a28c9804fbaed750b207223af9a870b018e576b71c39843ae49fc3da54932e39

Analysis

max time kernel
134s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f9f943e754e5a84ded793c7f846a6d20.exe
Size

101KB
MD5

f9f943e754e5a84ded793c7f846a6d20
SHA1

643e4007f4ec16c57b7b6ed49860b20dff1aea81
SHA256

a28c9804fbaed750b207223af9a870b018e576b71c39843ae49fc3da54932e39
SHA512

883f4979b0042f23a02f82562a67509e7e43895f83f1592256e55e939f9b21fe27e012a50f637d95de6773d38d9b6751d005f7e23267d986cfcf2377147dec59
SSDEEP

1536:AYjIyeC1eUfKjkhBYJ7mTCbqODiC1ZsyHZK0FjlqsS5eHyG9LU3YG8nC:ZdEUfKj8BYbDiC1ZTK7sxtLUIGJ

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemrsgeu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqembmyke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemlpooy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemuiftx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemsdhan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqembigrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemkvxva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemibibx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemmbpog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemuaeyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemlllml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemcwgts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemhcohb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemeyjoj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemycpta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemzgbsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemgwkkg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemucmbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemjmkbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemqxotm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemvdljv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemkadup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemypmwx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemfriyt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemnddsh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemjsncy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemrfiwi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemnenlj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemlewdh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemsnnzw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqempfdcx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemhmptd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemwfarz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemkfanf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemaxhzj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemxlgwj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemfjrqn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemlfcsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemfdnqz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemuotyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemnkwuo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemjngdz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemgsdpv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemkbtyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemtzmxf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemsalda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemvcqgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemyhhbv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemngera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemezgpy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemqlwza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemzumfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemlpxcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemkttqh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemyvlcw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemlqtuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemfzzaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemqrbbu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemcrvvy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemrkcod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemlhjyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemqodku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemarsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Sysqemmtllx.exe

