51683cf301a82933ca880cbc7a6781df8aa5109a69b43fb3ab0d5a31b0fd4143

Analysis

max time kernel
88s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f327d9a807a64bffb36495f34400a40N.exe
Size

728KB
MD5

4f327d9a807a64bffb36495f34400a40
SHA1

58d1c85f90438136b602214ea8825678ac69b16a
SHA256

51683cf301a82933ca880cbc7a6781df8aa5109a69b43fb3ab0d5a31b0fd4143
SHA512

e498fb8dff3407f642a23cf87f13b5d959e55f1785505847cbf978da4dd45b8d3f13c86e3a727b43bc4911f96366798241d75edac66fed51b11d3acaac04c377
SSDEEP

6144:dqDAwl0xPTMiR9JSSxPUKYGdodH/baqE7Al8jk2jcbaqE7Al8jk2jx:d+67XR9JSSxvYGdodH/1CVc1CVx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemftnhl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	4f327d9a807a64bffb36495f34400a40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemqnysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemipyqt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemqkgex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemojegy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemldaos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemafzqq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemocmbl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemfxbty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemydbgc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemcrqfo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemgjiqy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemcgjxx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemdpndc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemyjjvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemybjco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemuldxa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemeonlw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemwjtiz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemixlyr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemrfozz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemcaksn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemcbftr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemhiakh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemghnxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemednxj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemojqhm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemfwdex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemdysta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemuujfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemhxlfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemtlozu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemznvvw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemccrox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqempbnwr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemnpebr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemdpqyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemsnscb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemvyqnf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemdwtij.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemgbhhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemfaqjb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemwxbsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemfahfm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemstdrr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemkcibx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqembamkm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemyuvxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemlemzb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqempkmrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemgikbx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemapird.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemjrsly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemroqex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqembmckr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemdwsmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqembipne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemvhduc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemgathl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemtssrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqempkruw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemyaiyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Sysqemsoomw.exe

