8999ee0edae430356495baac9163eca6583f679a709179c45688a8e69d319324

Analysis

max time kernel
73s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
Size

629KB
MD5

77076524991a132b4d23bb7e83a9edb0
SHA1

f8439a70ac3b851a5e67da4b91ca28ec5abc879c
SHA256

8999ee0edae430356495baac9163eca6583f679a709179c45688a8e69d319324
SHA512

a97809ef692471182abb85963b7822750015f024603520bc36fc1bb4fa7fa3a9eceb5253859594184b51817e93df91654aac55a912de56a7bd08fb7b0c79542a
SSDEEP

6144:j4sZBOZdjEYTPXMhaMP/kFTA7OA/BOZdjEYF:jnANL8oq/kFTsOxNF

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jrdom.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jxmktrq.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	bbbtesy.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bbbtesy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	jrdom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	jxmktrq.exe

Deletes itself 1 IoCs

pid	Process
3980	jxmktrq.exe

Executes dropped EXE 49 IoCs

pid	Process
3980	jxmktrq.exe
1484	bbbtesy.exe
2896	jrdom.exe
2600	bbbtesy.exe
2800	bbbtesy.exe
4160	bbbtesy.exe
3932	bbbtesy.exe
2432	bbbtesy.exe
1764	bbbtesy.exe
1576	bbbtesy.exe
2224	bbbtesy.exe
4368	bbbtesy.exe
3156	bbbtesy.exe
1796	bbbtesy.exe
2372	bbbtesy.exe
4996	bbbtesy.exe
4640	bbbtesy.exe
2072	bbbtesy.exe
1240	bbbtesy.exe
224	bbbtesy.exe
1824	bbbtesy.exe
1836	bbbtesy.exe
4420	bbbtesy.exe
4608	bbbtesy.exe
4428	bbbtesy.exe
3288	bbbtesy.exe
3136	bbbtesy.exe
3740	bbbtesy.exe
3732	bbbtesy.exe
3568	bbbtesy.exe
4160	bbbtesy.exe
1328	bbbtesy.exe
4760	bbbtesy.exe
4568	bbbtesy.exe
4060	bbbtesy.exe
1996	bbbtesy.exe
2484	bbbtesy.exe
4832	bbbtesy.exe
2224	bbbtesy.exe
2968	bbbtesy.exe
676	bbbtesy.exe
4328	bbbtesy.exe
4516	bbbtesy.exe
2708	bbbtesy.exe
3068	bbbtesy.exe
3332	bbbtesy.exe
3928	bbbtesy.exe
4388	bbbtesy.exe
4088	bbbtesy.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbbtesy = "c:\\windows\\system32\\bbbtesy.exe"	jrdom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jxmktrq = "c:\\windows\\system\\jxmktrq.exe"	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbbtesy = "c:\\windows\\system32\\bbbtesy.exe"	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jxmktrq = "c:\\windows\\system\\jxmktrq.exe"	jxmktrq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jxmktrq = "c:\\windows\\system\\jxmktrq.exe"	bbbtesy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jxmktrq = "c:\\windows\\system\\jxmktrq.exe"	jrdom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrdom = "c:\\windows\\jrdom.exe"	bbbtesy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrdom = "c:\\windows\\jrdom.exe"	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbbtesy = "c:\\windows\\system32\\bbbtesy.exe"	jxmktrq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrdom = "c:\\windows\\jrdom.exe"	jxmktrq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbbtesy = "c:\\windows\\system32\\bbbtesy.exe"	bbbtesy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrdom = "c:\\windows\\jrdom.exe"	jrdom.exe

