62fa0fde232

SHA1
75311e6d941e923ae67c0af30afe75048378a762

SHA256
54fd9631c4a56ef75058ee682b66c1fdc204e044802de5876aa2185f6c69fa6c

SHA512
668460ced8ba47a230fcc0a3a76ccca824de62d102a43b4b6df2b93dbae7e3675d0f5b08b0eff3c2c753c2f9d9b2743b26e98777455b2ac484a6c6fc2198067a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemevomj.exe

Filesize
658KB

MD5
0c928801cb9712c79809c10f32df1468

SHA1
7e4372c307f7b0cb6b8a92502a28bc04e09924e0

SHA256
770159179371f336475593894dde54edb7b91dcab589f12d3f9b1f747d002f46

SHA512
167f4e8df4e351708bba718f62e120aec11f08033009ac627addf9b99567285b7c37b946aa05a0d501beae10f847fcce4e4b3bc3b0fb21e661513ea80352feb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemeyaef.exe

Filesize
658KB

MD5
5fffd6153df6d93f4e849c045a8c51e3

SHA1
c3a8bf215f3128bcfc7b2249d9d4923a40092bd7

SHA256
37a02a1db69229f8549a52a88c574c417913364809146b7a842e5fa1289c4755

SHA512
de122a7460d92ce3bf4b06a1939b54a84e7c9d4e0ae4defc18cf4791cd05e90e3621a591a136ef68e8526b57b411da4134eb013b6996c155de78b6ea171cb04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemjmfqh.exe

Filesize
658KB

MD5
53567f9f14552b529d38db4ddb26fe6d

SHA1
3b5055af2be54feaed1ff00ce33cf8ae99d48bc7

SHA256
910a17166e3618f701603c49ad103630a99bb74feb8c1c5aa471c52c1e05cfd9

SHA512
a77c8c75d1abe020da368f053a9c85dbb101636b799764dc6c0727e54a5b27c61a22c6ad561b920f9a851fdcfc0cecb0e60b0e33c219ce30bc327629000a8030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlzhal.exe

Filesize
658KB

MD5
b35069c111a8bfc2e224519addbd6f6a

SHA1
834f050d56eaf64d6d223b93cb7540712756bb95

SHA256
b0430a0f59934895ff41d54dede24f84dc61ed0c8b1e83360d79ca30047b49ff

SHA512
1fc2e79df32c9075266873ebe80d377f0c49968da3bcdc2fc7c873b3295ca2f639ace9756a58184099e36fafb12231884e09c669df47e4619390ab38f78ef131

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemmkzoy.exe

Filesize
658KB

MD5
f74d812838abe6b5301206f8c9fe5357

SHA1
1bafb936f586292c53df717ac987abe31cd44188

SHA256
196877c26a41effdf69281808eaa2c7eabf3e29d7a3f57495f5d2a82eff9da8e

SHA512
0cad6c78cd1469257a3ca713fa28184d5018f785fb6dcc82b087bdcc8f96ce2c3080d3e4a735df2abf076ef4d467ea1a1252cdb736f94929718fe3985194f14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemoovlx.exe

Filesize
658KB

MD5
66eb9f5e41cc8d2a563d9192993d3ff3

SHA1
6426d51b03478068e8d1573023f62acaa360acd6

SHA256
825d8d468c435c17e6185a31a03aab72f2ad7945180aeef75163ef69850f12fb

SHA512
c475fecaaf879de9739750e9f1f4c9286ee272f254d2977c8a42f34cc5f3d25129e9c6b4e829c123cfb29afeb73e1cd58b9f8a0668b1d0cf46418961245b81c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemuahfl.exe

Filesize
658KB

MD5
a305283c586dce6ca8bf8a544a3382b6

SHA1
1daffc14d7788efe4a0a1adcbbf572c39dfed029

SHA256
b8ffa096792940931dcb2f60b6976ef90f17080d56f9cd4b840adfddaf3d36b3

SHA512
849a03c73bf3eceb855799c63656172f7fd0367e93b87e8870aca1b7f855a65802b5a48e4a90d064706ab57aba2316466c63e4b87dcb9e36a27b29ccb22aa0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemwhnih.exe