Executes dropped EXE 64 IoCs

pid	Process
1920	Sysqemrfozz.exe
5020	Sysqemdwsmc.exe
2376	Sysqemlormi.exe
1764	Sysqemybjco.exe
2520	Sysqembipne.exe
1696	Sysqemlafsq.exe
4356	Sysqemqnysc.exe
2764	Sysqemycunn.exe
864	Sysqemyuvxh.exe
428	Sysqemjmkdm.exe
3448	Sysqemoosyd.exe
4740	Sysqemttxgq.exe
2912	Sysqemdpqyy.exe
4380	Sysqemlxmqs.exe
2208	Sysqemqyuli.exe
3500	Sysqemqkgex.exe
1600	Sysqemvhduc.exe
2940	Sysqemlemzb.exe
2472	Sysqemajvmh.exe
3532	Sysqemqsguu.exe
1556	Sysqemsnscb.exe
4388	Sysqemardve.exe
2732	Sysqemvjxyt.exe
2284	Sysqemgikbx.exe
208	Sysqemazeem.exe
2868	Sysqemaobjl.exe
724	Sysqemadzoc.exe
4276	Sysqemsoomw.exe
408	Sysqemnfhpl.exe
3584	Sysqemgbhhh.exe
2836	Sysqemvyqnf.exe
1956	Sysqemssmad.exe
2260	Sysqemcrqfo.exe
780	Sysqemgjiqy.exe
1836	Sysqemsalda.exe
3200	Sysqemipyqt.exe
4204	Sysqemseatc.exe
536	Sysqemdzcrv.exe
4888	Sysqemapird.exe
4088	Sysqemnrxma.exe
2336	Sysqemfklsu.exe
4288	Sysqemcaksn.exe
1956	Sysqemsqfgf.exe
860	Sysqemxcztk.exe
1444	Sysqemcbftr.exe
548	Sysqempdmow.exe
2088	Sysqemfawcu.exe
5020	Sysqempkmrt.exe
1212	Sysqemfahfm.exe
4244	Sysqemscoaj.exe
2688	Sysqemfigiq.exe
4724	Sysqemvxtvj.exe
920	Sysqemcjbgj.exe
3980	Sysqemxaujh.exe
4656	Sysqemcnnrg.exe
836	Sysqemppcml.exe
4332	Sysqemcgyug.exe
4020	Sysqemnnlfc.exe
4976	Sysqemcgjxx.exe
4156	Sysqemhiakh.exe
1364	Sysqemmvvym.exe
2940	Sysqemhxaje.exe
2284	Sysqematsta.exe
1836	Sysqemstdrr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemsqfgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgzwfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemixlyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemehllr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemyjjvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlormi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemqnysc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemazeem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemcnnrg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemppcml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemtlozu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlfagq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlafsq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgjiqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemfkwhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqembmckr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemqkgex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemsnscb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemipyqt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemjicry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f327d9a807a64bffb36495f34400a40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgikbx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemppool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemsylzc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemsalda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemfklsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemkcibx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemccrox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemojegy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemeonlw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqembqfyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemtssrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemldaos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemjmkdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemttxgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemcbftr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemnnlfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemmvvym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemyuabb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemydbgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemoosyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvhduc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemadzoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqematsta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgpgeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemfxbty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemkoraq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemfdpvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemhxaje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemednxj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemghnxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemobcdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvlfoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemnpebr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemyfijp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqembipne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemdysta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemfcers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqempkruw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvyqnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemcrqfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemscoaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemcgjxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqempjkrs.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemiqgho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemapird.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyfijp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcjbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlfagq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempdmow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvxtvj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuaegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemojqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvlfoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemldaos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlemzb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemipyqt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemznvvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwjtiz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgpgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyuabb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsnscb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdzcrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyaiyq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsylzc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemydbgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnaagv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtlozu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrslak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcgyug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmvvym.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemojegy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemngezw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemssmad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemscoaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtssrj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemehllr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdwtij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemclrmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyvrym.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemghnxl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemobcdy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemazeem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvyqnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsalda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfawcu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfaqjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemeonlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemiztft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemycunn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgbhhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlxmqs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkedni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlormi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdpqyy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempnjsl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwxbsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjrsly.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtrlyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemppool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemseatc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfahfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemaobjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcaksn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemnnlfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemevtng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfxbty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfbwem.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1920	2476	4f327d9a807a64bffb36495f34400a40N.exe	86
PID 2476 wrote to memory of 1920	2476	4f327d9a807a64bffb36495f34400a40N.exe	86
PID 2476 wrote to memory of 1920	2476	4f327d9a807a64bffb36495f34400a40N.exe	86
PID 1920 wrote to memory of 5020	1920	Sysqemrfozz.exe	88
PID 1920 wrote to memory of 5020	1920	Sysqemrfozz.exe	88
PID 1920 wrote to memory of 5020	1920	Sysqemrfozz.exe	88
PID 5020 wrote to memory of 2376	5020	Sysqemdwsmc.exe	89
PID 5020 wrote to memory of 2376	5020	Sysqemdwsmc.exe	89
PID 5020 wrote to memory of 2376	5020	Sysqemdwsmc.exe	89
PID 2376 wrote to memory of 1764	2376	Sysqemlormi.exe	90
PID 2376 wrote to memory of 1764	2376	Sysqemlormi.exe	90
PID 2376 wrote to memory of 1764	2376	Sysqemlormi.exe	90
PID 1764 wrote to memory of 2520	1764	Sysqemybjco.exe	91
PID 1764 wrote to memory of 2520	1764	Sysqemybjco.exe	91
PID 1764 wrote to memory of 2520	1764	Sysqemybjco.exe	91
PID 2520 wrote to memory of 1696	2520	Sysqembipne.exe	92
PID 2520 wrote to memory of 1696	2520	Sysqembipne.exe	92
PID 2520 wrote to memory of 1696	2520	Sysqembipne.exe	92
PID 1696 wrote to memory of 4356	1696	Sysqemlafsq.exe	93
PID 1696 wrote to memory of 4356	1696	Sysqemlafsq.exe	93
PID 1696 wrote to memory of 4356	1696	Sysqemlafsq.exe	93
PID 4356 wrote to memory of 2764	4356	Sysqemqnysc.exe	94
PID 4356 wrote to memory of 2764	4356	Sysqemqnysc.exe	94
PID 4356 wrote to memory of 2764	4356	Sysqemqnysc.exe	94
PID 2764 wrote to memory of 864	2764	Sysqemycunn.exe	95
PID 2764 wrote to memory of 864	2764	Sysqemycunn.exe	95
PID 2764 wrote to memory of 864	2764	Sysqemycunn.exe	95
PID 864 wrote to memory of 428	864	Sysqemyuvxh.exe	98
PID 864 wrote to memory of 428	864	Sysqemyuvxh.exe	98
PID 864 wrote to memory of 428	864	Sysqemyuvxh.exe	98
PID 428 wrote to memory of 3448	428	Sysqemjmkdm.exe	99
PID 428 wrote to memory of 3448	428	Sysqemjmkdm.exe	99
PID 428 wrote to memory of 3448	428	Sysqemjmkdm.exe	99
PID 3448 wrote to memory of 4740	3448	Sysqemoosyd.exe	100
PID 3448 wrote to memory of 4740	3448	Sysqemoosyd.exe	100
PID 3448 wrote to memory of 4740	3448	Sysqemoosyd.exe	100
PID 4740 wrote to memory of 2912	4740	Sysqemttxgq.exe	101
PID 4740 wrote to memory of 2912	4740	Sysqemttxgq.exe	101
PID 4740 wrote to memory of 2912	4740	Sysqemttxgq.exe	101
PID 2912 wrote to memory of 4380	2912	Sysqemdpqyy.exe	104
PID 2912 wrote to memory of 4380	2912	Sysqemdpqyy.exe	104
PID 2912 wrote to memory of 4380	2912	Sysqemdpqyy.exe	104
PID 4380 wrote to memory of 2208	4380	Sysqemlxmqs.exe	105
PID 4380 wrote to memory of 2208	4380	Sysqemlxmqs.exe	105
PID 4380 wrote to memory of 2208	4380	Sysqemlxmqs.exe	105
PID 2208 wrote to memory of 3500	2208	Sysqemqyuli.exe	106
PID 2208 wrote to memory of 3500	2208	Sysqemqyuli.exe	106
PID 2208 wrote to memory of 3500	2208	Sysqemqyuli.exe	106
PID 3500 wrote to memory of 1600	3500	Sysqemqkgex.exe	107
PID 3500 wrote to memory of 1600	3500	Sysqemqkgex.exe	107
PID 3500 wrote to memory of 1600	3500	Sysqemqkgex.exe	107
PID 1600 wrote to memory of 2940	1600	Sysqemvhduc.exe	108
PID 1600 wrote to memory of 2940	1600	Sysqemvhduc.exe	108
PID 1600 wrote to memory of 2940	1600	Sysqemvhduc.exe	108
PID 2940 wrote to memory of 2472	2940	Sysqemlemzb.exe	109
PID 2940 wrote to memory of 2472	2940	Sysqemlemzb.exe	109
PID 2940 wrote to memory of 2472	2940	Sysqemlemzb.exe	109
PID 2472 wrote to memory of 3532	2472	Sysqemajvmh.exe	111
PID 2472 wrote to memory of 3532	2472	Sysqemajvmh.exe	111
PID 2472 wrote to memory of 3532	2472	Sysqemajvmh.exe	111
PID 3532 wrote to memory of 1556	3532	Sysqemqsguu.exe	112
PID 3532 wrote to memory of 1556	3532	Sysqemqsguu.exe	112
PID 3532 wrote to memory of 1556	3532	Sysqemqsguu.exe	112
PID 1556 wrote to memory of 4388	1556	Sysqemsnscb.exe	113