Executes dropped EXE 64 IoCs

pid	Process
4860	Sysqemgksiz.exe
2512	Sysqemgofth.exe
720	Sysqemlpooy.exe
3732	Sysqemlpxcj.exe
4112	Sysqemgdfre.exe
432	Sysqemgsdpv.exe
4140	Sysqemvqkxo.exe
4764	Sysqemarsse.exe
4756	Sysqemyzefl.exe
4172	Sysqemnenlj.exe
4584	Sysqemdbwyh.exe
3040	Sysqemlrswn.exe
3568	Sysqemaobjl.exe
1708	Sysqemidyoj.exe
1892	Sysqemsddrn.exe
4548	Sysqemqlwza.exe
4596	Sysqemawmph.exe
4120	Sysqemvngsw.exe
4544	Sysqemiwmvz.exe
4068	Sysqemlgets.exe
4248	Sysqemnjhqe.exe
588	Sysqemsalda.exe
4348	Sysqemvcqgy.exe
3792	Sysqemngera.exe
1528	Sysqemlllml.exe
4588	Sysqemaxhzj.exe
5068	Sysqemsxkxi.exe
4172	Sysqemfzzaf.exe
5108	Sysqemndksi.exe
1376	Sysqemfdnqz.exe
220	Sysqemkasyn.exe
700	Sysqemkttqh.exe
4576	Sysqemxrxyj.exe
1088	Sysqemupwyc.exe
3000	Sysqemqrbbu.exe
444	Sysqemdtqwr.exe
876	Sysqemcigci.exe
4932	Sysqemsrauj.exe
1920	Sysqemkfanf.exe
3108	Sysqemsgznl.exe
1368	Sysqemumfpb.exe
4336	Sysqemnafix.exe
4416	Sysqemuqcgd.exe
4588	Sysqemxlgwj.exe
1048	Sysqemkolzb.exe
4060	Sysqemucmbd.exe
2684	Sysqemkshpv.exe
5088	Sysqemxxaxv.exe
5100	Sysqemmcbcb.exe
2568	Sysqemslskv.exe
3192	Sysqemncmns.exe
4644	Sysqemuotyb.exe
4516	Sysqemxgngq.exe
3792	Sysqemnkwuo.exe
2804	Sysqemkadup.exe
3744	Sysqempuxxs.exe
3136	Sysqemrtmsb.exe
2952	Sysqemulfvn.exe
3204	Sysqemxrtxd.exe
1092	Sysqemsxknp.exe
4764	Sysqempvhox.exe
4752	Sysqemflcbp.exe
964	Sysqempotzw.exe
4740	Sysqemrviuf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2072-0-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-6.dat	upx
behavioral2/files/0x0008000000023c85-41.dat	upx
behavioral2/files/0x0007000000023c8b-71.dat	upx
behavioral2/files/0x0008000000023c86-106.dat	upx
behavioral2/files/0x0007000000023c8d-141.dat	upx
behavioral2/files/0x0007000000023c8e-176.dat	upx
behavioral2/memory/2072-206-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-212.dat	upx
behavioral2/memory/4860-242-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-248.dat	upx
behavioral2/memory/2512-279-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/720-282-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-287.dat	upx
behavioral2/memory/3732-318-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-324.dat	upx
behavioral2/memory/4112-336-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/432-357-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-363.dat	upx
behavioral2/files/0x0007000000023c95-398.dat	upx
behavioral2/memory/4140-429-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-436.dat	upx
behavioral2/memory/4764-466-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-472.dat	upx
behavioral2/memory/4756-479-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-509.dat	upx
behavioral2/memory/4172-511-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-545.dat	upx
behavioral2/memory/4584-576-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-582.dat	upx
behavioral2/memory/3040-593-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-619.dat	upx
behavioral2/memory/4596-621-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-655.dat	upx
behavioral2/memory/3568-684-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1708-718-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1892-784-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4548-786-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4596-819-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4120-825-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4544-855-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4068-889-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4248-926-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4588-928-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/588-957-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4348-991-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3792-1004-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1528-1059-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4588-1098-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5068-1135-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4172-1193-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5108-1200-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1376-1229-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/220-1263-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/700-1297-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4576-1331-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1088-1397-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3108-1403-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3000-1432-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/444-1466-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/876-1476-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4932-1501-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1920-1508-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3108-1537-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemxrxyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemguoll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemaromd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvltse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemdtqwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemcrvvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemmlhfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgwkkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemrfiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemumfpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvdljv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvyhcy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemuiftx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemldzgw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlrswn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemjmkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlrtru.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqempigcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemmqjjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemeyjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgsdpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemarsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvcqgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemupwyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemqddsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemxqdzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemuaeyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemslskv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlglrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemyzefl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemsxkxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemncmns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemnkwuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemouqyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgtcua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemqxotm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqembmyke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemhdjig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqempotzw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemthaia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemvkigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemauaik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemhyizz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemuqcgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemxlgwj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqempppbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemqodku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemkmgbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemkttqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemkshpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlhjyq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqempvhox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemgetqt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemkolzb