Analysis

max time kernel: 90s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 09:47
Behavioral task: behavioral1
Sample: ddd6f3bfa32a756c9b108284a1e3d5f1_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: ddd6f3bfa32a756c9b108284a1e3d5f1_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General

Target: ddd6f3bfa32a756c9b108284a1e3d5f1_NeikiAnalytics.exe
Size: 88KB
MD5: ddd6f3bfa32a756c9b108284a1e3d5f1
SHA1: af19ec3ec336ccfdef07504e419cc86b86f10a6d
SHA256: 7bc8748c51fc81fe58f02d47f2a5906256d5beb229c05abf26126b40470788fe
SHA512: 520bdcbb498d365fe4f7b55a0830cc288c38e50e2f20468e5dd78b2ff21b01b49ecff6ba729f061c9eceeb565d4fea20af382a491cac328e765e93882be9c578
SSDEEP: 1536:TYjIyeC1eUfKjkhBYJ7mTCbqODiC1ZsyHZK0FjlqsS5eHyG9LU3YG8nx1:0dEUfKj8BYbDiC1ZTK7sxtLUIGM
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.

description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
Process (each of the 64 processes below queried this key, one IoC per process):
Sysqemrisoz.exe, Sysqemcqksy.exe, Sysqemjjfrh.exe, Sysqemsuoia.exe, Sysqemirkmj.exe, Sysqemrtspk.exe, Sysqemwskps.exe, Sysqemgnuvr.exe,
Sysqemiknyj.exe, Sysqemvixbr.exe, Sysqemqqyws.exe, Sysqembrvue.exe, Sysqemyxxuy.exe, Sysqemrkiue.exe, Sysqemvjtai.exe, Sysqemqjqvy.exe,
Sysqemjerev.exe, Sysqemeiqni.exe, Sysqemxdvpn.exe, Sysqemzktyn.exe, Sysqemrqazn.exe, Sysqemrcrih.exe, Sysqemwgbuu.exe, Sysqemdmriw.exe,
Sysqemukxiz.exe, Sysqemmvvym.exe, Sysqemnzjpz.exe, Sysqemlboys.exe, Sysqemqecio.exe, Sysqemgjwhk.exe, Sysqemnfgjz.exe, Sysqemcnigg.exe,
Sysqembhzjh.exe, Sysqemhdjkj.exe, Sysqemiyadz.exe, Sysqemdhsgh.exe, Sysqemrpgim.exe, Sysqemlmlpg.exe, Sysqemxxito.exe, Sysqemvgbtb.exe,
Sysqemvfgme.exe, Sysqemyvrym.exe, Sysqemcawim.exe, Sysqemiudim.exe, Sysqemktetg.exe, Sysqempummb.exe, Sysqemtzgfa.exe, Sysqemjjlep.exe,
Sysqemjcrch.exe, Sysqemrhzxr.exe, Sysqemttzfq.exe, Sysqemgcnds.exe, Sysqemeboae.exe, Sysqemayrzk.exe, Sysqemkbewd.exe, Sysqemlxrum.exe,
Sysqemyqdsi.exe, Sysqemlifam.exe, Sysqemvhaql.exe, Sysqemgcuge.exe, Sysqemzyzik.exe, Sysqemutikc.exe, Sysqemyismm.exe, Sysqemveple.exe
Executes dropped EXE (64 IoCs)

