Analysis
max time kernel: 90s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 11:59

Static task: static1
Behavioral task: behavioral1
  Sample: a2ab172f447cc8a6c48d7ae951964120_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a2ab172f447cc8a6c48d7ae951964120_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en

General
Target: a2ab172f447cc8a6c48d7ae951964120_NeikiAnalytics.exe
Size: 563KB
MD5: a2ab172f447cc8a6c48d7ae951964120
SHA1: 2df0b7d1c45178acf2bf7a722fc9c35596de8a70
SHA256: d42693e4a207d2c0c1c618424fd6ce301f8edc467106014f813aa1ed01a7e400
SHA512: 30767b7c0ff0f5ebef822e0340ee08072c47057839dc49b2c36f405021103daebc064d087f770516b97aadff2a34cae750239e86f372b44783ad5881da745528
SSDEEP: 3072:dCaoAs101Pol0xPTM7mRCAdJSSxPUkl3VyFNdQMQTCk/dN92sdNhavtrVdewnAxK:dqDAwl0xPTMiR9JSSxPUKYGdodH5
Malware Config
Signatures

Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried (same for all 64 IoCs)
ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
Process:
- Sysqemjhkar.exe
- Sysqemqwjrx.exe
- Sysqemolvxl.exe
- Sysqemafhwe.exe
- Sysqemfjsod.exe
- Sysqemviwvx.exe
- Sysqemqlyae.exe
- Sysqemredpx.exe
- Sysqemrlclf.exe
- Sysqemiziqg.exe
- Sysqemjgvmf.exe
- Sysqemebxwh.exe
- Sysqemgfulj.exe
- Sysqemmhojq.exe
- Sysqemmsaxg.exe
- Sysqemycizy.exe
- Sysqemfxago.exe
- Sysqemqixrh.exe
- Sysqemslhhe.exe
- Sysqemmdfmi.exe
- Sysqembmxup.exe
- Sysqemzgbsv.exe
- Sysqemjeldi.exe
- Sysqembafsg.exe
- Sysqemtmczr.exe
- Sysqemzkrwj.exe
- Sysqemafdev.exe
- Sysqemlxrum.exe
- Sysqemoaftn.exe
- Sysqemyfbjv.exe
- Sysqemvuzsc.exe
- Sysqemhqlrd.exe
- Sysqemojvtn.exe
- Sysqemhfgpv.exe
- Sysqemjauam.exe
- Sysqemqhffx.exe
- Sysqemmayhw.exe
- Sysqemvsfja.exe
- Sysqemizqaz.exe
- Sysqemcnwwa.exe
- Sysqembtumk.exe
- Sysqemvutrs.exe
- Sysqemrmsub.exe
- Sysqemnhgln.exe
- Sysqemhebht.exe
- Sysqemhjdfp.exe
- Sysqemlttbw.exe
- Sysqemiuenx.exe
- Sysqemttnil.exe
- Sysqemworyr.exe
- Sysqemltpiu.exe
- Sysqemqhfus.exe
- Sysqemjfloz.exe
- Sysqemgmgcv.exe
- Sysqemtrhyo.exe
- Sysqemnmwmu.exe
- Sysqemqttiw.exe
- Sysqemnafyv.exe
- Sysqemghvqh.exe
- Sysqemiowwg.exe
- Sysqemgnjra.exe
- Sysqemmrdux.exe
- Sysqemdxeli.exe
- Sysqemwrmuz.exe
Executes dropped EXE 64 IoCs
pid  Process
- 1384  Sysqemjeldi.exe
- 1848  Sysqemcpzjc.exe
- 2024  Sysqemwjeru.exe
- 1520  Sysqembtumk.exe
- 3080  Sysqemhfgpv.exe