C:\Users\Admin\AppData\Local\Temp\4f327d9a807a64bffb36495f34400a40N.exe
"C:\Users\Admin\AppData\Local\Temp\4f327d9a807a64bffb36495f34400a40N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\Sysqemrfozz.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysqemrfozz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\Sysqemdwsmc.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysqemdwsmc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\Sysqemlormi.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysqemlormi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\Sysqemybjco.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemybjco.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\Sysqembipne.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembipne.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlafsq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlafsq.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqnysc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqnysc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemycunn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemycunn.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyuvxh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyuvxh.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjmkdm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjmkdm.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoosyd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoosyd.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemttxgq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemttxgq.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdpqyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdpqyy.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlxmqs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlxmqs.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqyuli.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqyuli.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqkgex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqkgex.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvhduc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvhduc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlemzb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlemzb.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemajvmh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemajvmh.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqsguu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqsguu.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsnscb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsnscb.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemardve.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemardve.exe"
        23⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvjxyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvjxyt.exe"
        24⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgikbx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgikbx.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemazeem.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemazeem.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaobjl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaobjl.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemadzoc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemadzoc.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsoomw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsoomw.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnfhpl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnfhpl.exe"
        30⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgbhhh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgbhhh.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvyqnf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvyqnf.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemssmad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemssmad.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcrqfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcrqfo.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgjiqy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgjiqy.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsalda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsalda.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemipyqt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemipyqt.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemseatc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemseatc.exe"
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdzcrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdzcrv.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemapird.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemapird.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnrxma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnrxma.exe"
        41⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfklsu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfklsu.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcaksn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcaksn.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsqfgf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsqfgf.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxcztk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxcztk.exe"
        45⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcbftr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcbftr.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempdmow.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempdmow.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfawcu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfawcu.exe"
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempkmrt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempkmrt.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfahfm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfahfm.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemscoaj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemscoaj.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfigiq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfigiq.exe"
        52⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvxtvj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvxtvj.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcjbgj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcjbgj.exe"
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxaujh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxaujh.exe"
        55⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcnnrg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcnnrg.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemppcml.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemppcml.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcgyug.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcgyug.exe"
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnnlfc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnnlfc.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcgjxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcgjxx.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhiakh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhiakh.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmvvym.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmvvym.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhxaje.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhxaje.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Sysqematsta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqematsta.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemstdrr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemstdrr.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempjkrs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempjkrs.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemclrmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemclrmp.exe"
        67⤵
        Modifies registry class
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhfkpa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhfkpa.exe"
        68⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuldxa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuldxa.exe"
        69⤵
        Checks computer location settings
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemevtng.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemevtng.exe"
        70⤵
        Modifies registry class
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempnjsl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempnjsl.exe"
        71⤵
        Modifies registry class
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemafzqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemafzqq.exe"
        72⤵
        Checks computer location settings
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkedni.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkedni.exe"
        73⤵
        Modifies registry class
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuaegq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuaegq.exe"
        74⤵
        Modifies registry class
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemznvvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemznvvw.exe"
        75⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfaqjb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfaqjb.exe"
        76⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuxzwz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuxzwz.exe"
        77⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkcibx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkcibx.exe"
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrjwhc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrjwhc.exe"
        79⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemelmcz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemelmcz.exe"
        80⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemftnhl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemftnhl.exe"
        81⤵
        Checks computer location settings
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwxbsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwxbsn.exe"
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuujfa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuujfa.exe"
        83⤵
        Checks computer location settings
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjrsly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjrsly.exe"
        84⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjgrwa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjgrwa.exe"
        85⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemccrox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemccrox.exe"
        86⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempbnwr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempbnwr.exe"
        87⤵
        Checks computer location settings
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemroqex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemroqex.exe"
        88⤵
        Checks computer location settings
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhxlfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhxlfy.exe"
        89⤵
        Checks computer location settings
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempxlky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempxlky.exe"
        90⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjwafi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjwafi.exe"
        91⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwjtiz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwjtiz.exe"
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemojegy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemojegy.exe"
        93⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeonlw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeonlw.exe"
        94⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtlozu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtlozu.exe"
        95⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoyeop.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoyeop.exe"
        96⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembamkm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembamkm.exe"
        97⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtaxhl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtaxhl.exe"
        98⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemednxj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemednxj.exe"
        99⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrfcsp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrfcsp.exe"
        100⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyvrym.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyvrym.exe"
        101⤵
        Modifies registry class
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemehllr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemehllr.exe"
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembqfyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembqfyy.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembusjh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembusjh.exe"
        104⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemghnxl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemghnxl.exe"
        105⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjcpun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjcpun.exe"
        106⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrslak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrslak.exe"
        107⤵
        Modifies registry class
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyaiyq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyaiyq.exe"
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlfagq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlfagq.exe"
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtrlyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtrlyt.exe"
        110⤵
        Modifies registry class
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembziez.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembziez.exe"
        111⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgpgeg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgpgeg.exe"
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdnokl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdnokl.exe"
        113⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemojqhm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemojqhm.exe"
        114⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgunxa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgunxa.exe"