pid | Process
1704 | Sysqemzqczx.exe
4420 | Sysqemreukl.exe
3620 | Sysqemrtspk.exe
4156 | Sysqemcawim.exe
756 | Sysqemgqbvi.exe
2000 | Sysqemoravp.exe
4320 | Sysqemrisoz.exe
4484 | Sysqemmpgqo.exe
1788 | Sysqemqfdlk.exe
2060 | Sysqemwditq.exe
2668 | Sysqemdhsgh.exe
4240 | Sysqemmtugi.exe
4432 | Sysqemwhwjs.exe
3268 | Sysqemgcxcz.exe
2500 | Sysqemjjlep.exe
4784 | Sysqemwskps.exe
2564 | Sysqemeafhm.exe
548 | Sysqemlbehs.exe
4564 | Sysqemtfouk.exe
4760 | Sysqemzzipv.exe
2284 | Sysqemhshqb.exe
3804 | Sysqemoauqv.exe
1604 | Sysqemwxqdz.exe
3792 | Sysqemyktgu.exe
4600 | Sysqemeiqni.exe
3892 | Sysqemtjnod.exe
3856 | Sysqemjdloy.exe
3240 | Sysqemrkiue.exe
4228 | Sysqemyaerc.exe
3660 | Sysqemeboae.exe
1020 | Sysqemrpgim.exe
3196 | Sysqemdgidb.exe
4068 | Sysqemthudc.exe
2068 | Sysqemqecio.exe
4420 | Sysqemgyajk.exe
4992 | Sysqemoyhjq.exe
3340 | Sysqemgjwhk.exe
1376 | Sysqemnghmv.exe
3088 | Sysqemynmpr.exe
3220 | Sysqemgnuvr.exe
4464 | Sysqemoviax.exe
4528 | Sysqemlwcte.exe
4428 | Sysqemvhaql.exe
2252 | Sysqemgcuge.exe
1900 | Sysqemlmlpg.exe
2072 | Sysqembrvue.exe
2212 | Sysqemayrzk.exe
1376 | Sysqemartxq.exe
4164 | Sysqembgsib.exe
4608 | Sysqemdyklf.exe
3796 | Sysqemiknyj.exe
3496 | Sysqemfmyrr.exe
3976 | Sysqemnfgjz.exe
4156 | Sysqemyxxuy.exe
4052 | Sysqemvjtai.exe
4788 | Sysqemdofsl.exe
3080 | Sysqemptxal.exe
3184 | Sysqemxxito.exe
4524 | Sysqemvgbtb.exe
3316 | Sysqemdkmme.exe
3152 | Sysqempuphv.exe
3892 | Sysqemnolzx.exe
4388 | Sysqemctvnv.exe
4748 | Sysqemiudim.exe
yara_rule: upx (matched by each of the 64 resources below)
resource:
behavioral2/memory/960-0-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023428-6.dat
behavioral2/memory/1704-36-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0008000000023424-42.dat
behavioral2/files/0x000700000002342a-72.dat
behavioral2/files/0x000700000002342c-107.dat
behavioral2/files/0x0008000000023425-142.dat
behavioral2/files/0x000700000002342d-177.dat
behavioral2/files/0x000700000002342e-212.dat
behavioral2/memory/2000-214-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/960-244-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x000700000002342f-250.dat
behavioral2/memory/4320-252-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023430-286.dat
behavioral2/memory/1704-293-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023431-324.dat
behavioral2/memory/1788-325-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4420-327-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023432-361.dat
behavioral2/memory/3620-364-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4156-401-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023434-400.dat
behavioral2/memory/2668-402-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/756-432-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023435-438.dat
behavioral2/memory/2000-466-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023436-475.dat
behavioral2/memory/4320-506-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0007000000023437-512.dat
behavioral2/memory/4484-543-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x0008000000023438-549.dat
behavioral2/memory/1788-580-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x000800000002343a-586.dat
behavioral2/memory/4784-588-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/2060-618-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/files/0x000700000002343b-624.dat
behavioral2/files/0x000a000000023394-659.dat
behavioral2/memory/2668-691-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4564-697-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4240-725-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4432-764-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3268-793-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/2500-827-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4784-861-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3792-867-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/2564-872-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/548-898-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4564-932-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