- 2248  Sysqemmsaxg.exe
- 4416  Sysqemwrmuz.exe
- 1508  Sysqemclyxb.exe
- 2300  Sysqemhjdfp.exe
- 4412  Sysqemredpx.exe
- 4044  Sysqemwrpxq.exe
- 4296  Sysqembafsg.exe
- 1460  Sysqemjtesv.exe
- 4056  Sysqemrisoz.exe
- 4664  Sysqemeatiw.exe
- 2344  Sysqemgrlgo.exe
- 2604  Sysqemlttbw.exe
- 1104  Sysqemoziem.exe
- 4960  Sysqemyvawb.exe
- 4388  Sysqemjuntm.exe
- 4408  Sysqemtmczr.exe
- 3100  Sysqemeeswv.exe
- 2488  Sysqemoalpl.exe
- 3968  Sysqemycizy.exe
- 2300  Sysqemhokzh.exe
- 3976  Sysqemolvxl.exe
- 3280  Sysqemghvqh.exe
- 4884  Sysqemoivvh.exe
- 4936  Sysqemoaegb.exe
- 2600  Sysqemoaftn.exe
- 4640  Sysqembcmok.exe
- 2004  Sysqemlnleq.exe
- 4932  Sysqemexzjk.exe
- 5088  Sysqemiowwg.exe
- 1284  Sysqemgtdrr.exe
- 852   Sysqemqhfus.exe
- 2320  Sysqemjauam.exe
- 2832  Sysqemlcsqs.exe
- 2964  Sysqemtdsvl.exe
- 1216  Sysqemyfbjv.exe
- 3988  Sysqemoyhjq.exe
- 4688  Sysqemaezry.exe
- 2264  Sysqemgnjra.exe
- 4604  Sysqemladff.exe
- 3244  Sysqemlpcpi.exe
- 2600  Sysqemttnil.exe
- 808   Sysqemworyr.exe
- 2832  Sysqemvsfja.exe
- 2988  Sysqemafhwe.exe
- 3088  Sysqemlemzb.exe
- 4132  Sysqemdxbfu.exe
- 3412  Sysqemizqaz.exe
- 2412  Sysqemqhffx.exe
- 3132  Sysqemvuzsc.exe
- 1988  Sysqemtrhyo.exe
- 4108  Sysqemfxago.exe
- 4536  Sysqemnmwmu.exe
- 964   Sysqemvutrs.exe
- 1188  Sysqemqijhm.exe
- 2740  Sysqemymuap.exe
- 1668  Sysqemdcsax.exe
- 3640  Sysqemvcdyw.exe
- 2412  Sysqemqejaf.exe
- 3128  Sysqemfjsod.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 64 IoCs
description: Key created (same for all 64 IoCs)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Process:
- Sysqemladff.exe
- Sysqemanbgq.exe
- Sysqemnrkyv.exe
- Sysqemzrene.exe
- Sysqemhjdfp.exe
- Sysqemtrhyo.exe
- Sysqemnzhtw.exe
- Sysqemyomlg.exe
- Sysqembmxup.exe
- Sysqemyvawb.exe
- Sysqemdcsax.exe
- Sysqemqgedb.exe
- Sysqemdxbfu.exe
- Sysqemjfloz.exe
- Sysqemoopyi.exe
- Sysqemqkmkm.exe
- Sysqemjditd.exe
- Sysqemdrkan.exe
- Sysqemltpiu.exe
- Sysqemcnwwa.exe
- Sysqemikneo.exe
- Sysqemiziqg.exe
- Sysqemrdrfj.exe
- Sysqemzkrwj.exe
- Sysqemdxeli.exe
- Sysqemtmczr.exe
- Sysqemqlyae.exe
- Sysqemxatga.exe
- Sysqemgihon.exe
- Sysqemexzjk.exe
- Sysqemqixrh.exe
- Sysqemozztq.exe
- Sysqemibnmf.exe
- Sysqemtdsvl.exe
- Sysqemafhwe.exe
- Sysqemnhgln.exe
- Sysqemeiwwq.exe
- Sysqemredpx.exe
- Sysqemjhkar.exe