        115⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemobcdy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemobcdy.exe"
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemocmbl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemocmbl.exe"
        117⤵
        Checks computer location settings
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjicry.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjicry.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyjart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyjart.exe"
        119⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyuabb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyuabb.exe"
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfkwhh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfkwhh.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembmckr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembmckr.exe"
        122⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdwtij.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdwtij.exe"
        123⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgzwfw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgzwfw.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdxdfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdxdfx.exe"
        125⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfgvvp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfgvvp.exe"
        126⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdpndc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdpndc.exe"
        127⤵
        Checks computer location settings
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvlfoy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvlfoy.exe"
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfwdex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfwdex.exe"
        129⤵
        Checks computer location settings
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsylzc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsylzc.exe"
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnpebr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnpebr.exe"
        131⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgathl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgathl.exe"
        132⤵
        Checks computer location settings
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlqzhs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlqzhs.exe"
        133⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemakxio.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemakxio.exe"
        134⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiztft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiztft.exe"
        135⤵
        Modifies registry class
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfxbty.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfxbty.exe"
        136⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdysta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdysta.exe"
        137⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemppool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemppool.exe"
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtssrj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtssrj.exe"
        139⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfbwem.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfbwem.exe"
        140⤵
        Modifies registry class
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkoraq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkoraq.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyjjvi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyjjvi.exe"
        142⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemixlyr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemixlyr.exe"
        143⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemldaos.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemldaos.exe"
        144⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyfijp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyfijp.exe"
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiqgho.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiqgho.exe"
        146⤵
        Modifies registry class
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemngezw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemngezw.exe"
        147⤵
        Modifies registry class
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfcers.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfcers.exe"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempkruw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempkruw.exe"
        149⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfdpvr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfdpvr.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdmzdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdmzdf.exe"
        151⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemydbgc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemydbgc.exe"
        152⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnaagv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnaagv.exe"
        153⤵
        Modifies registry class
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhvnov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhvnov.exe"
        154⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkbtyk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkbtyk.exe"
        155⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfpkox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfpkox.exe"
        156⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemumttv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemumttv.exe"
        157⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsrspn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsrspn.exe"
        158⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemphzpg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemphzpg.exe"
        159⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaomak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaomak.exe"
        160⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkycpj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkycpj.exe"
        161⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcjrvd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcjrvd.exe"
        162⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemadnit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemadnit.exe"
        163⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempehau.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempehau.exe"
        164⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzlmly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzlmly.exe"
        165⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuydbk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuydbk.exe"
        166⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemptijk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemptijk.exe"
        167⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmfdei.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmfdei.exe"
        168⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxmrhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxmrhe.exe"
        169⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemapufr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemapufr.exe"
        170⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrsipt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrsipt.exe"
        171⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemksjve.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemksjve.exe"
        172⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcpjna.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcpjna.exe"
        173⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxjovs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxjovs.exe"
        174⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwylas.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwylas.exe"
        175⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxvbba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxvbba.exe"
        176⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsmdeq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsmdeq.exe"
        177⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsbtbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsbtbp.exe"
        178⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembpcer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembpcer.exe"
        179⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxrapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxrapi.exe"
        180⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmauhj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmauhj.exe"
        181⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxkkno.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxkkno.exe"
        182⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzcbcg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzcbcg.exe"
        183⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjxcno.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjxcno.exe"
        184⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwoxpw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwoxpw.exe"
        185⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhgmvj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhgmvj.exe"
        186⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkmbfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkmbfy.exe"
        187⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempojah.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempojah.exe"
        188⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzvvyz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzvvyz.exe"
        189⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemetsgf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemetsgf.exe"
        190⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemscyqi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemscyqi.exe"
        191⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwhsyb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwhsyb.exe"
        192⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhzhwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhzhwg.exe"
        193⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrkxgb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrkxgb.exe"
        194⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzcwgi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzcwgi.exe"
        195⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembjkrx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembjkrx.exe"
        196⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjjjrm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjjjrm.exe"
        197⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemutzpq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemutzpq.exe"
        198⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzzwfe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzzwfe.exe"
        199⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemopcfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemopcfx.exe"
        200⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhlcpt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhlcpt.exe"
        201⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhasvk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhasvk.exe"
        202⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmumyv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmumyv.exe"
        203⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Sysqememxvu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqememxvu.exe"
        204⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjwfql.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjwfql.exe"
        205⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeqkyd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeqkyd.exe"
        206⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrpgox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrpgox.exe"
        207⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemredlw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemredlw.exe"
        208⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemczfjp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemczfjp.exe"
        209⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrwoxn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrwoxn.exe"
        210⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzxnxc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzxnxc.exe"
        211⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjwsum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjwsum.exe"
        212⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtssfu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtssfu.exe"
        213⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhfkua.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhfkua.exe"
        214⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemradnp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemradnp.exe"
        215⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembwexx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembwexx.exe"
        216⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemougag.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemougag.exe"
        217⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlkfah.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlkfah.exe"
        218⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwcwlx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwcwlx.exe"
        219⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuwagn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuwagn.exe"
        220⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemevfjr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemevfjr.exe"
        221⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmlcox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmlcox.exe"
        222⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemozdrz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemozdrz.exe"
        223⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwadxz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwadxz.exe"
        224⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgkcny.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgkcny.exe"
        225⤵
        