4760-934-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/2284-968-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3804-970-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/1604-980-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3792-1011-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4600-1040-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3892-1074-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3856-1140-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3196-1146-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3240-1174-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4228-1184-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3660-1210-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/2068-1215-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/1020-1275-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/3196-1309-0x0000000000400000-0x0000000000492000-memory.dmp
behavioral2/memory/4068-1343-0x0000000000400000-0x0000000000492000-memory.dmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Process (each of the 64 processes below created this key, one IoC per process):
Sysqemeafhm.exe, Sysqemqecio.exe, Sysqembrvue.exe, Sysqemvfgme.exe, Sysqemszlif.exe, Sysqemxqcre.exe, Sysqemzyzik.exe, Sysqembncnm.exe,
Sysqemdmriw.exe, Sysqemdnxxx.exe, Sysqemrtspk.exe, Sysqemgjwhk.exe, Sysqemxwptx.exe, Sysqemzzpww.exe, Sysqemrfkms.exe, Sysqemywipi.exe,
Sysqemjjlep.exe, Sysqemiknyj.exe, Sysqemcqksy.exe, Sysqemlifam.exe, Sysqemoravp.exe, Sysqemmpgqo.exe, Sysqemyaerc.exe, Sysqemzktyn.exe,
Sysqempppbd.exe, Sysqemjjfrh.exe, Sysqemhshqb.exe, Sysqemnolzx.exe, Sysqemnzjpz.exe, Sysqemsuoia.exe, Sysqemwxqdz.exe, Sysqemnghmv.exe,
Sysqembowlk.exe, Sysqemgcxcz.exe, Sysqemjdloy.exe, Sysqemybhva.exe, Sysqemreukl.exe, Sysqemcawim.exe, Sysqemeboae.exe, Sysqemdofsl.exe,
Sysqempuphv.exe, Sysqemkfckk.exe, Sysqemukxiz.exe, Sysqemehpmx.exe, Sysqembofhv.exe, Sysqembhzjh.exe, Sysqemyxxuy.exe, Sysqemvjtai.exe,
Sysqemptxal.exe, Sysqemvgbtb.exe, Sysqemlxrum.exe, Sysqemgqbvi.exe, Sysqemzzipv.exe, Sysqempocpb.exe, Sysqemlpiqx.exe, Sysqemmtugi.exe,
Sysqemoviax.exe, Sysqemyismm.exe, Sysqemyktgu.exe, Sysqemlmlpg.exe, Sysqemtzgfa.exe, Sysqemqfdlk.exe, Sysqemgnuvr.exe, Sysqemvixbr.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 960 wrote to memory of 1704 | 960 | ddd6f3bfa32a756c9b108284a1e3d5f1_NeikiAnalytics.exe | 82 (x3)
PID 1704 wrote to memory of 4420 | 1704 | Sysqemzqczx.exe | 83 (x3)
PID 4420 wrote to memory of 3620 | 4420 | Sysqemreukl.exe | 84 (x3)
PID 3620 wrote to memory of 4156 | 3620 | Sysqemrtspk.exe | 86 (x3)
PID 4156 wrote to memory of 756 | 4156 | Sysqemcawim.exe | 89 (x3)
PID 756 wrote to memory of 2000 | 756 | Sysqemgqbvi.exe | 92 (x3)
PID 2000 wrote to memory of 4320 | 2000 | Sysqemoravp.exe | 93 (x3)
PID 4320 wrote to memory of 4484 | 4320 | Sysqemrisoz.exe | 94 (x3)
PID 4484 wrote to memory of 1788 | 4484 | Sysqemmpgqo.exe | 95 (x3)
PID 1788 wrote to memory of 2060 | 1788 | Sysqemqfdlk.exe | 98 (x3)
PID 2060 wrote to memory of 2668 | 2060 | Sysqemwditq.exe | 99 (x3)
PID 2668 wrote to memory of 4240 | 2668 | Sysqemdhsgh.exe | 100 (x3)
PID 4240 wrote to memory of 4432 | 4240 | Sysqemmtugi.exe | 101 (x3)
PID 4432 wrote to memory of 3268 | 4432 | Sysqemwhwjs.exe | 102 (x3)
PID 3268 wrote to memory of 2500 | 3268 | Sysqemgcxcz.exe | 103 (x3)
PID 2500 wrote to memory of 4784 | 2500 | Sysqemjjlep.exe | 104 (x3)
PID 4784 wrote to memory of 2564 | 4784 | Sysqemwskps.exe | 105 (x3)
PID 2564 wrote to memory of 548 | 2564 | Sysqemeafhm.exe | 106 (x3)
PID 548 wrote to memory of 4564 | 548 | Sysqemlbehs.exe | 108 (x3)
PID 4564 wrote to memory of 4760 | 4564 | Sysqemtfouk.exe | 109 (x3)
PID 4760 wrote to memory of 2284 | 4760 | Sysqemzzipv.exe | 110 (x3)
PID 2284 wrote to memory of 3804 | 2284 | Sysqemhshqb.exe | 111
(each row marked x3 appears three times in the report, one IoC per write; 21 x 3 + 1 = 64 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ddd6f3bfa32a756c9b108284a1e3d5f1_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ddd6f3bfa32a756c9b108284a1e3d5f1_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   PID: 960