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemzztma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemuxgyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemlconc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemmifnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemtppjx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemtfzdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemzzktf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemnliac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemortvh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysqemsgznl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemibibx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfutia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemeyjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemycpta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemaximt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxqdzt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhjylc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtzmxf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvcqgy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemndksi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuiftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembmyke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyzefl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemdtqwr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlqtuw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmtllx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcwgts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemortvh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwszlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyeyac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemccuud.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkfanf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlbnkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuaeyk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrxand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgdfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlllml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempotzw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkvxva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlfcsi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjngdz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsyfoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmifnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlgets.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembigrs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqxotm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlclah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemutpjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvdljv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgjmyy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfzzaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxxaxv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhhqsg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemmbpog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxrxyj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuotyb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyvlcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsxvkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfdnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjplac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemumfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgczrh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemezgpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlpooy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxgngq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcrvvy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzlkaz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrsgeu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemoednn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempjztr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsxkxi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkleej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrviuf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvlotk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4860	2072	JaffaCakes118_f9f943e754e5a84ded793c7f846a6d20.exe	83
PID 2072 wrote to memory of 4860	2072	JaffaCakes118_f9f943e754e5a84ded793c7f846a6d20.exe	83
PID 2072 wrote to memory of 4860	2072	JaffaCakes118_f9f943e754e5a84ded793c7f846a6d20.exe	83
PID 4860 wrote to memory of 2512	4860	Sysqemgksiz.exe	84
PID 4860 wrote to memory of 2512	4860	Sysqemgksiz.exe	84
PID 4860 wrote to memory of 2512	4860	Sysqemgksiz.exe	84
PID 2512 wrote to memory of 720	2512	Sysqemgofth.exe	85
PID 2512 wrote to memory of 720	2512	Sysqemgofth.exe	85
PID 2512 wrote to memory of 720	2512	Sysqemgofth.exe	85
PID 720 wrote to memory of 3732	720	Sysqemlpooy.exe	86
PID 720 wrote to memory of 3732	720	Sysqemlpooy.exe	86
PID 720 wrote to memory of 3732	720	Sysqemlpooy.exe	86
PID 3732 wrote to memory of 4112	3732	Sysqemlpxcj.exe	87
PID 3732 wrote to memory of 4112	3732	Sysqemlpxcj.exe	87
PID 3732 wrote to memory of 4112	3732	Sysqemlpxcj.exe	87
PID 4112 wrote to memory of 432	4112	Sysqemgdfre.exe	88
PID 4112 wrote to memory of 432	4112	Sysqemgdfre.exe	88
PID 4112 wrote to memory of 432	4112	Sysqemgdfre.exe	88
PID 432 wrote to memory of 4140	432	Sysqemgsdpv.exe	90
PID 432 wrote to memory of 4140	432	Sysqemgsdpv.exe	90
PID 432 wrote to memory of 4140	432	Sysqemgsdpv.exe	90
PID 4140 wrote to memory of 4764	4140	Sysqemvqkxo.exe	91
PID 4140 wrote to memory of 4764	4140	Sysqemvqkxo.exe	91
PID 4140 wrote to memory of 4764	4140	Sysqemvqkxo.exe	91
PID 4764 wrote to memory of 4756	4764	Sysqemarsse.exe	92
PID 4764 wrote to memory of 4756	4764	Sysqemarsse.exe	92
PID 4764 wrote to memory of 4756	4764	Sysqemarsse.exe	92
PID 4756 wrote to memory of 4172	4756	Sysqemyzefl.exe	93
PID 4756 wrote to memory of 4172	4756	Sysqemyzefl.exe	93
PID 4756 wrote to memory of 4172	4756	Sysqemyzefl.exe	93
PID 4172 wrote to memory of 4584	4172	Sysqemnenlj.exe	94
PID 4172 wrote to memory of 4584	4172	Sysqemnenlj.exe	94
PID 4172 wrote to memory of 4584	4172	Sysqemnenlj.exe	94
PID 4584 wrote to memory of 3040	4584	Sysqemdbwyh.exe	95
PID 4584 wrote to memory of 3040	4584	Sysqemdbwyh.exe	95
PID 4584 wrote to memory of 3040	4584	Sysqemdbwyh.exe	95
PID 3040 wrote to memory of 3568	3040	Sysqemlrswn.exe	96
PID 3040 wrote to memory of 3568	3040	Sysqemlrswn.exe	96
PID 3040 wrote to memory of 3568	3040	Sysqemlrswn.exe	96
PID 3568 wrote to memory of 1708	3568	Sysqemaobjl.exe	97
PID 3568 wrote to memory of 1708	3568	Sysqemaobjl.exe	97
PID 3568 wrote to memory of 1708	3568	Sysqemaobjl.exe	97
PID 1708 wrote to memory of 1892	1708	Sysqemidyoj.exe	98
PID 1708 wrote to memory of 1892	1708	Sysqemidyoj.exe	98
PID 1708 wrote to memory of 1892	1708	Sysqemidyoj.exe	98
PID 1892 wrote to memory of 4548	1892	Sysqemsddrn.exe	101
PID 1892 wrote to memory of 4548	1892	Sysqemsddrn.exe	101
PID 1892 wrote to memory of 4548	1892	Sysqemsddrn.exe	101
PID 4548 wrote to memory of 4596	4548	Sysqemqlwza.exe	102
PID 4548 wrote to memory of 4596	4548	Sysqemqlwza.exe	102
PID 4548 wrote to memory of 4596	4548	Sysqemqlwza.exe	102
PID 4596 wrote to memory of 4120	4596	Sysqemawmph.exe	106
PID 4596 wrote to memory of 4120	4596	Sysqemawmph.exe	106
PID 4596 wrote to memory of 4120	4596	Sysqemawmph.exe	106
PID 4120 wrote to memory of 4544	4120	Sysqemvngsw.exe	107
PID 4120 wrote to memory of 4544	4120	Sysqemvngsw.exe	107
PID 4120 wrote to memory of 4544	4120	Sysqemvngsw.exe	107
PID 4544 wrote to memory of 4068	4544	Sysqemiwmvz.exe	108
PID 4544 wrote to memory of 4068	4544	Sysqemiwmvz.exe	108
PID 4544 wrote to memory of 4068	4544	Sysqemiwmvz.exe	108
PID 4068 wrote to memory of 4248	4068	Sysqemlgets.exe	109
PID 4068 wrote to memory of 4248	4068	Sysqemlgets.exe	109
PID 4068 wrote to memory of 4248	4068	Sysqemlgets.exe	109
PID 4248 wrote to memory of 588	4248	Sysqemnjhqe.exe	110