        PID:540

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysqamqqvaqqd.exe

Filesize
728KB

MD5
193f7d55d8f2de33cf3fd2e06701a4d6

SHA1
478ad629385dc0bd770d65a206d9bba5a92939e6

SHA256
8720758144760ddda36d259b45b61e01c103f78a22be57a006f671c302b91ce7

SHA512
a98e0faf9ac8c0c8b0be0896c41316cd7c8888f195f8351374d5f645973c38bba7f4b97d76c6a999e896d2d8d0b86380fe3d1a4ce2ddb42f82f2a2cbbdbb8f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemajvmh.exe

Filesize
728KB

MD5
d975f42e74a4bb1f31feb073e35f8e84

SHA1
649de1b82737ee83c46b19147d9f11d35098a9bc

SHA256
f9305caca5703f4c1755d0b17856be1617382d6121009c393e73436103f5306d

SHA512
1cf7acc6587682cebfb2984b43571c1247dd3be3ce655b205e94e79050c3e0b5884e5866ef99804c156ead0537a22ea47374d983a3a5d79f9fd1e87550d58930

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqembipne.exe

Filesize
728KB

MD5
23ce1493f0328ad7b5c8be1f70aaa296

SHA1
3c50a552363e3bdf75706ad7a7717899952be99b

SHA256
1c2f3aeba4bcdcec1853b0c9fe2ae753c25872707f4dcee011d30f6fdf86ee0d

SHA512
7a4725bb02e93408affe73637d744e6ce7a8e27937ffb0e43f6b3e606942d2ee9b978ac0ce064860130cbc5c6df8ab5dc31699378a75ef78dbf0a7907c5c0dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemdpqyy.exe

Filesize
728KB

MD5
61cbafda93d22ee4154bd0a127cda101

SHA1
5576038fed8d10e11ac79bf395c5451fa433df84

SHA256
52d911cc799e7cb9bdb4941cf735ebacf9d451a98c13cb56e3dbd41dd8791816

SHA512
aaf6afb979dcda55c201b1f3e5234debe11cd2057b1a98396a267d1e21073d9cbcc26a4cc240c305b31e150b3046bd409afdbf543570c8292ec4bfd7df575df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemdwsmc.exe

Filesize
728KB

MD5
466fbdae382061db836f9ab5aaa20e49

SHA1
f32409a9e886b3530977842eb5633e0504b086fc

SHA256
1ea3de490b6cac6bfc7856128a55f6b7633714b0bfddffba80fe3c3b13494370

SHA512
c711b72478dbcb8727511135ec47169b5712c408176437858c2a780dc7ed367bd5ade454c5cf8c4727bc69f35ddc145f50dd27753e352ae96d50d5c7f440c13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemjmkdm.exe

Filesize
728KB

MD5
6d797dce5c3f47474e53cc21bb871963

SHA1
1e94c7ab57db442ed390667ade3fb26ccef7f0d3

SHA256
a82073aa5cd51e551447ba9c877ff8b04557b0bb5eb46f36a50f04392a475b54

SHA512
c2bb1483ca748841e885be336f65840c4b2f9810f3ad804008020eb00669ea722d999b42186fa6841508d2963003228ec9e81094a8c2c59f474d368b0a60fdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlafsq.exe

Filesize
728KB

MD5
538e63b17ec4798cf52bd893b9616ab8

SHA1
980b7fa08c495abf091c84bbc15c955cd6cd2ed4

SHA256
f0f5752b68dc3e39a0d908e6a8d1573ba2ea0792e5d21a752d21aa85d82df27b

SHA512
6b986e493caaa271fff3624eb89a551c0e9ed697e8194a72242afebde33984f4a1067dc56284713f8664dc777a9692f41959c6370febd5f2183b136015b7d01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlemzb.exe