- Sysqemhfgpv.exe
- Sysqemoziem.exe
- Sysqemghvqh.exe
- Sysqemfdxon.exe
- Sysqemlxrum.exe
- Sysqemmsaxg.exe
- Sysqembcmok.exe
- Sysqemlpcpi.exe
- Sysqemnubhw.exe
- Sysqemkodpi.exe
- Sysqemzhwkx.exe
- Sysqemdmbfj.exe
- a2ab172f447cc8a6c48d7ae951964120_NeikiAnalytics.exe
- Sysqemlemzb.exe
- Sysqemrlclf.exe
- Sysqemjeldi.exe
- Sysqemziafn.exe
- Sysqemeatiw.exe
- Sysqemttnil.exe
- Sysqemworyr.exe
- Sysqemhqlrd.exe
- Sysqemmdfmi.exe
- Sysqemaezry.exe
- Sysqemhvlyq.exe
- Sysqemepejg.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
Each row below is recorded three times in the report (three writes per parent/child pair), except the last, which is recorded once; 21 x 3 + 1 = 64 IoCs.
- PID 1220 wrote to memory of 1384 | 1220 | a2ab172f447cc8a6c48d7ae951964120_NeikiAnalytics.exe | 83
- PID 1384 wrote to memory of 1848 | 1384 | Sysqemjeldi.exe | 84
- PID 1848 wrote to memory of 2024 | 1848 | Sysqemcpzjc.exe | 85
- PID 2024 wrote to memory of 1520 | 2024 | Sysqemwjeru.exe | 88
- PID 1520 wrote to memory of 3080 | 1520 | Sysqembtumk.exe | 90
- PID 3080 wrote to memory of 2248 | 3080 | Sysqemhfgpv.exe | 91
- PID 2248 wrote to memory of 4416 | 2248 | Sysqemmsaxg.exe | 92
- PID 4416 wrote to memory of 1508 | 4416 | Sysqemwrmuz.exe | 95
- PID 1508 wrote to memory of 2300 | 1508 | Sysqemclyxb.exe | 118
- PID 2300 wrote to memory of 4412 | 2300 | Sysqemhjdfp.exe | 97
- PID 4412 wrote to memory of 4044 | 4412 | Sysqemredpx.exe | 98
- PID 4044 wrote to memory of 4296 | 4044 | Sysqemwrpxq.exe | 101
- PID 4296 wrote to memory of 1460 | 4296 | Sysqembafsg.exe | 102
- PID 1460 wrote to memory of 4056 | 1460 | Sysqemjtesv.exe | 103
- PID 4056 wrote to memory of 4664 | 4056 | Sysqemrisoz.exe | 104
- PID 4664 wrote to memory of 2344 | 4664 | Sysqemeatiw.exe | 106
- PID 2344 wrote to memory of 2604 | 2344 | Sysqemgrlgo.exe | 108
- PID 2604 wrote to memory of 1104 | 2604 | Sysqemlttbw.exe | 109
- PID 1104 wrote to memory of 4960 | 1104 | Sysqemoziem.exe | 110
- PID 4960 wrote to memory of 4388 | 4960 | Sysqemyvawb.exe | 111
- PID 4388 wrote to memory of 4408 | 4388 | Sysqemjuntm.exe | 114
- PID 4408 wrote to memory of 3100 | 4408 | Sysqemtmczr.exe | 115 (recorded once)
Processes
The number on each entry is the process's depth in the tree as given in the report.