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f943e754e5a84ded793c7f846a6d20.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f943e754e5a84ded793c7f846a6d20.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\Sysqemgksiz.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysqemgksiz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\Sysqemgofth.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysqemgofth.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\Sysqemlpooy.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysqemlpooy.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Users\Admin\AppData\Local\Temp\Sysqemlpxcj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlpxcj.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\Sysqemgdfre.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgdfre.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgsdpv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgsdpv.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvqkxo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvqkxo.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemarsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemarsse.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyzefl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyzefl.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnenlj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnenlj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdbwyh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdbwyh.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlrswn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlrswn.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaobjl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaobjl.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemidyoj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemidyoj.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsddrn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsddrn.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqlwza.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqlwza.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemawmph.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemawmph.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvngsw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvngsw.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiwmvz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiwmvz.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlgets.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlgets.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnjhqe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnjhqe.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsalda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsalda.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvcqgy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvcqgy.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemngera.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemngera.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlllml.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlllml.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaxhzj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaxhzj.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsxkxi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsxkxi.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfzzaf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfzzaf.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemndksi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemndksi.exe"
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfdnqz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfdnqz.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkasyn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkasyn.exe"
        32⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkttqh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkttqh.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxrxyj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxrxyj.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemupwyc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemupwyc.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqrbbu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqrbbu.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdtqwr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdtqwr.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcigci.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcigci.exe"
        38⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsrauj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsrauj.exe"
        39⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkfanf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkfanf.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsgznl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsgznl.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemumfpb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemumfpb.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnafix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnafix.exe"
        43⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuqcgd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuqcgd.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxlgwj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxlgwj.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkolzb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkolzb.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemucmbd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemucmbd.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkshpv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkshpv.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxxaxv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxxaxv.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmcbcb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmcbcb.exe"
        50⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemslskv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemslskv.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemncmns.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemncmns.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuotyb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuotyb.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemriptr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemriptr.exe"
        54⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxgngq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxgngq.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnkwuo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnkwuo.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkadup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkadup.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempuxxs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempuxxs.exe"
        58⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrtmsb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrtmsb.exe"
        59⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemulfvn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemulfvn.exe"
        60⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxrtxd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxrtxd.exe"
        61⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsxknp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsxknp.exe"
        62⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempvhox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempvhox.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemflcbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemflcbp.exe"
        64⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempotzw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempotzw.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrviuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrviuf.exe"
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzztma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzztma.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhhqsg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhhqsg.exe"
        68⤵
        Modifies registry class
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcrvvy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcrvvy.exe"
        69⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmtllx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmtllx.exe"
        70⤵
        Checks computer location settings
        Modifies registry class
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempppbd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempppbd.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeivty.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeivty.exe"
        72⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrkcod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrkcod.exe"
        73⤵
        Checks computer location settings
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmqtwk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmqtwk.exe"
        74⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemglymk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemglymk.exe"
        75⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrsmpo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrsmpo.exe"
        76⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjplac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjplac.exe"
        77⤵
        Modifies registry class
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemortvh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemortvh.exe"
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeyfqz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeyfqz.exe"
        79⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemthaia.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemthaia.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemouqyn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemouqyn.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjmkbk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjmkbk.exe"
        82⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrfkms.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrfkms.exe"
        83⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgypmo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgypmo.exe"
        84⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemezbfv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemezbfv.exe"
        85⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjxhau.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjxhau.exe"
        86⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzgbsv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzgbsv.exe"
        87⤵
        Checks computer location settings
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjngdz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjngdz.exe"
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwszlz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwszlz.exe"
        89⤵
        Modifies registry class
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuxgyk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuxgyk.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembigrs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembigrs.exe"
        91⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlqtuw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlqtuw.exe"
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyvlcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyvlcw.exe"
        93⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemirlms.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemirlms.exe"
        94⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyhyil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyhyil.exe"
        95⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzlkaz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzlkaz.exe"
        96⤵
        Modifies registry class
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlconc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlconc.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgetqt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgetqt.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyhhbv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyhhbv.exe"
        99⤵
        Checks computer location settings
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlglrp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlglrp.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrsgeu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrsgeu.exe"
        101⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwfarz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwfarz.exe"
        102⤵
        Checks computer location settings
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgtcua.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgtcua.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyqcfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyqcfx.exe"
        104⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemojafs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemojafs.exe"
        105⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemguoll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemguoll.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlhjyq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlhjyq.exe"
        107⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqxotm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqxotm.exe"
        108⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvkigj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvkigj.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgczrh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgczrh.exe"
        110⤵
        Modifies registry class
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemygmcq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemygmcq.exe"
        111⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemabykw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemabykw.exe"
        112⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemauaik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemauaik.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlbnkg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlbnkg.exe"
        114⤵
        Modifies registry class
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtfzdj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtfzdj.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvlotk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvlotk.exe"
        116⤵
        Modifies registry class
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemanxgu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemanxgu.exe"
        117⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoaqkm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoaqkm.exe"
        118⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqodku.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqodku.exe"
        119⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlclah.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlclah.exe"
        120⤵
        Modifies registry class
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyspib.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyspib.exe"
        121⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqddsd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqddsd.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkvxva.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkvxva.exe"
        123⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvukyw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvukyw.exe"
        124⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemypmwx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemypmwx.exe"
        125⤵
        Checks computer location settings
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlrtru.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlrtru.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvyhcy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvyhcy.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfnifa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfnifa.exe"
        128⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemslmnu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemslmnu.exe"
        129⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemshzyl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemshzyl.exe"
        130⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfcstc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfcstc.exe"
        131⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfriyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfriyt.exe"
        132⤵
        Checks computer location settings
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfjrqn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfjrqn.exe"
        133⤵
        Checks computer location settings
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemibibx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemibibx.exe"
        134⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaximt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaximt.exe"
        135⤵
        Modifies registry class
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdtmua.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdtmua.exe"
        136⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnddsh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnddsh.exe"
        137⤵
        Checks computer location settings
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhyizz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhyizz.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsxvkd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsxvkd.exe"
        139⤵
        Modifies registry class
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhceqb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhceqb.exe"
        140⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhfqip.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhfqip.exe"
        141⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsyfoi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsyfoi.exe"
        142⤵
        Modifies registry class
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkbtyk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkbtyk.exe"
        143⤵
        Checks computer location settings
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaromd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaromd.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqlmmy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqlmmy.exe"
        145⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcuhzb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcuhzb.exe"
        146⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsnnzw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsnnzw.exe"
        147⤵
        Checks computer location settings
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcrpxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcrpxx.exe"
        148⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhhnxf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhhnxf.exe"
        149⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxatqa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxatqa.exe"
        150⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfutia.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfutia.exe"
        151⤵
        Modifies registry class
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmbpog.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmbpog.exe"
        152⤵
        Checks computer location settings
        Modifies registry class
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemshnbf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemshnbf.exe"
        153⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempigcn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempigcn.exe"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxqdzt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxqdzt.exe"
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcojaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcojaa.exe"
        156⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempfdcx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempfdcx.exe"
        157⤵
        Checks computer location settings
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcwgts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcwgts.exe"
        158⤵
        Checks computer location settings
        Modifies registry class
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempjztr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempjztr.exe"
        159⤵
        Modifies registry class
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkleej.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkleej.exe"
        160⤵
        Modifies registry class
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkmgbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkmgbp.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhcohb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhcohb.exe"
        162⤵
        Checks computer location settings
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuedcy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuedcy.exe"
        163⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmlhfj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmlhfj.exe"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhdjig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhdjig.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzumfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzumfx.exe"
        166⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmifnf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmifnf.exe"
        167⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuiftx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuiftx.exe"
        168⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzzktf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzzktf.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemutpjf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemutpjf.exe"
        170⤵
        Modifies registry class
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzgsxk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzgsxk.exe"
        171⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemccuud.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemccuud.exe"
        172⤵
        Modifies registry class
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkofng.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkofng.exe"
        173⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoednn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoednn.exe"
        174⤵
        Modifies registry class
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeyjoj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeyjoj.exe"
        175⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoiadp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoiadp.exe"
        176⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhmptd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhmptd.exe"
        177⤵
        Checks computer location settings
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwfvuy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwfvuy.exe"
        178⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjsncy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjsncy.exe"
        179⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembhfmu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembhfmu.exe"
        180⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemezgpy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemezgpy.exe"
        181⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhjylc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhjylc.exe"
        182⤵
        Modifies registry class
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrxand.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrxand.exe"
        183⤵
        Modifies registry class
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuaeyk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuaeyk.exe"
        184⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmdabd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmdabd.exe"
        185⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrfiwi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrfiwi.exe"
        186⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrnjju.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrnjju.exe"
        187⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrftha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrftha.exe"
        188⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembmyke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembmyke.exe"
        189⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemewznh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemewznh.exe"
        190⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlewdh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlewdh.exe"
        191⤵
        Checks computer location settings
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmqjjh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmqjjh.exe"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembqebi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembqebi.exe"
        193⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeftrj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeftrj.exe"
        194⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtfgkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtfgkk.exe"
        195⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlbfcg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlbfcg.exe"
        196⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgwkkg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgwkkg.exe"
        197⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlfcsi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlfcsi.exe"
        198⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyeyac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyeyac.exe"
        199⤵
        Modifies registry class
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyalll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyalll.exe"
        200⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemldzgw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemldzgw.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemojoxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemojoxx.exe"
        202⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtzmxf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtzmxf.exe"
        203⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsdhan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsdhan.exe"
        204⤵
        Checks computer location settings
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemngnvz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemngnvz.exe"
        205⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemycpta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemycpta.exe"
        206⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgjmyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgjmyy.exe"
        207⤵
        Modifies registry class
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvdljv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvdljv.exe"
        208⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtppjx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtppjx.exe"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvltse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvltse.exe"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemivcau.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemivcau.exe"
        211⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnliac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnliac.exe"
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfdryi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfdryi.exe"
        213⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvicrr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvicrr.exe"
        214⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvbepf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvbepf.exe"
        215⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaoyck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaoyck.exe"
        216⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtnkfu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtnkfu.exe"
        217⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvjovb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvjovb.exe"
        218⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvnkyj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvnkyj.exe"
        219⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemshgyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemshgyt.exe"
        220⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempiara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempiara.exe"
        221⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtleuz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtleuz.exe"
        222⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxbkug.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxbkug.exe"
        223⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemncvvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemncvvw.exe"
        224⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxjixs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxjixs.exe"
        225⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiqwoh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiqwoh.exe"
        226⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcppgq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcppgq.exe"
        227⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsiwmx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsiwmx.exe"
        228⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkxxcy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkxxcy.exe"
        229⤵
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysqamqqvaqqd.exe