2. C:\Users\Admin\AppData\Local\Temp\Sysqemzqczx.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemzqczx.exe"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1704

3. C:\Users\Admin\AppData\Local\Temp\Sysqemreukl.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemreukl.exe"
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4420

4. C:\Users\Admin\AppData\Local\Temp\Sysqemrtspk.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemrtspk.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3620

5. C:\Users\Admin\AppData\Local\Temp\Sysqemcawim.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemcawim.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4156

6. C:\Users\Admin\AppData\Local\Temp\Sysqemgqbvi.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemgqbvi.exe"
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 756

7. C:\Users\Admin\AppData\Local\Temp\Sysqemoravp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoravp.exe"
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2000

8. C:\Users\Admin\AppData\Local\Temp\Sysqemrisoz.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemrisoz.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4320

9. C:\Users\Admin\AppData\Local\Temp\Sysqemmpgqo.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemmpgqo.exe"
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4484

10. C:\Users\Admin\AppData\Local\Temp\Sysqemqfdlk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemqfdlk.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1788

11. C:\Users\Admin\AppData\Local\Temp\Sysqemwditq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemwditq.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2060

12. C:\Users\Admin\AppData\Local\Temp\Sysqemdhsgh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemdhsgh.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2668

13. C:\Users\Admin\AppData\Local\Temp\Sysqemmtugi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemmtugi.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4240

14. C:\Users\Admin\AppData\Local\Temp\Sysqemwhwjs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemwhwjs.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4432

15. C:\Users\Admin\AppData\Local\Temp\Sysqemgcxcz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemgcxcz.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3268

16. C:\Users\Admin\AppData\Local\Temp\Sysqemjjlep.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemjjlep.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2500

17. C:\Users\Admin\AppData\Local\Temp\Sysqemwskps.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemwskps.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4784

18. C:\Users\Admin\AppData\Local\Temp\Sysqemeafhm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemeafhm.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2564

19. C:\Users\Admin\AppData\Local\Temp\Sysqemlbehs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemlbehs.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 548

20. C:\Users\Admin\AppData\Local\Temp\Sysqemtfouk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemtfouk.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4564

21. C:\Users\Admin\AppData\Local\Temp\Sysqemzzipv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemzzipv.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4760

22. C:\Users\Admin\AppData\Local\Temp\Sysqemhshqb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemhshqb.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2284

23. C:\Users\Admin\AppData\Local\Temp\Sysqemoauqv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoauqv.exe"
    - Executes dropped EXE
    PID: 3804

24. C:\Users\Admin\AppData\Local\Temp\Sysqemwxqdz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemwxqdz.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 1604

25. C:\Users\Admin\AppData\Local\Temp\Sysqemyktgu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemyktgu.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 3792

26. C:\Users\Admin\AppData\Local\Temp\Sysqemeiqni.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemeiqni.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 4600

27. C:\Users\Admin\AppData\Local\Temp\Sysqemtjnod.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemtjnod.exe"
    - Executes dropped EXE
    PID: 3892

28. C:\Users\Admin\AppData\Local\Temp\Sysqemjdloy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemjdloy.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 3856