1. C:\Users\Admin\AppData\Local\Temp\a2ab172f447cc8a6c48d7ae951964120_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a2ab172f447cc8a6c48d7ae951964120_NeikiAnalytics.exe"
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1220

2. C:\Users\Admin\AppData\Local\Temp\Sysqemjeldi.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemjeldi.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1384

3. C:\Users\Admin\AppData\Local\Temp\Sysqemcpzjc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemcpzjc.exe"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1848

4. C:\Users\Admin\AppData\Local\Temp\Sysqemwjeru.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemwjeru.exe"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2024

5. C:\Users\Admin\AppData\Local\Temp\Sysqembtumk.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqembtumk.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1520

6. C:\Users\Admin\AppData\Local\Temp\Sysqemhfgpv.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemhfgpv.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3080

7. C:\Users\Admin\AppData\Local\Temp\Sysqemmsaxg.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemmsaxg.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2248

8. C:\Users\Admin\AppData\Local\Temp\Sysqemwrmuz.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemwrmuz.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4416

9. C:\Users\Admin\AppData\Local\Temp\Sysqemclyxb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemclyxb.exe"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1508

10. C:\Users\Admin\AppData\Local\Temp\Sysqemhjdfp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemhjdfp.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2300

11. C:\Users\Admin\AppData\Local\Temp\Sysqemredpx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemredpx.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4412

12. C:\Users\Admin\AppData\Local\Temp\Sysqemwrpxq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemwrpxq.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4044

13. C:\Users\Admin\AppData\Local\Temp\Sysqembafsg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqembafsg.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4296

14. C:\Users\Admin\AppData\Local\Temp\Sysqemjtesv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemjtesv.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1460

15. C:\Users\Admin\AppData\Local\Temp\Sysqemrisoz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemrisoz.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4056

16. C:\Users\Admin\AppData\Local\Temp\Sysqemeatiw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemeatiw.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4664

17. C:\Users\Admin\AppData\Local\Temp\Sysqemgrlgo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemgrlgo.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2344

18. C:\Users\Admin\AppData\Local\Temp\Sysqemlttbw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemlttbw.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2604

19. C:\Users\Admin\AppData\Local\Temp\Sysqemoziem.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoziem.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1104

20. C:\Users\Admin\AppData\Local\Temp\Sysqemyvawb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemyvawb.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4960

21. C:\Users\Admin\AppData\Local\Temp\Sysqemjuntm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemjuntm.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4388

22. C:\Users\Admin\AppData\Local\Temp\Sysqemtmczr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemtmczr.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4408

23. C:\Users\Admin\AppData\Local\Temp\Sysqemeeswv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemeeswv.exe"
    - Executes dropped EXE
    PID: 3100

24. C:\Users\Admin\AppData\Local\Temp\Sysqemoalpl.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoalpl.exe"
    - Executes dropped EXE
    PID: 2488

25. C:\Users\Admin\AppData\Local\Temp\Sysqemycizy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemycizy.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 3968

26. C:\Users\Admin\AppData\Local\Temp\Sysqemhokzh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemhokzh.exe"
    - Executes dropped EXE
    PID: 2300

27. C:\Users\Admin\AppData\Local\Temp\Sysqemolvxl.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemolvxl.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 3976

28. C:\Users\Admin\AppData\Local\Temp\Sysqemghvqh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemghvqh.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 3280

29. C:\Users\Admin\AppData\Local\Temp\Sysqemoivvh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoivvh.exe"
    - Executes dropped EXE
    PID: 4884

30. C:\Users\Admin\AppData\Local\Temp\Sysqemoaegb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoaegb.exe"
    - Executes dropped EXE
    PID: 4936

31. C:\Users\Admin\AppData\Local\Temp\Sysqemoaftn.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoaftn.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 2600

32. C:\Users\Admin\AppData\Local\Temp\Sysqembcmok.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqembcmok.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 4640

33. C:\Users\Admin\AppData\Local\Temp\Sysqemlnleq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemlnleq.exe"
    - Executes dropped EXE
    PID: 2004

34. C:\Users\Admin\AppData\Local\Temp\Sysqemexzjk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemexzjk.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 4932

35. C:\Users\Admin\AppData\Local\Temp\Sysqemiowwg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemiowwg.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 5088

36. C:\Users\Admin\AppData\Local\Temp\Sysqemgtdrr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemgtdrr.exe"
    - Executes dropped EXE
    PID: 1284

37. C:\Users\Admin\AppData\Local\Temp\Sysqemqhfus.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemqhfus.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 852

38. C:\Users\Admin\AppData\Local\Temp\Sysqemjauam.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemjauam.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 2320