Filesize
101KB

MD5
dd7e42b49fcc88ff20213eb5f93d19ed

SHA1
5cb8c04cc441a6d362761881c3ddcbce5bf453bd

SHA256
30e5448421a344af2b7daf13e120fe22ab3a4a48d28be9996d37a1da83cdca58

SHA512
083b6136f648782f46923a490c725b9e6047dd45c1495ddadcca363b9d206e45bbec5309947b112a19869b0a8d26245f6a2fbbeea61970d57f52b9267beea794

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemaobjl.exe

Filesize
101KB

MD5
d2e1d6ba7551c92c30109614c7225ea3

SHA1
bcbdf27dfd6674d3785f1bb6f8b61e6b622efd24

SHA256
376f3954c9b91d317dcab8d9543b3986442283fcb027c3f9f6728ee23b56a387

SHA512
11324330228b5459937bc2e5abda844a02f9c77dcb514e44a5c74c5bef2cdafdfe88be72f74712219841e09f46b6488adda9f7edbfaca49f650f2c47e0aa16f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemarsse.exe

Filesize
101KB

MD5
0be2b97d8d8b49fd68c0d99966efa112

SHA1
f222ea52c9c151809b401791c7e3c96c4396fabe

SHA256
95387873e8e7afe576c3f1e4d91bfbd216a5f304ea2781803b9434cafceb0a19

SHA512
450a4d284ad12933a6eda154064de00501b1d470f854d9498bba8e7a57c9960dee4b2cc35f3a2c250d2c81c0009e2e4d23cc3440e2f64444e876cdce018a7f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemawmph.exe

Filesize
101KB

MD5
7d138b44095e52bbfb6b5b4a20dc516b

SHA1
df14e9b40a46af934cec671203e9e646c9787fc3

SHA256
8bc6687b473f80f238a43794b3f5cbb39ea62421b23734027a843695a24ed040

SHA512
887e78171553bfb22ba5a7171a97d6bab8b18f9a5f99675a05d867ecfe3d9914621f6375e1b8bec424e54d153ee880d6e477e25a823e3260948fe638280f4fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemdbwyh.exe

Filesize
101KB

MD5
34466a601d585ea6b5fe23e7dddc459e

SHA1
807f47d0829d2b4339d1e5812f449a09a89c30b8

SHA256
6df81dbc2181305a965470fed5e676ef491caeae18b13547d7d6bfc66fd54b55

SHA512
36b8fae79a0c937de3fc1b50a0e8aac2c4a299dbdbd940a8a8642b0e9c15a99f0a7e2a186bf183c5961fdd93bae0e210876c0642be83a3c98c7d0172a501156d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgdfre.exe

Filesize
101KB

MD5
4cc097f0a7fa8aac3a90c3bb8637800d

SHA1
c1d5b96f3421597e607aabbd0c33f33af483c87c

SHA256
501330edf4c0ae01a7cc64d38f06b0860fc1dafcb006b2a2daddc7d7eb789193

SHA512
564c724adebfa2ec207737542ca28864997661a0df0dc28ee8833dda3d1c5d308c87c71d9b8f424a020437a426fa1b3b78aea0093e3b8d9750a6284827db74f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgksiz.exe