Filesize
728KB

MD5
4384852c4cda93c786e13cf767716b0e

SHA1
b77e7e5b6250d487fb464757348de9a7c5eac729

SHA256
4be253414afba7a8c509a4b19f11cc80f3ac9e4e161c1b5437983da03f96f171

SHA512
a94fe146a8aba74acbceb58aacaacf07a433bf7071e8c0298c2fc6451354dd96965e6732d291f1887ad465727d50ad619923696082bee0c42c651dbbc7344aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlormi.exe

Filesize
728KB

MD5
a454ede1daea5c06ed0a5ac30960f70f

SHA1
b50bf66a9e88beae6e6af4dad9c4058345d43948

SHA256
b106048a57879166dd76162d8ec8acb9b3d74b2a6866a452491e5cfe6250b06d

SHA512
743d3f6b2a532a880c5ed0eaca2a2ae9ad7381380b4bc02bb196034aea3a4dc09c6f93bb65e8c444d326d2044cbcadd8d7a63d6d38009b934e5b31fcdb30e747

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlxmqs.exe

Filesize
728KB

MD5
3c2dbd69847e146f2f1a5f1c822a50dd

SHA1
c495b84f0b71d53777bd1c4500dcc022f1948017

SHA256
d7439fdb5cf60cd4f7ec48f8ca1d17c7d1fb2ef04ba9b3df3f23e18b0badf303

SHA512
11a840ea7c710ea20c385649259645701d072f9faf6ec4b4775b3e5b9de1346ef9a33274a1d50bbe19a11dfd90cc72ee7eeb966171d8349937c154abbfb94ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemoosyd.exe

Filesize
728KB

MD5
0823e2a8a95787f18100e3787a9a7119

SHA1
80722b14582ba04c21b16e99c007c12c2f7a7f8c

SHA256
f7df463c1949b819ad7e06e9915aab1e368ac50d2e8b766d727e3fd395908c55

SHA512
dbc3b20dfaa00572175b2c527c5ca1798ad744fcb5b175106d41b375526bcad8856b5050fed56b5f631edcc03b235047d51bb8eb6ec2f66c3268f46993bf9a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemqkgex.exe

Filesize
728KB

MD5
33323b474df343489a2719799bfcd430

SHA1
f69a97d9266823a1e42a96f33e20addcc65d0c9b

SHA256
a0f6a8d1bb4d3510ac6abfd762e54bbdb50f82ab676f15064692cf0b6d175ecd

SHA512
b9f12a3646fc38f514ea26028a22bb07d29ab602724b266631e1daca01a1eb2b8fcf424618dc39b59f0101237c7266045fb1f279f9da3ad0d57cbb984b9ae02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemqnysc.exe

Filesize
728KB

MD5
add5c3ee04bdcd880dc1024e078e196f

SHA1
3237051e26e064ffe0a8ae6c391564de91f6c457

SHA256
a530567046da82c865fc1c0702463d47e389c97507d737614b27de64d6860734

SHA512
32ca29c787de8bac00d9aa1876d116fe2843e0d8f6560896dc8119540d21e63bdcb7a3d8cbf1f5a56517e5b6dd174a144a794468256e25cf105938d3e0d7488f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemqyuli.exe

Filesize
728KB

MD5
94283f531cdd918628086c4f7498e750

SHA1
bd81bc56f77785393c06575351ec03897645a052

SHA256
131ea19e797968a82e29da145c7c6f4322049ebdf7becce54da1e981382c6aee

SHA512
72829f78ebd267f91413d10de075a2dbbab9987da14bfc0214c05bffbe5cbe81e10d6f7d974096e1c85a264752ee5a74887f9e73593198eecfd490b0bf77cfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemrfozz.exe

Filesize
728KB

MD5
a3c13463f9ba43c4ecb2819ffb18e373

SHA1
16b6da30018f539255de1e3d3902cc5114f6babc

SHA256
0f82fdec2c00b8f845caf14f9c1b9416854dc64aa4230d5c0e2b2f08a8d2a015

SHA512
9084d8d174b215e59f11842269f12fa3099cadc3a1ba785b11c22f2a6e41966a2d30696bb25292ff478388f069cef0a75f04be24737414f483e02838e39ff8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemttxgq.exe

Filesize
728KB

MD5
9c5f1de30a5ce91dc4d00b014611a89c

SHA1
09b4db3321cfdbea368e7360d92f6a8dd67075fe

SHA256
4d2f2c1ee15bbf1a9736ed1f8203c9fedf34f817b966760fc045d4cff7b02bf7

SHA512
4d44fbd7c0ba976e457574370f0e8a8636f9a343588238a4364a6b057137cca5489ae585569bf1e63ad4d95f8f9f04bfe2e60af0de5a782cf69c63652df8b4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvhduc.exe

Filesize
728KB

MD5
ba56c79b9be6ed48ef30237cf8c461d4

SHA1
4b36cdc5be2aa4bc3fbf4db2765d16b3f034c472

SHA256
c8db862cf89a44b18c50768c14ab5b6576fc998b8fdd5820533febb531e01861

SHA512
c283f7b4f91455c3660f2089df11a186e43b285d15fdd7dbe2c6bf03dcfee23d1c57a4b6988b7a57e62dcd37a83a6b633dafa55b06cab0e0428f95793d07c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemybjco.exe