Filesize
658KB

MD5
861f8c4c236cedcbb37472e4eb2cf44f

SHA1
cd23dc65c3d3d393dc64ad6887f17c5b5ac93d00

SHA256
bdca60ecc7542db3ce264544d8537dd0c49642ffe945edb750384aa41ab57398

SHA512
8f169e8ad34e6c8e3f28c6a3c1a0225324e2c6343a85fcb27f94e0274f7562e8f1eee235beab8484c0dd052ad798c72785bed0d57e792a076a609370255dd0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemwrpxq.exe

Filesize
658KB

MD5
8dbc2036f6ae1b056072f38f563a9b6b

SHA1
5617cac0e9800597151dfb049f604b5e03245031

SHA256
5adb9c9cd7d187a03ef1c535b1d3426a4d88c5142e80af26ca0b59ac087e1606

SHA512
0fdbd44f6e13077c7ec184d3a33f30137fd073b3d296bf5fdf4f8233cf20eaa5e7c28477378eeb20e16286ed99dbc1c961dfe95e81d9e958a96955ba9bc2f887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemwsxyp.exe

Filesize
658KB

MD5
39e48af77bc6f50fc9ea8bd213e2b536

SHA1
891bbe331739bf921df10ed218282adb29c17d8b

SHA256
d76933a35a79fd07a9d20dc03762007d5c6d6a7c1fa0f5263e1508cd8e702e72

SHA512
b8faea4bfa8fd93caf42e63a7a2e3176c4bdb200def8d980e39ac4fe9bc7541d554c78aea8d3a6d14d0901ac2139656c46b06397ef0d829b3a29474e3a0380b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemynkuh.exe

Filesize
658KB

MD5
3e1dbcd062d7589559378c89506dea8c

SHA1
491275700b3d36d731c32e304e5c486bd1e91925

SHA256
1b6cdf2509fdc76b2f1de3b17efa9f7bec8e02fa45da8ac32579415a893d5557

SHA512
7c2df552979b156c9bc4f1f8797dd63e14c57d623550618401c9381e021304bafb7187cf7f6b1d85ad88ae8cd1005b279eda73eba8fb19a3144fffea8d2f684c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemzqefi.exe

Filesize
658KB

MD5
950174900cb2718b38f126f7f10472ea

SHA1
945914f369145d5a4703e064c0a646a9dba0c720

SHA256
e68e8d8401315c1d0f9ac7e9b7f126b144914dffa671759c145aa175c243c0dc

SHA512
cf6ceb8a49596a1736cb8faa4582367c4e4d3e9d2b47cfa2a7a6dba1ba80670d6153f4ca844bb05a87a0b54450ed5fe483175ac53ed65e0eb96a628f4a008cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemzyenr.exe

Filesize
658KB

MD5
52ca7a71b4032483ee52babc4ee0e036

SHA1
635e99ae51bc9240639379de971a949956e75061

SHA256
700d5b398fc154edf37ae193b71117164ac70c7b61e0be5e22c389edef0c162f

SHA512
cb5e695fe5a504866a1cfb53cee2b98a7385eb6bb48c6678211380e33ed7697db05f7743768238db4f7a0dd46e48bd0c24d720c824d02900244eb1e4679b4467

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
a2b7fb2172d1e48fa46f7d185274cd6d

SHA1
0c0c2aa68204fecfd2d135e6d3ed84a3ef2446a4

SHA256
7e2a3e162931fd050fbd4685a02a937426c4b7599d7c0f01c393a1cf33aa6017

SHA512
d359e1c1d59e6baa813ea46aba7b85ac1cab7a0fe87b1062fdfa231c0634c257f7d5b85602e2195aac36ba1db2517560b615101599327261711e0a89ca85a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
422c7117cfc5f94e985d3deb22016a66