29. C:\Users\Admin\AppData\Local\Temp\Sysqemrkiue.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemrkiue.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 3240

30. C:\Users\Admin\AppData\Local\Temp\Sysqemyaerc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemyaerc.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 4228

31. C:\Users\Admin\AppData\Local\Temp\Sysqemeboae.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemeboae.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 3660

32. C:\Users\Admin\AppData\Local\Temp\Sysqemrpgim.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemrpgim.exe"
- Checks computer location settings
- Executes dropped EXE
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\Sysqemdgidb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemdgidb.exe"33⤵
- Executes dropped EXE
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\Sysqemthudc.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemthudc.exe"34⤵
- Executes dropped EXE
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\Sysqemqecio.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqecio.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\Sysqemgyajk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemgyajk.exe"36⤵
- Executes dropped EXE
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\Sysqemoyhjq.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemoyhjq.exe"37⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\Sysqemgjwhk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemgjwhk.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnghmv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnghmv.exe"39⤵
- Executes dropped EXE
- Modifies registry class
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\Sysqemynmpr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemynmpr.exe"40⤵
- Executes dropped EXE
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\Sysqemgnuvr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemgnuvr.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\Sysqemoviax.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemoviax.exe"42⤵
- Executes dropped EXE
- Modifies registry class
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\Sysqemlwcte.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemlwcte.exe"43⤵
- Executes dropped EXE
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\Sysqemvhaql.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemvhaql.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\Sysqemgcuge.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemgcuge.exe"45⤵
- Checks computer location settings
- Executes dropped EXE
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\Sysqemlmlpg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemlmlpg.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\Sysqembrvue.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembrvue.exe"47⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\Sysqemayrzk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemayrzk.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\Sysqemartxq.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemartxq.exe"49⤵
- Executes dropped EXE
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\Sysqembgsib.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembgsib.exe"50⤵
- Executes dropped EXE
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\Sysqemdyklf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemdyklf.exe"51⤵
- Executes dropped EXE
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\Sysqemiknyj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemiknyj.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfmyrr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfmyrr.exe"53⤵
- Executes dropped EXE
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnfgjz.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnfgjz.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\Sysqemyxxuy.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemyxxuy.exe"55⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\Sysqemvjtai.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemvjtai.exe"56⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\Sysqemdofsl.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemdofsl.exe"57⤵
- Executes dropped EXE
- Modifies registry class
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\Sysqemptxal.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemptxal.exe"58⤵
- Executes dropped EXE
- Modifies registry class
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\Sysqemxxito.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxxito.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\Sysqemvgbtb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemvgbtb.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\Sysqemdkmme.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemdkmme.exe"61⤵
- Executes dropped EXE
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\Sysqempuphv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempuphv.exe"62⤵
- Executes dropped EXE
- Modifies registry class
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnolzx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnolzx.exe"63⤵
- Executes dropped EXE
- Modifies registry class
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\Sysqemctvnv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemctvnv.exe"64⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\Sysqemiudim.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemiudim.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
PID:4748 -
C:\Users\Admin\AppData\Local\Temp\Sysqemqjqvy.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqjqvy.exe"66⤵
- Checks computer location settings
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\Sysqemsfule.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemsfule.exe"67⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\Sysqemvixbr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemvixbr.exe"68⤵
- Checks computer location settings
- Modifies registry class
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\Sysqemiyadz.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemiyadz.exe"69⤵
- Checks computer location settings
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\Sysqemktetg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemktetg.exe"70⤵
- Checks computer location settings
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkugrm.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkugrm.exe"71⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\Sysqemkbewd.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkbewd.exe"72⤵
- Checks computer location settings
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\Sysqemvfgme.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemvfgme.exe"73⤵
- Checks computer location settings
- Modifies registry class
PID:3608 -
C:\Users\Admin\AppData\Local\Temp\Sysqemxdvpn.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxdvpn.exe"74⤵
- Checks computer location settings
PID:804 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkfckk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkfckk.exe"75⤵
- Modifies registry class