Filesize
101KB

MD5
b7f319dd92ef2b470998fedbf84b1078

SHA1
12d5615c8594a0d8fc94d89861c2909bb2c6c8a4

SHA256
098164c8a2166d1d2eab6c07452424fe61abbcfdcd02d1d3b830c21a0983ea94

SHA512
64e95ccb9dead355e7993330d442ab86c938727cb514c85e53c1c30d977416b788af82dee42845c8f04390540bbea8fe0710df240d73b07bde08a121fed7756d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgofth.exe

Filesize
101KB

MD5
cdef6ba0df5d862a8fab530b3bc1c99d

SHA1
baa6efea638f618606323c3556332841bf380034

SHA256
ec72acafb555c4c719a4d5810f0f8fe9dcdc1c0f4952ece262f74537c4ad7c80

SHA512
54dec179d8484de88d1045dc71b2fc6d58f2444727a73c227b899b6b5fb8aff20704a38c7f27e1e2814bdd7712a59c6eb40afc88a9029362cbdcd654756451eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemgsdpv.exe

Filesize
101KB

MD5
b768da905ae1e04a553f8919c571acc3

SHA1
75aa52461d144fd162022991c4078e2940b76f21

SHA256
dab642990b526d7c603d54d14b373cbbf3d6e2a57cec77ef917b40a5fafca700

SHA512
85108c03c1b4e4e037fa9639a604fa7685f50ae8cfa048c0a9f513ff96f710b2f07407516a69d5b0f7db165a55a18b917863f65ce2a54d1336dc5c03e52e5a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemidyoj.exe

Filesize
101KB

MD5
49c2ac5df9e4aace681ebc5750265216

SHA1
bed76375e5391eefa416bb6a46fd2545eaa7722a

SHA256
261214ed25b6b02d3c1067ef4b58d1aaf4f78ee86c7d6e62e433e421b51409e9

SHA512
324ae0256c02251ff274578b33e431685df9d43c2b230a0ffad19e0999625ac35ddba3aed0133ace1f44531ce53bb7726b04ede889efd505af451889b353defe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlpooy.exe

Filesize
101KB

MD5
03ca067afd16352ebc68b99e23de32a1

SHA1
80234348d44852474c4d83ecdc718a87a7b0e15c

SHA256
77095f886cff7d021cafffdaa18424481b250194c4eb7b53efce440ff242ba88

SHA512
e227302e71fc165fab0571e686cfaf2555ee8ad5ab9da84fab858f0e7a77221be15122257eb215e48d18cc768fd3105a40d9e74d3e099a8efd451a1599ea81f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlpxcj.exe

Filesize
101KB

MD5
b23051bcdcfcd9c412bf44d56bc6255f

SHA1
f0934c11c6201103972e29a98b16afd3e8c7f0a1

SHA256
3dcac62148e49b6a0b61c08266ed964d4089d97318fc10c597f45d1add0c36ed

SHA512
fc195023e1c0d305b3d0ec492b43b867c66cb1cd7f4aabea26e2bf3529fac70c24445e94574b486caecef32a1de4fcbfd1dc6c4d7571fa78ba77ac74691859e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlrswn.exe

Filesize
101KB

MD5
6a6c04ad63efe3ed01697f9c8673c62f

SHA1
8e5ead000731fc245c7c9b7f21a8af695f77e875

SHA256
1d8de57cbdf23cb9f4f747ed3f0d8df86c3e843d88b468593fb6965d8c2906e8

SHA512
b2bc2814b31f1ec77ef38c06b0a5e80cc44e9c2d5f12c7993870d6e994c113f4fc9fedd1bb5e8ef278a3b3b00cf4acd7002afaa25588fad9cbfa72d13339107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemnenlj.exe

Filesize
101KB

MD5
59ac2c1f49b72c121c6210256e78d39f

SHA1
0a370fb97a1e42fe81d3e319a9d8daa0690b1c3e

SHA256
091f3d8da0ef8317ff352d629576869cd30cb41632901a15097ec8c5ba8bfebe

SHA512
6ef66ce3ea7f7edd2780a038e2b54d9c4782c15d7242dd4cf312043f8940859c267d13bdbc51ac367f84767ff7fe39a2f09b1c893ed345bd555b987ad2b38cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemqlwza.exe

Filesize
101KB

MD5
c00775b47875c0ff40ea2abcec56922e

SHA1
cf8fdad06bae345a39a633ba54ad18bb1db146e1

SHA256
93cc812d2ad166d0ef9bbeba683be7137acce23d523ec0ba0c1e613975a7ff0f

SHA512
4cea26695677ee054a8be8b19427fe06c69f188de1d1b9b7f4190890ab5e0ba9c26cbc4155670b5939ca277736667ef4b3767f1c89c86c65cd2d518696cf64fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemsddrn.exe

Filesize
101KB

MD5
bdf2daf58d1b579a34492c7026a5d260

SHA1
31df2477f7721f39ce4b1067c1db0d3e9dd3fe71

SHA256
278f27651d561ee5798c2739f9ddfafc3ad39b51ee440e3f0de2d1199ffb1402

SHA512
24cf56534011d08e70a75241080ec446ba079accd47a4a97615a4043e3119fbf401445f3049e7771f466b13405bcf868f0c3314eab433f5021c1471800ac21a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvngsw.exe

Filesize
101KB

MD5
83d42c7b2ab36e99258adacc9ecd8623

SHA1
4fe78d15bdbb8d72e60a4edfe74ab6b0073435ae

SHA256
587b4ef81eedaed17cf33f991066e406eddc7affa1ed1fae5f2f2ff5a990c423

SHA512
3f2689d3dc5dba20652bbfa05ffc294bc3e07bee6ebc1463fffbe6ae558641350e6a728a75b350e44a5be7345fc787738a86f536a804b8f06298a11dabcfe003