SHA1
f053677ce586a8e0c2ae82221506b5105f38269a

SHA256
ab7e06b1e5c13c084dec9a9aa430414a341527cf51069b583b2b87e83a9b9367

SHA512
2beb62d19a61997891171d7dedfb2d73acd2dfb0e5de5ade8f76372f02209f34283e1d82fe3bb7f915f67bd94f8677ed17db040882fa496f04b8c5b0d0971902

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
25c85047bb5ab2f4f5148bb79cc335f2

SHA1
f0aaed14ed609b58a30cb6f2c5c88182f45ab5e4

SHA256
37d4ce02327697820f7a7fe5e1a6435a2a48d5e6fbd0a02c26227283b04278f3

SHA512
54493399db4fefd05054f772fd82d90f2042e6841bbc8e43868ca779e03c076b558dd530845f1eba303b4ce6ccc5397164a309ced561135d95ebdafa6b5c17eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
2a1045ef010cf6a7909a47414f8a0f6e

SHA1
a56189d937671b6f680a60f120ff743569f4c7b6

SHA256
91e4b46a01918f6c933b0741231b3fa0e0b45cf4b001e2b62944e3ee7be080ce

SHA512
0cf6ce1e7eff063bb49124fd585249f3a1b66b82d92c3e2db7541b3378479c25f0e1dc4eb498308afec4025d98f2b1c89041d6c6488175191cf67e8edfd15ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
335dd9767a554fe68688ad0a23f245c5

SHA1
930861c8661d90d9cf146d1405b2305bab28ebbe

SHA256
34109738da7ddf661ce8ba105d748ce7600566531ebea1fd1da1ee801d82bdd1

SHA512
cd5cc441d0afb2f1b2acc4f823725c9218c74b460a3684d28774915da8a1ee7ab2051d32bbc8c51269d3e66b824c5b462db3395a058bbddeebef6a7323a66aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
d0060781458e9526af3f24dcf5103670

SHA1
beb77316460a7a6c75e08522a6601e1232cf0126

SHA256
86045d42cace6e75ca5dc26d9db266455787b67fa09a2c667d5d0474ff58847a

SHA512
6e775eb6e7daa079f69eaf51721ac14de7908687530c80be5c012e2b4d55e4b8b70fd7f8ef71aba2da15e91250553bab8eafa542b606653af4157906a3e2df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
031f77d35a17f2152311863601772038

SHA1
12cc2d5dc8861e9a05c048a555380f35afb920f2

SHA256
6258746cd326b580d035e556c770db8e76d6710affbc70010ebf41f5158fa5f6

SHA512
9ec3638c53f64ea135dbd46dd2e7fa395ebb0eea135e87373e0362fd8fcaf31fae8be8d9f99cf862cd58c343d713046ab1b495a2c5e13f65949d38b8f39945de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
2e3e25e99c39ac96b70c4065a197337c

SHA1
ffce3fe00dcafe80c8d9828e3e28fdff8ddc2380

SHA256
fa61ea2c353dcade0a027dbe6a9fc2a8cdbb0a81041cc6438dd96c7d12201480

SHA512
94f3aa7eb3bc3990d085428a5e3809de61c84c3978dacd8ff3d41b80b2be9fdd09699a2a13d9b220c4a6ee4534538610fa1be6024bbd225490a73f889e5bccf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
bc585a1657467ad979ac704074cf95d0

SHA1
7d356cfaf541b74890d4b90feba2a5735607dc02

SHA256
11347aec5dc71a5892a9a87ec9ac19a33d0d0a79e45a289fabc8c8e3ee22be26

SHA512
a418de0ce2bcaf7ba210679414ece9699c4c9d4be3a77ee131be6eafa5d66073c395fd484afdc1ff310e7abc71e6cde34b12c247fe32438c87fe44beb31980c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
a418504141cbf45e8b024088e417ba2e

SHA1
acc2e1bc2a0972ae65b4adf416e1b748c2b2e919

SHA256
6f3561dbae8c9be21de7100ab74acfedd3e1033480a58e75ff7b7acc9297de9f

SHA512
34bd480228e13aa01781b1b80a821ad1683c46c9acd6ded35eaea2faabdd71ebb2f59825c9bec160c02840d652f41edd097caed38bfed31e8048caada78478de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
9ab61090f4767daa943ab250e7a81ae4