Filesize
728KB

MD5
054c68fb097d0d75d15548a805fd2618

SHA1
9c4c35416786de61a1b207b8b8c22246e2664412

SHA256
36a2c1ab12b1373810b26e02a2c823b5cf4076fc2c757d01b70fa4dd3a38067e

SHA512
e3cb44b5a17deba4f1cdd533edbd25c72e083ed8d095d2ad80984d7917c4f13f480b90d94e153a28c712e0455e514410fa83c7a1ac788ccfab17e9c0cbc9041c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemycunn.exe

Filesize
728KB

MD5
a0954e19ffc371f823dd7818ce1dd51e

SHA1
32dd3f875ff8742697f489c15241e321717283aa

SHA256
596fd56cc39f0aca5f7898ce9bfdd22e4b4fb315bcb49ec6ab9f81575e78c942

SHA512
f5077cc57f47a14066f6f915ce429d230609a3f31eff15dc4db9c885f7223f5f506642dca07f03654033f1fc740bc0efca9f2b6dd1cc39fd694650523342ef50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemyuvxh.exe

Filesize
728KB

MD5
c7e4e76a6ea8cab9148866163be28567

SHA1
961dcc00a8f376454cf099514fc03aa1310cfd58

SHA256
9fce1b2995a8aa3cb2317dcf32e45fd0b38c8a6d40eee55fe35b726da6b0a07e

SHA512
f7a39c0252e0c4557745f7cd0696b26c8400749adb9286cdb56bc3d1e19eae0ecb652cbf8b0f62547f50a22ac00721ed93d826214fc7d86787978c7067046fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
798f08e365aed680ea5839e65856ed5d

SHA1
2ec00dfd17bf543f8bf1216c0d229ac376444470

SHA256
51d3e73f931bd130001f89cdaa7c15db3b8492eab36792fc9b42a68ca648fd14

SHA512
5b42d30912648b3c2d4d4c5791038b43497b45ee932db72d438be699ce7fad5b44009a99ac042a795742645b6fe8ca66882fcf48fd9f8c6829cc22b7c058a805

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
2c8d739d376ba2eda5a4c204e6d440d9

SHA1
e326e0d3917beb6202b88ea5a1049fc9c3803bf8

SHA256
484bd41d3a9245c5393be760c74f3ecc33914f81b92d4e71c6f1e7b81038dabd

SHA512
d8c136e78c5711af0be23977314df1ba521a1d552de1ef3c9c7906ba00f840a2e5c7fd2db103f352e0f7fdce395dc5b98f94970a96bd7f12d1fd5b3dc56305bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
c64882fa8a187c5ba6e581e7529d9654

SHA1
7c9e276c19b4bb62bc4ffa2c6ee0829fd752c01e

SHA256
c746d5be209eaa75ef0cdb6f65c1cfed211f3104ab625d8b0e0c20b7bb215456

SHA512
ee5c85ead5f8689cbf63d3d24a08232da60de5d5d0e93bd68a6f70937bef542088613c2a8aeecae70807366cf3e351fa0831e7b34bc776072be45ea67e666911

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
1da778e6a9a828942d344ae2aeb69a94

SHA1
89b56392aeebfd31f3fc41667f7c778b0d656fff

SHA256
b4b6d4cd43236b464ff4e31954fa8d05dc378da090b6565d3bc2ec8055674e74

SHA512
bb69c5206bfd06b5c7ba97b6624edc05fed8cee2ba15100dd8af05c9c3eb83302e70d843d6b873e1976d4b25325b3e866a2c9a19e712a63b711d9018b39b2c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
37e1774e17ffa185ec30980ccc85f150

SHA1
2dd43889b41bfedee0359008c7278fd1f765a768

SHA256
28fdd24ecbfdd716f147aaed3195cab87c370026bb0ecf85c6b458cca4ae86fc

SHA512
7092ea12f0865f14be5312598b18d78daec9094b9b792c65f044a1970d51a4f1b5f8891c3ef018a9e8e87ac9628d396a29b1dae9d89c2f542e30d052cd1b7608

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
377452b0139687fe67aff487f3eb2da0

SHA1
a4901462e8c78786de12d6a3894255197d9937a5

SHA256
94af32418e80beca1ac1bbaf6e9d817df572f862ce02370692c75a2c3f7b8982

SHA512
b6e01f73a2164e4708e0497ab1e3ea93b2e7ed9d30183aa92f30e36c54bf99a440d1c61c2b19005a8e1d64c0df013c3a43afccde70ca90cf8c74e1f133f593fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
56655c6a167d926e946b93090b53c351

SHA1
7fdc4edbfc77b1294fe63c99e43e3d210476b2e7

SHA256
72191cf857c5c996280a277473d1104cfdee39bedab70a81b10f9d7cde51c8e5

SHA512
9da9c17405a642908a8b0ba3136361c718ae363a37544f8346fb308deaa4d39ab05dd2e85b44e32906a90600ab8fac10c397bd64b7bb74c0d540dee930406366

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
e618fef66015033a0f96a578933b7921