39. C:\Users\Admin\AppData\Local\Temp\Sysqemlcsqs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemlcsqs.exe"
    - Executes dropped EXE
    PID: 2832

40. C:\Users\Admin\AppData\Local\Temp\Sysqemtdsvl.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemtdsvl.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 2964

41. C:\Users\Admin\AppData\Local\Temp\Sysqemyfbjv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemyfbjv.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 1216

42. C:\Users\Admin\AppData\Local\Temp\Sysqemoyhjq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemoyhjq.exe"
    - Executes dropped EXE
    PID: 3988

43. C:\Users\Admin\AppData\Local\Temp\Sysqemaezry.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemaezry.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 4688

44. C:\Users\Admin\AppData\Local\Temp\Sysqemgnjra.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemgnjra.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 2264

45. C:\Users\Admin\AppData\Local\Temp\Sysqemladff.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemladff.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 4604

46. C:\Users\Admin\AppData\Local\Temp\Sysqemlpcpi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemlpcpi.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 3244

47. C:\Users\Admin\AppData\Local\Temp\Sysqemttnil.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemttnil.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 2600

48. C:\Users\Admin\AppData\Local\Temp\Sysqemworyr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemworyr.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 808

49. C:\Users\Admin\AppData\Local\Temp\Sysqemvsfja.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemvsfja.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 2832

50. C:\Users\Admin\AppData\Local\Temp\Sysqemafhwe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemafhwe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 2988

51. C:\Users\Admin\AppData\Local\Temp\Sysqemlemzb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemlemzb.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 3088

52. C:\Users\Admin\AppData\Local\Temp\Sysqemdxbfu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemdxbfu.exe"
    - Executes dropped EXE
    - Modifies registry class
    PID: 4132

53. C:\Users\Admin\AppData\Local\Temp\Sysqemizqaz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemizqaz.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 3412

54. C:\Users\Admin\AppData\Local\Temp\Sysqemqhffx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemqhffx.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 2412

55. C:\Users\Admin\AppData\Local\Temp\Sysqemvuzsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemvuzsc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 3132

56. C:\Users\Admin\AppData\Local\Temp\Sysqemtrhyo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemtrhyo.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 1988

57. C:\Users\Admin\AppData\Local\Temp\Sysqemfxago.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemfxago.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 4108