SHA1
834adee4ad62d1e46aba90c8164db1c932395c46

SHA256
e270a925914f4692c78b533eafddc96bd4f2c5cd3daa69b0c104a293d87f7064

SHA512
6a6e044ed87a1ca414855558d9f9d4f538bc0fb3f927b37362d545e77b1a34e771b86ec71c22a9e5a0cbc0597165f0a1917de0ca0f0693b2101577bc750675f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
0654f25fa3078b59b444251911b55e03

SHA1
013320f1e69a7f74c0dbfbb8cb3238300726c0b5

SHA256
60c7fb078d232a902d99c980eb6ac18cae6174182574f25cb1943681be761ed2

SHA512
5bc3a9a3d5ed4a5e141f314d8b39e4e17746f2ca1d8551708a7b39f05a3d45170ddae31f708370623d16eeafdc989da487afc50a1fd0aa101319c26896ceb675

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f535e7aab02fef415f116685c7d6ee08

SHA1
31974bfc6533d0a7a23c510f2af181cfde9af810

SHA256
082d8ac345b470bba99b6beb5458fb05f09616a84067258b3a1436765ef25da0

SHA512
ee147ae7074d7664cf521e369eede66948642eadb0073053a9eae5ab065db790280ad944a992becf1aa75aa44cda69353dbbafa59b2d15292bcb6f815b3ab940

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f48452eadb4133b7787b102cbbba3aa9

SHA1
0d61f11e573b0f34e6e0a675f263a0557b96d6fd

SHA256
20f30d39e0b0e1e2508dda0abf717e5276d5acb71d77c9cc4db4993cfc954073

SHA512
34e6515c1d4bd13087413c5e676c69f46adb2610f7db3b80e05bdc2dd58b9696c69bedf2ba77c69d51e754ed5d63c7883b040f1b5c72c8312a3f38c38f5b4423

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
e898e021af2ba4d739ace9ef723ecd5a

SHA1
924b62c5237a63c382ac79bcea7720dd05c1556e

SHA256
fed456524ab04fbe94b9ae56e9aa8bc4ff4306fc84a6b4f8e3ccd40c92088705

SHA512
e2ddf73fec15265462dda902b8d7a59e883961b64d7a1072f6a1508599cbd682be7e785699e85768ad7b84e2acc97a2ad66339c3f01c08f5c3b43745d57a9dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
d7ba2dd5f9cf83c872444ccd3913421c

SHA1
5c1d0a688e7e21991b8a6c4633203b438a0fd63f

SHA256
fc8ccf8b23db03d796d44777145178652ab571708e61dafe00ed95bddcf56951

SHA512
412ce20c1518427719279b626baff9482bbf35c35315e1f928b58324915e87823b4b6186e71182887ce9d139396b10f3ac333c3f8485feded32e76761a81778c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
6e5075cf03b38f37248d3b2fc1d9cf33

SHA1
7d0fdec635b117dfbe43f4a74c4605164afeaedf

SHA256
d98739b33817c6786ab32202b4d8bceb725fb0afdc0ed6ac4e06c95d24b41d40

SHA512
b28e5f04bcb3b13fdb7ba868554c7c5726e38ebaf14dda95c68320340986731017503b516d3b951322cce521e9f490508f6b441a15b591e7d0570819311476ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
2004af7a83e2077c4916d5b17eec0d6c

SHA1
7aeb133a2cf3f8d371428f55bbb523b48cc44bab

SHA256
b6f80cf927076edfd63d840d1b98c672fbc63f042a68f141d179b4f1df01d6df

SHA512
a89ddb8be38fb77a7fd99164d19567bbdf0e9621cb8360a1303885bcede2f84e2bb5f88e1dd3670abdddbb66dcde7f1cef4d25180873a7f830ee934f7e68eb1d

Download Submit