SHA1
8fdb547d6807b052fddca598cd85cc1b2822a17c

SHA256
f3c2bd9c3be9ccdb2e3ca4d22e1ed3b452fb2e341278dc5fe92c02d4a9f9011e

SHA512
bec109ed498333a0fd9274280e4355c3304540d98ef5ef88214a763a7dfda05ba40f3f018ac461e757248a82980434139ac47beda15ab82a9717f006b84aa1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
4f3e8ea48200528e3c12569f3c3fd34f

SHA1
2fb5133133b495cce650365d1d8dad90f33ef359

SHA256
b7331202544d1cec3db0053448e2ed773f9829a934aad4c72a0f4d4e88492b8f

SHA512
2fc56777b0295c7f8820b55a744b0897e75a0b550f09566b540d6148cdc52c9a2c96eedb240f6a6985307634b95ed18b6949c846dd27d39d6d11c40ebc2e6dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
548bb3c9df142b414cbb9427e268e3d5

SHA1
4201d60b23be73760b9fb7d77468cbd59627e9e9

SHA256
84fe974ad6944f7935fad90ca78f7e64a1fc15ecff772359a2aa932654eeba13

SHA512
17af7fdf8263cdb9328d67fd6dabb53ac32bdf41f5c1165a29b28608025d56e69bc1b2b752e3e975ee6cc36cf7d54aebfce885e634f6b13b311800526c4dc15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
7309bd28f057ae1368e31f37264afbe3

SHA1
e88e7368bbdadfe28605927286a78c8a7d346915

SHA256
6c834536906af2cb0fed7f4b5ba51ee7450821098860f17596808c33054cf104

SHA512
b8dc517c006e6938805bc8289f296b5fd52953c23f6cfe5faf2f339c687a35ce44c5cbd25750a108a797e5d7787abde89411c760e03e61d705690ee2b79b390f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
60fbe5f34ed709cff24b0f655e30a5bd

SHA1
26d883318ca728bfdde28dac49e9894ae9c338a8

SHA256
bfb994bac14f952c1ee98ad1ba69e32322d6eab967e77632c94cad86c1c1ccc4

SHA512
1b57da7e572397eda320649df29668fad1d22595246d6719d60e630bc339a88dbb6ba1dce60a98decc55a13760ce7799eada214734c26307137f0756c7425a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
13c67dc037696d50eabef99c4ff77ece

SHA1
678df0ba314557dc1706d69c6159d9b54d17f3f6

SHA256
eec149c7d752488f9ad44d220f138c051a1618de5edd170c9cc51671f735dca6

SHA512
995259f6c51c69eea02af38afa49a0531a17a0520dd544252855392b3ba1675687ab71f899473f7a558a4df200d90344e0cfc0c4a3f1a3829ef962e302ceda46

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
0a4d883e40c1e438c272134fa494c66a

SHA1
f192bfd547f7a9857c05df4b0d2279b3d58cd1bf

SHA256
eb3c1d758d07ba74f3da538b4865bef31f5d68902f1b4b2144f7c9e47d894d50

SHA512
2e61f88e55eae6ef18b07ccfe1e4a8fe703467d43e57c4680b6d37c3ff0983498c15a36ac628720c7d97ff628a01fea7f191e7b75c8e839f839986921cc67410

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
c9669266eb280b3c3f6c70af0fcfe4c7

SHA1
5586cdbb5c248b87969be790c0f4794e9f74e060

SHA256
600f7e578bf5190bd8e7e2c7732ddcafc5d209773b26f76737648bde9f8f2b30

SHA512
105e99134ca451146c8737a5114495a97dcdb552a918e69efbc899b067650d023e2a7ab3f1b0883d644c785adb5e8fc5f5e7e8c13d7ef2068d813fc73c648400

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
278743c6264e736e4eb9bed3870ed642

SHA1
8a44f2940382f906bc8c534b00eaac0fabb45d66

SHA256
5e388db50390408d8f6128a5ba51c917e3f9e0579488deff4817ddc0d1165d7a

SHA512
429e3bc4af2c6d35b95fca05edeafb7bce33386696fb0cb1c6d61a31ae4f663b374a28ac9c75405a10b327e112124d4833a5e7a4cd50182820f44edb8b997ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
4258fa8bcdbca058a7b9e8d59f97ba7f

SHA1
1d57debc932929045a34935291027291cb7a467a

SHA256
aa6dcfb87cd58232a7c06bef3d491e5bf9e8be6d2cba22bcbb78ded636b74d05

SHA512
63cef190669dd96a8af4dac40314232772285a49686e8d61319b092993fb847eb3728b35c6f1bf84e1d36843efbbe1f56718067a350ec9fe0fab51a0a9580372

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
b8045665ac7a8fa97f8243077c35a0ee

SHA1
c04dcfae1f0c8ed28d65669bc9c237974d95a421

SHA256
8e318753eacc9932f4d144a0634fdc73159f1c9defd7a9665732679d7713b5db

SHA512
c469a5cc7b0a70e0023fbd2af4093bac141fff8299fb405412b4005c723949eb1a2896849ecf78565cc809bfb1e9a7d71c9603d04126cc4dde13224b76953d09

Download Submit