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\Sysqemcqrie.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemcqrie.exe"76⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\Sysqemszlif.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemszlif.exe"77⤵
- Modifies registry class
PID:648 -
C:\Users\Admin\AppData\Local\Temp\Sysqemsoktp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemsoktp.exe"78⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\Sysqemzktyn.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemzktyn.exe"79⤵
- Checks computer location settings
- Modifies registry class
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\Sysqemiltmg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemiltmg.exe"80⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\Sysqemxqcre.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxqcre.exe"81⤵
- Modifies registry class
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\Sysqemslinp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemslinp.exe"82⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\Sysqemukxiz.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemukxiz.exe"83⤵
- Checks computer location settings
- Modifies registry class
PID:3868 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmvvym.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmvvym.exe"84⤵
- Checks computer location settings
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\Sysqemriptr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemriptr.exe"85⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\Sysqempummb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempummb.exe"86⤵
- Checks computer location settings
PID:760 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmruzf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmruzf.exe"87⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\Sysqemrqazn.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrqazn.exe"88⤵
- Checks computer location settings
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\Sysqemcpfcr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemcpfcr.exe"89⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\Sysqemsfaqj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemsfaqj.exe"90⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\Sysqemzyzik.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemzyzik.exe"91⤵
- Checks computer location settings
- Modifies registry class
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\Sysqemwlcvp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemwlcvp.exe"92⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\Sysqemxwptx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxwptx.exe"93⤵
- Modifies registry class
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\Sysqemehpmx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemehpmx.exe"94⤵
- Modifies registry class
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\Sysqempocpb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempocpb.exe"95⤵
- Modifies registry class
PID:512 -
C:\Users\Admin\AppData\Local\Temp\Sysqemcqksy.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemcqksy.exe"96⤵
- Checks computer location settings
- Modifies registry class
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjcrch.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjcrch.exe"97⤵
- Checks computer location settings
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\Sysqemrcrih.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrcrih.exe"98⤵
- Checks computer location settings
PID:3448 -
C:\Users\Admin\AppData\Local\Temp\Sysqemcnigg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemcnigg.exe"99⤵
- Checks computer location settings
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\Sysqempppbd.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempppbd.exe"100⤵
- Modifies registry class
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\Sysqemzzpww.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemzzpww.exe"101⤵
- Modifies registry class
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\Sysqemtjrrn.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemtjrrn.exe"102⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\Sysqemebhps.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemebhps.exe"103⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\Sysqemrhzxr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrhzxr.exe"104⤵
- Checks computer location settings
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\Sysqembofhv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembofhv.exe"105⤵
- Modifies registry class
PID:4956 -
C:\Users\Admin\AppData\Local\Temp\Sysqemybhva.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemybhva.exe"106⤵
- Modifies registry class
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhbhas.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhbhas.exe"107⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\Sysqembhzjh.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembhzjh.exe"108⤵
- Checks computer location settings
- Modifies registry class
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjmkbk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjmkbk.exe"109⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\Sysqemrfkms.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrfkms.exe"110⤵
- Modifies registry class
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\Sysqemwgbuu.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemwgbuu.exe"111⤵
- Checks computer location settings
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\Sysqemojpfo.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemojpfo.exe"112⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\Sysqemrqehe.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrqehe.exe"113⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\Sysqemttzfq.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemttzfq.exe"114⤵
- Checks computer location settings
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\Sysqemutikc.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemutikc.exe"115⤵
- Checks computer location settings
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\Sysqemwlziu.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemwlziu.exe"116⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\Sysqemyvrym.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemyvrym.exe"117⤵
- Checks computer location settings
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\Sysqemgcnds.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemgcnds.exe"118⤵
- Checks computer location settings
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\Sysqemlpiqx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemlpiqx.exe"119⤵
- Modifies registry class
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjjfrh.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjjfrh.exe"120⤵
- Checks computer location settings
- Modifies registry class
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhdjkj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhdjkj.exe"121⤵
- Checks computer location settings
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\Sysqembncnm.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembncnm.exe"122⤵
- Modifies registry class
PID:4380