58. C:\Users\Admin\AppData\Local\Temp\Sysqemnmwmu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysqemnmwmu.exe"
    - Checks computer location settings
- Executes dropped EXE
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\Sysqemvutrs.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemvutrs.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
PID:964 -
C:\Users\Admin\AppData\Local\Temp\Sysqemqijhm.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqijhm.exe"60⤵
- Executes dropped EXE
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\Sysqemymuap.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemymuap.exe"61⤵
- Executes dropped EXE
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\Sysqemdcsax.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemdcsax.exe"62⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\Sysqemvcdyw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemvcdyw.exe"63⤵
- Executes dropped EXE
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\Sysqemqejaf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqejaf.exe"64⤵
- Executes dropped EXE
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfjsod.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfjsod.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\Sysqemqixrh.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqixrh.exe"66⤵
- Checks computer location settings
- Modifies registry class
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfrrji.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfrrji.exe"67⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\Sysqemfyoog.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfyoog.exe"68⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\Sysqemddnky.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemddnky.exe"69⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\Sysqemdexhe.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemdexhe.exe"70⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\Sysqemqgedb.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqgedb.exe"71⤵
- Modifies registry class
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\Sysqemiuenx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemiuenx.exe"72⤵
- Checks computer location settings
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\Sysqemviwvx.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemviwvx.exe"73⤵
- Checks computer location settings
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\Sysqemfdxon.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemfdxon.exe"74⤵
- Modifies registry class
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnzhtw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnzhtw.exe"75⤵
- Modifies registry class
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\Sysqemyomlg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemyomlg.exe"76⤵
- Modifies registry class
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\Sysqemikneo.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemikneo.exe"77⤵
- Modifies registry class
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\Sysqemanbgq.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemanbgq.exe"78⤵
- Modifies registry class
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\Sysqemafdev.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemafdev.exe"79⤵
- Checks computer location settings
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnehup.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnehup.exe"80⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\Sysqemsrbhu.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemsrbhu.exe"81⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\Sysqemqlyae.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemqlyae.exe"82⤵
- Checks computer location settings
- Modifies registry class
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkcadt.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkcadt.exe"83⤵PID:620
-
C:\Users\Admin\AppData\Local\Temp\Sysqemiziqg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemiziqg.exe"84⤵
- Checks computer location settings
- Modifies registry class
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\Sysqemsdxgt.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemsdxgt.exe"85⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\Sysqemcnwwa.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemcnwwa.exe"86⤵
- Checks computer location settings
- Modifies registry class
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnubhw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnubhw.exe"87⤵
- Modifies registry class
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\Sysqemslhhe.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemslhhe.exe"88⤵
- Checks computer location settings
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\Sysqemrdrfj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrdrfj.exe"89⤵
- Modifies registry class
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\Sysqemncmns.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemncmns.exe"90⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\Sysqemnrkyv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnrkyv.exe"91⤵
- Modifies registry class
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\Sysqemrlclf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrlclf.exe"92⤵
- Checks computer location settings
- Modifies registry class
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhqlrd.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhqlrd.exe"93⤵
- Checks computer location settings
- Modifies registry class
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmdfmi.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmdfmi.exe"94⤵
- Checks computer location settings
- Modifies registry class
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\Sysqemklrsp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemklrsp.exe"95⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\Sysqemziafn.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemziafn.exe"96⤵
- Modifies registry class
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhvlyq.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhvlyq.exe"97⤵
- Modifies registry class
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\Sysqemnhgln.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemnhgln.exe"98⤵
- Checks computer location settings
- Modifies registry class
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\Sysqemepejg.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemepejg.exe"99⤵
- Modifies registry class
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\Sysqemxatga.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxatga.exe"100⤵
- Modifies registry class
PID:100 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjfloz.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjfloz.exe"101⤵
- Checks computer location settings
- Modifies registry class
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjgvmf.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjgvmf.exe"102⤵
- Checks computer location settings
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\Sysqemufipj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemufipj.exe"103⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\Sysqembmxup.exe"C:\Users\Admin\AppData\Local\Temp\Sysqembmxup.exe"104⤵
- Checks computer location settings
- Modifies registry class
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\Sysqemxioyn.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemxioyn.exe"105⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\Sysqemebxwh.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemebxwh.exe"106⤵
- Checks computer location settings
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\Sysqemrhqwh.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrhqwh.exe"107⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\Sysqemwukrm.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemwukrm.exe"108⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\Sysqemhebht.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhebht.exe"109⤵
- Checks computer location settings
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmrdux.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmrdux.exe"110⤵
- Checks computer location settings
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\Sysqemkodpi.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemkodpi.exe"111⤵
- Modifies registry class
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjhkar.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjhkar.exe"112⤵
- Checks computer location settings
- Modifies registry class
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\Sysqemtsbyp.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemtsbyp.exe"113⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\Sysqemojvtn.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemojvtn.exe"114⤵
- Checks computer location settings
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\Sysqemgfulj.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemgfulj.exe"115⤵
- Checks computer location settings
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\Sysqemjmkbk.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemjmkbk.exe"116⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\Sysqemmhojq.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmhojq.exe"117⤵
- Checks computer location settings
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\Sysqemmayhw.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemmayhw.exe"118⤵
- Checks computer location settings
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\Sysqemrmsub.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemrmsub.exe"119⤵
- Checks computer location settings
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\Sysqemzrene.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemzrene.exe"120⤵
- Modifies registry class
PID:3084 -
C:\Users\Admin\AppData\Local\Temp\Sysqemzgbsv.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemzgbsv.exe"121⤵
- Checks computer location settings
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\Sysqemhvpfh.exe"C:\Users\Admin\AppData\Local\Temp\Sysqemhvpfh.exe"122⤵PID:2708