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvqkxo.exe

Filesize
101KB

MD5
af0da3fbea02a1e64c38d80036857a98

SHA1
dc8d3eeec71d109072046ca586f5e1dbbe9350cb

SHA256
f19a9b93da16554bded51a0fa4a0473336de46f93a8b2c442f365bb9a019e639

SHA512
1f864848a1d2dcd141871f5e4dd31a394024485ae97eda5b7d13941cc11abe77aebfd39da80cdd78556db92070985a6c3cd1d60bee61df1acef53aec2d0e4cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemyzefl.exe

Filesize
101KB

MD5
b8a45e618b6f5e57ea5864fa7ade40dd

SHA1
791494e3f6e1ef6cfd9e822fbafb7d021aeebe25

SHA256
22f03282ae5edd719f0d02fa7f276a8dffde958b301d29695dc6daf5119ba815

SHA512
8a1fc6624d91fa58b24dc37ab63e68fd75b304812576de38c274d72070a06f39acf645a5d426a86ba289e1f110ca2ccfc0812dbbe3e6790f83b99aeb5961c555

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
b66a1455eda3c1df9630e5ac32f849ed

SHA1
33093dee16f950320abe0639ca8a1fa7cba43bf4

SHA256
a223944429d1f97acb6362007a05a5321fd6526280fdeff5f714d9adb4eb53b3

SHA512
448bb80b494e2063bfc5a62ad922bd366cd0fa67b07cbb2d2b7c4819850415c045f5771f01291a2a7a7fa3a22745281354173969a67e9ca6f5931ac15a5495da

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f157bea0a3c154904f1444388cc1eff0

SHA1
12fed6c4bc656874c5adf875485e60f1bd2395b0

SHA256
b28d528539e0d7f32ebbe690a21d3fdf220adf3928a00dd5d7b11b5b02eb00e6

SHA512
f005ea0f0c16d02ef81f9e9e52cd8231786ff1cc74853a1bf06d5f1e7bb75abc4ac01c918bb41e4c5934fcdf904173a8d677071a5763ed5229b0223a8d2d450c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
e2af3c7e1134f0dfb21b8abb670bc7e4

SHA1
c21a0e91c31693daf0674ab8e2fa2186324c6f9b

SHA256
7f69993a2dcb5af025fdc86d521f3ac8af5495efa4309221a006b7feb9529a5f

SHA512
46213bae35f56813409490272f4bbafe70171bc5553204b77177edff5423e31bffab63a51147c9fadb3244fcf55f7c8cda301f052a8e0cd2a30a3887cff07f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
23bc6e98f352915888c272ca9bc3646d

SHA1
e37019e69a04d82ff323b688566da18c8fb52e81

SHA256
80d954938644d79f5dd0bc55a3bea781344ccd3c388b012ff9fea09e54591070

SHA512
f2caec7562bed818ae329903a37c87f0f3e5d80597fb7edb7629c81018c97f970a36d60c1d9a1a91ea70c2e34176c80135ea80feab699cb0db1c970337e10f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
3cf5e9490f6367b6a8583313b0216b43

SHA1
d429ef335cb5766b5b03601dbb9aa065c3473211

SHA256
54eb8ab065535153f66cc2a2c59c3fdf0567b65f1e58c990b6be5ff93a5d3d8b

SHA512
abab7bddf976bfcf3af87185fac65d6186f1c84e2f859a5f29f0daf45a239144b60c44a11584a70ad9df4233caa3dfc83a9a7dd3e89c1baeef5be0c7b1cf1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
034a4d3f3bed3c89657b10e92f86731d

SHA1
62fed101994f44c346a2f0bc5ba87939771fb7d4

SHA256
9e1fd96397f9330dd13b7a9005ddabe42d9e06d4b39071e917212f18933c163d

SHA512
c3127f6b5eb19c44003bad015801f3bbf3c0c346c78602077b244166f2e9357be8b6081e9324f9c9d60d132433c71bbff64662fee546ff0dbc3678053a15a9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
2a5522318e0093baf5ccc2fae1f8caad

SHA1
5e1a8a922101897e31bc66925c7128f13345088f

SHA256
a6044aded848ab5dc5ecbd3103c1dbb0bbe897f3e6f8214e2e0bb012b09c2fee

SHA512
0730a3ab5b7d5c90422fe1ad8b2724a95725255065cf97f672d8baa6b99fcfba49fb17f4d5a413fa053841c3ddf7cf83db94a8234dfbc6cd8ede0bc8b51575f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
5f1d6f3fbc8ccc0cfdcb3f5aea4a4f5a

SHA1
855c30d0ee5acba15c56a260f60e078ab4e8db1e

SHA256
9f0cf92e711c9354f461f74be7ac8d84e48b8a2e314471be2cd61428822520f6

SHA512
b367f5322c634bee27568b705bf8f09b3195d2053cdf3f03546df5482288d762f853619a9f412222063f8bc04f61cb8a7ace5bf761cac98e16c3fcd378dee8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
d991e140ea71755082a1d02d98a6adec

SHA1
75520b8e0f2f3dd375aab40d8926f7c2181752a3

SHA256
60a814410474e1fa0a324e61c3aa09342cd20e220e5e6006d85a1a7454179d94

SHA512
514a273a6bc85c73404c77b0418a3565559ffcf8dde23fa8be6344fd15a06eb513f2be5d6f84f289ad07cf8cf1008e2a931d36af71512dcbf12ba95ba693d937

