Analysis
max time kernel: 98s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 04:19
Behavioral task: behavioral1
Sample: 1cb215df0b3dec6b766d6495ce7830b0_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 1cb215df0b3dec6b766d6495ce7830b0_NeikiAnalytics.exe
Size: 656KB
MD5: 1cb215df0b3dec6b766d6495ce7830b0
SHA1: f0658d9460c01dbb06f46add70dd4c3c37900d90
SHA256: 40f8f24210d43ef510c50fcb1e5ad4bfe1ae9d90c18d85c430632328fd49c997
SHA512: ba5e2ba76024970e79ef0205c9b9697dc0e0fcbeae8230bf1328b9d230208d6afe961832e8cf0a112b41ba2276005241fe0c21ca23f6e96b1115267d97ae1a57
SSDEEP: 12288:w+67XR9JSSxvYGdodHDusQHNd1KidKjttRYLwx:w+6N986Y7DusQHNd1KidKjttRYLwx
Malware Config
Signatures
Malware Dropper & Backdoor - Berbew 19 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\1cb215df0b3dec6b766d6495ce7830b0_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\1cb215df0b3dec6b766d6495ce7830b0_NeikiAnalytics.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1652
Level 2: C:\Users\Admin\AppData\Local\Temp\Sysqemendfn.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemendfn.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4692
Level 3: C:\Users\Admin\AppData\Local\Temp\Sysqemczztl.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemczztl.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3004
Level 4: C:\Users\Admin\AppData\Local\Temp\Sysqemztuob.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemztuob.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4524
Level 5: C:\Users\Admin\AppData\Local\Temp\Sysqemeucjs.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemeucjs.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3752
Level 6: C:\Users\Admin\AppData\Local\Temp\Sysqemzphys.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemzphys.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1904
Level 7: C:\Users\Admin\AppData\Local\Temp\Sysqempfcmk.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqempfcmk.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3348
Level 8: C:\Users\Admin\AppData\Local\Temp\Sysqemudzuq.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemudzuq.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4660
Level 9: C:\Users\Admin\AppData\Local\Temp\Sysqemeklri.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemeklri.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2688
Level 10: C:\Users\Admin\AppData\Local\Temp\Sysqemmones.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemmones.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 540
Level 11: C:\Users\Admin\AppData\Local\Temp\Sysqempjqce.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqempjqce.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2116
Level 12: C:\Users\Admin\AppData\Local\Temp\Sysqemjasxc.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemjasxc.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3108
Level 13: C:\Users\Admin\AppData\Local\Temp\Sysqemreukl.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemreukl.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4344
Level 14: C:\Users\Admin\AppData\Local\Temp\Sysqemjefik.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemjefik.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5024
Level 15: C:\Users\Admin\AppData\Local\Temp\Sysqemybovi.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemybovi.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3880
Level 16: C:\Users\Admin\AppData\Local\Temp\Sysqemrxoge.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemrxoge.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4536
Level 17: C:\Users\Admin\AppData\Local\Temp\Sysqembmgqa.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqembmgqa.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2940
Level 18: C:\Users\Admin\AppData\Local\Temp\Sysqemwditq.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemwditq.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4712
Level 19: C:\Users\Admin\AppData\Local\Temp\Sysqemjbebs.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemjbebs.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4660
Level 20: C:\Users\Admin\AppData\Local\Temp\Sysqemrvlus.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemrvlus.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4444
Level 21: C:\Users\Admin\AppData\Local\Temp\Sysqemjjlep.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemjjlep.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2568
Level 22: C:\Users\Admin\AppData\Local\Temp\Sysqemrvxxs.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemrvxxs.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4776
Level 23: C:\Users\Admin\AppData\Local\Temp\Sysqemjnaur.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemjnaur.exe"
- Executes dropped EXE
- Modifies registry class
PID: 3212
Level 24: C:\Users\Admin\AppData\Local\Temp\Sysqemzduij.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemzduij.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 4400
Level 25: C:\Users\Admin\AppData\Local\Temp\Sysqemebsir.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemebsir.exe"
- Executes dropped EXE
PID: 3328
Level 26: C:\Users\Admin\AppData\Local\Temp\Sysqemwpsbn.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemwpsbn.exe"
- Executes dropped EXE
PID: 1352
Level 27: C:\Users\Admin\AppData\Local\Temp\Sysqemyzjqf.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemyzjqf.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2984
Level 28: C:\Users\Admin\AppData\Local\Temp\Sysqemobpra.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemobpra.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 3160
Level 29: C:\Users\Admin\AppData\Local\Temp\Sysqembdwmx.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqembdwmx.exe"
- Executes dropped EXE
PID: 4324
Level 30: C:\Users\Admin\AppData\Local\Temp\Sysqemlfncw.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemlfncw.exe"
- Executes dropped EXE
- Modifies registry class
PID: 2124
Level 31: C:\Users\Admin\AppData\Local\Temp\Sysqemzptmz.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemzptmz.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 1460
Level 32: C:\Users\Admin\AppData\Local\Temp\Sysqembhlcr.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqembhlcr.exe"
- Executes dropped EXE
PID: 4312
Level 33: C:\Users\Admin\AppData\Local\Temp\Sysqemrduhp.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemrduhp.exe"
- Executes dropped EXE
- Modifies registry class
PID: 1544
Level 34: C:\Users\Admin\AppData\Local\Temp\Sysqemjstaa.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemjstaa.exe"
- Executes dropped EXE
PID: 1452
Level 35: C:\Users\Admin\AppData\Local\Temp\Sysqemofnnf.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemofnnf.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 3492
Level 36: C:\Users\Admin\AppData\Local\Temp\Sysqemoyxll.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemoyxll.exe"
- Executes dropped EXE
- Modifies registry class
PID: 4604
Level 37: C:\Users\Admin\AppData\Local\Temp\Sysqembaegi.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqembaegi.exe"
- Executes dropped EXE
PID: 1984
Level 38: C:\Users\Admin\AppData\Local\Temp\Sysqemnnxop.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemnnxop.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID: 620
Level 39: C:\Users\Admin\AppData\Local\Temp\Sysqemllfuu.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemllfuu.exe"
- Executes dropped EXE
PID: 4700
Level 40: C:\Users\Admin\AppData\Local\Temp\Sysqemdwtzn.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemdwtzn.exe"
- Executes dropped EXE
PID: 1888
Level 41: C:\Users\Admin\AppData\Local\Temp\Sysqemlpbkw.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemlpbkw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID: 3372
Level 42: C:\Users\Admin\AppData\Local\Temp\Sysqemrnzfv.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemrnzfv.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 760
Level 43: C:\Users\Admin\AppData\Local\Temp\Sysqemiqvqp.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemiqvqp.exe"
- Executes dropped EXE
PID: 4588
Level 44: C:\Users\Admin\AppData\Local\Temp\Sysqemvsdlu.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemvsdlu.exe"
- Executes dropped EXE
- Modifies registry class
PID: 3568
Level 45: C:\Users\Admin\AppData\Local\Temp\Sysqembbmlw.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqembbmlw.exe"
- Executes dropped EXE
- Modifies registry class
PID: 1344
Level 46: C:\Users\Admin\AppData\Local\Temp\Sysqemdxybd.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemdxybd.exe"
- Executes dropped EXE
PID: 4104
Level 47: C:\Users\Admin\AppData\Local\Temp\Sysqemgscjj.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemgscjj.exe"
- Executes dropped EXE
PID: 1784
Level 48: C:\Users\Admin\AppData\Local\Temp\Sysqemotcpk.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemotcpk.exe"
- Executes dropped EXE
- Modifies registry class
PID: 1692
Level 49: C:\Users\Admin\AppData\Local\Temp\Sysqemdxyuu.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemdxyuu.exe"
- Executes dropped EXE
- Modifies registry class
PID: 4260
Level 50: C:\Users\Admin\AppData\Local\Temp\Sysqemikbqz.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemikbqz.exe"
- Executes dropped EXE
- Modifies registry class
PID: 2272
Level 51: C:\Users\Admin\AppData\Local\Temp\Sysqemnxwdd.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemnxwdd.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2492
Level 52: C:\Users\Admin\AppData\Local\Temp\Sysqemvbhwg.exe  "C:\Users\Admin\AppData\Local\Temp\Sysqemvbhwg.exe"
- Executes dropped EXE
PID:1028 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkgqbe.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkgqbe.exe"53⤵
- Executes dropped EXE
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfmyrr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfmyrr.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3828 -
C:\Users\Admin\AppData\Local\Temp\Sysqemqwxpy.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqwxpy.exe"55⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\Sysqemyaihb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemyaihb.exe"56⤵
- Executes dropped EXE
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfqxfy.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfqxfy.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\Sysqemssmad.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemssmad.exe"58⤵
- Executes dropped EXE
- Modifies registry class
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\Sysqemipvnb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemipvnb.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\Sysqemtlxlv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemtlxlv.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\Sysqemaalja.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemaalja.exe"61⤵
- Executes dropped EXE
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfrrji.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfrrji.exe"62⤵
- Executes dropped EXE
- Modifies registry class
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\Sysqemktyef.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemktyef.exe"63⤵
- Executes dropped EXE
- Modifies registry class
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\Sysqempuphv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempuphv.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
PID:1436 -
C:\Users\Admin\AppData\Local\Temp\Sysqemapird.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemapird.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
PID:636 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnzoug.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnzoug.exe"66⤵PID:4128
-
C:\Users\Admin\AppData\Local\Temp\Sysqemxgazr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxgazr.exe"67⤵
- Checks computer location settings
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfzzaf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfzzaf.exe"68⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\Sysqemndbfp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemndbfp.exe"69⤵
- Checks computer location settings
- Modifies registry class
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\Sysqemuhlsg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemuhlsg.exe"70⤵
- Modifies registry class
PID:884 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhjand.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhjand.exe"71⤵
- Checks computer location settings
- Modifies registry class
PID:696 -
C:\Users\Admin\AppData\Local\Temp\Sysqemsbryb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemsbryb.exe"72⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\Sysqemajgez.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemajgez.exe"73⤵
- Checks computer location settings
PID:620 -
C:\Users\Admin\AppData\Local\Temp\Sysqemflxjk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemflxjk.exe"74⤵
- Checks computer location settings
PID:3156 -
C:\Users\Admin\AppData\Local\Temp\Sysqemacazs.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemacazs.exe"75⤵
- Checks computer location settings
- Modifies registry class
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\Sysqemxdlsi.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxdlsi.exe"76⤵
- Modifies registry class
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfthpg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfthpg.exe"77⤵
- Checks computer location settings
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkfckk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkfckk.exe"78⤵
- Modifies registry class
PID:4260 -
C:\Users\Admin\AppData\Local\Temp\Sysqempsxyp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempsxyp.exe"79⤵
- Modifies registry class
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\Sysqemiziqg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemiziqg.exe"80⤵
- Modifies registry class
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\Sysqemppsoy.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemppsoy.exe"81⤵
- Modifies registry class
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\Sysqemzwfrc.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemzwfrc.exe"82⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\Sysqemxuneg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxuneg.exe"83⤵
- Checks computer location settings
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\Sysqemptrhr.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemptrhr.exe"84⤵
- Checks computer location settings
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\Sysqemaafsv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemaafsv.exe"85⤵
- Modifies registry class
PID:916 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkpgvx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkpgvx.exe"86⤵
- Modifies registry class
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\Sysqempmmqw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempmmqw.exe"87⤵
- Modifies registry class
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkterk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkterk.exe"88⤵
- Checks computer location settings
- Modifies registry class
PID:1012 -
C:\Users\Admin\AppData\Local\Temp\Sysqemudugj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemudugj.exe"89⤵
- Checks computer location settings
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmruzf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmruzf.exe"90⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\Sysqempnyhm.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempnyhm.exe"91⤵
- Modifies registry class
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\Sysqemclcxo.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemclcxo.exe"92⤵
- Modifies registry class
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\Sysqemruoqp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemruoqp.exe"93⤵
- Modifies registry class
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\Sysqemcmnaf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemcmnaf.exe"94⤵
- Checks computer location settings
- Modifies registry class
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\Sysqemuepyt.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemuepyt.exe"95⤵
- Modifies registry class
PID:4384 -
C:\Users\Admin\AppData\Local\Temp\Sysqemphdtx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemphdtx.exe"96⤵
- Checks computer location settings
PID:3372 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhksjk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhksjk.exe"97⤵
- Modifies registry class
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\Sysqemexppc.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemexppc.exe"98⤵
- Modifies registry class
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\Sysqemrrekz.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrrekz.exe"99⤵
- Checks computer location settings
- Modifies registry class
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmemau.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmemau.exe"100⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\Sysqemzkfiu.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemzkfiu.exe"101⤵
- Modifies registry class
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmfydl.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmfydl.exe"102⤵
- Checks computer location settings
- Modifies registry class
PID:740 -
C:\Users\Admin\AppData\Local\Temp\Sysqemcchqj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemcchqj.exe"103⤵
- Checks computer location settings
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\Sysqemccrox.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemccrox.exe"104⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\Sysqempeyju.exe"C:\Users\Admin\AppData\Local\Temp\Sysqempeyju.exe"105⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\Sysqemeywkp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemeywkp.exe"106⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\Sysqemrdokp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrdokp.exe"107⤵
- Checks computer location settings
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjdavz.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjdavz.exe"108⤵
- Checks computer location settings
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\Sysqemwuuyw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemwuuyw.exe"109⤵
- Checks computer location settings
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjimyw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjimyw.exe"110⤵
- Checks computer location settings
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\Sysqemwkutb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemwkutb.exe"111⤵
- Checks computer location settings
- Modifies registry class
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\Sysqemerqyz.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemerqyz.exe"112⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\Sysqemtozmx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemtozmx.exe"113⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\Sysqemmhojq.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmhojq.exe"114⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\Sysqemuanjf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemuanjf.exe"115⤵
- Modifies registry class
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhnezl.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhnezl.exe"116⤵
- Checks computer location settings
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\Sysqemulzct.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemulzct.exe"117⤵
- Modifies registry class
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\Sysqemwvrzm.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemwvrzm.exe"118⤵PID:3348
-
C:\Users\Admin\AppData\Local\Temp\Sysqemewxss.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemewxss.exe"119⤵
- Checks computer location settings
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjxgvj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjxgvj.exe"120⤵
- Checks computer location settings
- Modifies registry class
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\Sysqemutikc.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemutikc.exe"121⤵
- Checks computer location settings
- Modifies registry class
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\Sysqembiwqi.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembiwqi.exe"122⤵
- Modifies registry class
PID:1356
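The tree above is one straight chain: every Sysqem*.exe dropped into the user's Temp directory launches the next one, a level deeper each time, from level 27 through level 122. Two details matter for anyone turning this into a hunt. First, the "Executes dropped EXE" tag stops appearing on nodes from level 66 onward even though the chain keeps going, so a check that keys on the signature tag would miss the back half; keying on the image path and parent/child linkage does not. Second, several PIDs recur on different nodes of this single run (4312 at levels 32 and 67, 620 at 38 and 73, 1888 at 40 and 76, 3348 at 53, 107 and 118), so a PID by itself is not a stable correlation key once processes start exiting and the OS recycles their IDs. The following script is an added example, not part of the report or of any sandbox vendor's tooling: it parses the layout used on this page, extracts the chain, and reports PID reuse. The sample lines are constructed in that layout; the levels, PIDs and the trailing cmd.exe node are chosen to exercise the checks and are not the report's data.

```python
"""Flag a self-propagating dropper chain in a sandbox process-tree excerpt.
Added example, not the report's or the sandbox vendor's code; it assumes the layout
seen on the page (header with path, quoted cmdline and level; "- <signature>" bullets;
"PID:<n>", sometimes fused onto the header; lone "-" lines as nesting residue)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Header: path, quoted cmdline, level. Accepts the raw fused form (path"cmd"27⤵)
# and a spaced form (path "cmd" (level 27)).
HEADER_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\[^"\s]+)\s*"(?P<cmd>[^"]*)"\s*(?:\(level\s*)?(?P<level>\d+)'
)
PID_RE = re.compile(r"PID:\s*(?P<pid>\d+)")
# Naming scheme of the dropped stages in this run: Sysqem + five lowercase letters, under Temp.
STAGE_RE = re.compile(r"\\AppData\\Local\\Temp\\Sysqem[a-z]{5}\.exe$", re.IGNORECASE)

# Constructed sample in the report's layout; levels, PIDs and the cmd.exe node are
# chosen to exercise the checks and are not the report's own data.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\Sysqemyzjqf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemyzjqf.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\Sysqemobpra.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemobpra.exe"28⤵
- Executes dropped EXE
- Modifies registry class
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\Sysqembdwmx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembdwmx.exe"29⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\Sysqemlfncw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemlfncw.exe"30⤵
- Checks computer location settings
PID:4312 -
C:\Windows\System32\cmd.exe"cmd.exe /c echo hi"31⤵PID:1200
-
"""


@dataclass
class Process:
    path: str
    cmdline: str
    level: int
    pid: int | None = None
    tags: list[str] = field(default_factory=list)


def parse_tree(text: str) -> list[Process]:
    """Turn the report layout into Process records, in tree order."""
    procs: list[Process] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue  # blank or nesting residue, carries no data
        m = HEADER_RE.match(line)
        if m:
            procs.append(Process(m["path"], m["cmd"], int(m["level"])))
            line = line[m.end():]  # a PID may be fused onto the header
        if not procs:
            continue
        pm = PID_RE.search(line)
        if pm:
            procs[-1].pid = int(pm["pid"])
        elif line.startswith("- "):
            procs[-1].tags.append(line[2:].strip())
    return procs


def dropper_chains(procs: list[Process], min_len: int = 3) -> list[list[Process]]:
    """Runs of Temp-dropped Sysqem*.exe nodes, each exactly one level below the previous."""
    chains: list[list[Process]] = []
    cur: list[Process] = []
    for p in procs:
        is_stage = bool(STAGE_RE.search(p.path))
        linked = bool(cur) and p.level == cur[-1].level + 1
        if is_stage and (not cur or linked):
            cur.append(p)
            continue
        if len(cur) >= min_len:
            chains.append(cur)
        cur = [p] if is_stage else []
    if len(cur) >= min_len:
        chains.append(cur)
    return chains


def pid_reuse(procs: list[Process]) -> dict[int, list[int]]:
    """PIDs that appear on more than one node of the same run (PID -> tree levels)."""
    seen: dict[int, list[int]] = defaultdict(list)
    for p in procs:
        if p.pid is not None:
            seen[p.pid].append(p.level)
    return {pid: lv for pid, lv in seen.items() if len(lv) > 1}


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for chain in dropper_chains(tree):
        print(f"{len(chain)}-stage chain, levels {chain[0].level}-{chain[-1].level}")
    print("PID reuse:", pid_reuse(tree))
```

On a live endpoint the same linkage check maps onto process-creation telemetry such as Sysmon Event ID 1, where both Image and ParentImage can be tested against the Temp-path pattern and ProcessGuid/ParentProcessGuid give a correlation key that survives PID recycling.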