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
2804e3526e02f19f00227c788f2223cc

SHA1
aee4b4df8ecd672bfb1ea7dc4184667b046f7bc3

SHA256
85bdadad747781598d0198b55a87b3d20c10a91a551cd0940ead26b8c71afdc8

SHA512
a120abe71f20d34fad56906457e5f1715d936e96e8258ca322efb46b550a015d1caf3cf9928f11db19545ad6bbbf5dc08bb509df1d57672d73c789f51efbadb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
98e2a837d4ab588a4442bea632a8b554

SHA1
3240c30bbed6be86298a1b1915b096e0d009ea37

SHA256
d51639e1842123079e8f2fa7b266a0e589babff8709803b732c9bb990f648393

SHA512
4950ff773d3615526c69e9328d9aacbf75796c15afab84ddf74f6472f5c58b53e2aeef5cb6ea83548471f8c76033c6abbec94731403d359d39e269fcd416b1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
49714e3983dcabd10f6dbdfbd897e251

SHA1
7d194ddb748c71cf83ff09e3980215f355b8d95d

SHA256
34d988183ea3856a0d345b14c6353116c4a14476ff23978be6211dbee9024a53

SHA512
35c582c13ae75b02f7a9c7b8b1e246006c6b4ffa49ded2625a80a08d03fdfad075681653bd2380b58fcd392103b9e3c7dd9500b8c54215fd0025fb5cb9dce3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
4b8546271e24a177d451fe31c5164707

SHA1
12b55d89cbc4145ded51b4312b40325d4508c8dc

SHA256
4ffbb0df0ad9d11f7f1ea79d08337d392ee74aac72fa91addda33b74fba55a9d

SHA512
19d95cff653e0d06cc1b3e53ce5dbea6a50c92c03eccf6899b2acad4650666921bddf47898993a3b2ea3712de0fd540c9339658e61b927d02ae57cb6bf9d1471

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
15b004289a8d74a265db4c36fac99abe

SHA1
258a6b031b11374f7fc7e4196e5a8c99e5882c6f

SHA256
e227221c6a8e7e9e5e7287a1d3546c78902825542351c81c4782145f793bc54b

SHA512
9a8279be0745e31b370852893560e8532aad24c2997df032c6ff2ef9679bc84069d28e5f0f278c271ffb97dbb338418cb67f106ee06e7a96bfa8bec67e72ab19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
02cb92478513e124cf15c9c9ea1039ed

SHA1
31e5afdb047dda08abaca11540b88990ed76d8b0

SHA256
a04437aedb66a3e1afa5e8fb8757a23bfbbac35b2c0a2a2ee5233ed0714d6888

SHA512
55a58d41044d1390e4350d77224fcbc9873a9426afab69b4ef968724c3a8593fba69423ac252bd248bed620bc3a4b7af5861831d278ce516b5e09faf85a19e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
9cf9af2b9536c537d593055b8aca36cf

SHA1
011f32263a3543562d2df41f5cc5719571b1959f

SHA256
a90e20a9a150cdd682c2d973c79de6fd93ced4334ca478a223d71c4d14a1a561

SHA512
bc44488ee78dfbdeff19301340508faeab80878e34cea05452b56fd81967fea79dca94c236fe5a357c5ad92729470d9134381d3765c12f7b747255230d78ba59

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
82dc0b7401f35a97d65a30ad622529f7

SHA1
64219763cdecdf92ddba392c1aa6191b8e015909

SHA256
e5a3dcc4e7e9ea1e6684dfe615f5b166c60d49422e7adf960084f9f3dd64bf44

SHA512
6042c6db916aa6ad8d53b92cf3f81c922c7ca03724bc2604ab104872633b52e836f3b6fdf9a37a9b3ae4d860648765b17de8b8111341b4e6ad263981b108ab41

Download Submit
memory/220-1263-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/432-357-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/444-1466-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/444-3033-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/588-957-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/700-1297-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/720-282-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/756-2494-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/876-1476-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/964-2337-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1048-1711-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1088-1397-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1092-2219-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1164-1980-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1232-2795-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1368-1576-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1376-1229-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1528-1059-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1708-718-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1748-2456-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1892-784-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1916-3409-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1920-1508-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1988-2937-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2036-2805-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2072-206-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2072-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2080-2389-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2180-2562-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2180-2727-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2204-3383-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2276-3443-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2512-279-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2512-2831-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2568-1877-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2576-3485-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2684-1783-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2804-2081-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2908-3203-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2952-2156-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3000-2422-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3000-1432-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3020-3306-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3040-593-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3108-1403-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3108-1537-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3136-2149-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3192-1911-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3204-2189-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3304-3237-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3380-2761-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3416-2899-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3484-3111-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3568-684-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3588-3339-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3604-3271-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3668-2693-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3680-3101-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3732-318-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3744-2115-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3792-2023-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3792-3067-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3792-1004-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3872-2999-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3964-3145-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3984-2591-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4060-1770-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4068-889-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4112-336-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4120-825-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4140-429-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4172-1193-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4172-511-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4248-926-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4312-2659-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4336-1636-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4348-991-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4416-1670-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4516-1990-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4544-855-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4548-786-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4576-1331-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4584-576-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4588-1098-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4588-928-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4588-1704-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4596-621-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4596-819-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4644-1946-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4648-2865-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4672-2625-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4716-3373-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4740-2359-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4752-2290-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4756-479-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4764-2253-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4764-466-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4860-242-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4932-1501-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5068-1135-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5088-1814-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5100-1840-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5100-1712-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5104-2528-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5108-1200-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download