Drops file in System32 directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xitutb.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\legh.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\rfzbkued.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xitutb.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\hllxvex.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xvraoc.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\rfzbkued.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\hkmitcnl.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\tuyxs.exe	jrdom.exe
File opened for modification	\??\c:\windows\SysWOW64\bbbtesy.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\aaxwqmj.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\hkmitcnl.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\tuyxs.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\vxos.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\rfzbkued.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\jinnnqg.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\tuyxs.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\jinnnqg.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xitutb.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\xitutb.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\cgzobkz.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\xvraoc.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\legh.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\hllxvex.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\cgzobkz.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\aaxwqmj.exe	jrdom.exe
File opened for modification	C:\windows\SysWOW64\bbbtesy.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\bbrbuekd.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\legh.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\tuyxs.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\hkmitcnl.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\legh.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\vxos.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\bbrbuekd.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\aaxwqmj.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\jinnnqg.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\hllxvex.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\rfzbkued.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\hkmitcnl.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\aaxwqmj.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\xvraoc.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\hllxvex.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\zfgkmt.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\jinnnqg.exe	jrdom.exe
File created	\??\c:\windows\SysWOW64\bbbtesy.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\bbrbuekd.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\zfgkmt.exe	jxmktrq.exe
File opened for modification	C:\Windows\SysWOW64\vxos.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\cgzobkz.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\zfgkmt.exe	jrdom.exe
File opened for modification	C:\Windows\SysWOW64\bbrbuekd.exe	bbbtesy.exe
File opened for modification	C:\Windows\SysWOW64\cgzobkz.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xvraoc.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\zfgkmt.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\vxos.exe	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\ewoebjczc	bbbtesy.exe
File opened for modification	C:\Windows\system\cpmgpjczc	bbbtesy.exe
File opened for modification	C:\Windows\phqgwezjczc	jrdom.exe
File opened for modification	C:\Windows\system\edugplbjczc	jxmktrq.exe
File opened for modification	C:\Windows\vflljczc	jrdom.exe
File opened for modification	C:\Windows\system\snxkohwtjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\wovgcbjczc	jxmktrq.exe
File opened for modification	C:\Windows\smavxfknjczc	jrdom.exe
File opened for modification	C:\Windows\utevjczc	jrdom.exe
File opened for modification	C:\Windows\system\oukvmveqjczc	bbbtesy.exe
File opened for modification	C:\Windows\hevapzjczc	jrdom.exe
File opened for modification	C:\Windows\system\llwnet.ujczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\wrdsvezmjczc	bbbtesy.exe
File opened for modification	C:\Windows\system\rxyqjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\xvqxpogjczc	bbbtesy.exe
File opened for modification	C:\Windows\ofepkjczc	jrdom.exe
File opened for modification	C:\Windows\system\xuscjczc	bbbtesy.exe
File opened for modification	C:\Windows\system\fwnprvjczc	bbbtesy.exe
File opened for modification	C:\Windows\system\lgpqiyajczc	bbbtesy.exe
File opened for modification	C:\Windows\system\hwyiirjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\oaqgmjczc	bbbtesy.exe
File opened for modification	C:\Windows\system\edcxjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\cdahefjczc	jxmktrq.exe
File opened for modification	C:\Windows\skgyucmpjczc	jrdom.exe
File opened for modification	C:\Windows\system\gffpjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\.uppgjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\nftvhjczc	bbbtesy.exe
File opened for modification	C:\Windows\zsztrlmjczc	jrdom.exe
File opened for modification	C:\Windows\system\kfysqosgjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\zlhbjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\mnnkirjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\mdpqktjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\tilboijczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\pwzkgjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\tnwijczc	jrdom.exe
File opened for modification	C:\Windows\system\bugrjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\mmbeorjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\fimrqi.jczc	jxmktrq.exe
File opened for modification	C:\Windows\system\ndaafwpnjczc	bbbtesy.exe
File opened for modification	C:\Windows\turxjczc	jrdom.exe
File opened for modification	C:\Windows\system\htgvvtr.jczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\ecuarjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\beckgjczc	jxmktrq.exe
File opened for modification	C:\Windows\.htnemdrjczc	jrdom.exe
File opened for modification	C:\Windows\system\krwdpiojczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\hasbobzjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\vohkijczc	jxmktrq.exe
File opened for modification	C:\Windows\system\rxilujczc	jxmktrq.exe
File opened for modification	C:\Windows\hgglowojczc	jrdom.exe
File opened for modification	C:\Windows\btmkjczc	jrdom.exe
File opened for modification	C:\Windows\system\esdyggqejczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\oipyyfjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\htzxpbrjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\uhtmacjczc	bbbtesy.exe
File opened for modification	C:\Windows\bpoizykbjczc	jrdom.exe
File opened for modification	C:\Windows\system\nbavgsjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\bpgrssqjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\oudiejczc	jxmktrq.exe
File opened for modification	C:\Windows\system\rukyjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\wtdtoncjczc	bbbtesy.exe
File opened for modification	C:\Windows\system\wkwouqjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\wgwfxmmyjczc	jxmktrq.exe
File opened for modification	C:\Windows\system\gevejczc	bbbtesy.exe
File opened for modification	C:\Windows\system\htfqukjczc	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bbbtesy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	jrdom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	jxmktrq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
2896	jrdom.exe
2896	jrdom.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
2896	jrdom.exe
2896	jrdom.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
2896	jrdom.exe
2896	jrdom.exe
2896	jrdom.exe
2896	jrdom.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
2896	jrdom.exe
2896	jrdom.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
2896	jrdom.exe
2896	jrdom.exe
2896	jrdom.exe
2896	jrdom.exe
1484	bbbtesy.exe
1484	bbbtesy.exe
2896	jrdom.exe
2896	jrdom.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe
3980	jxmktrq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3980	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	90
PID 4404 wrote to memory of 3980	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	90
PID 4404 wrote to memory of 3980	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	90
PID 4404 wrote to memory of 1484	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	91
PID 4404 wrote to memory of 1484	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	91
PID 4404 wrote to memory of 1484	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	91
PID 4404 wrote to memory of 2896	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	92
PID 4404 wrote to memory of 2896	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	92
PID 4404 wrote to memory of 2896	4404	77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe	92
PID 3980 wrote to memory of 2600	3980	jxmktrq.exe	95
PID 3980 wrote to memory of 2600	3980	jxmktrq.exe	95
PID 3980 wrote to memory of 2600	3980	jxmktrq.exe	95
PID 1484 wrote to memory of 2800	1484	bbbtesy.exe	98
PID 1484 wrote to memory of 2800	1484	bbbtesy.exe	98
PID 1484 wrote to memory of 2800	1484	bbbtesy.exe	98
PID 2896 wrote to memory of 4160	2896	jrdom.exe	129
PID 2896 wrote to memory of 4160	2896	jrdom.exe	129
PID 2896 wrote to memory of 4160	2896	jrdom.exe	129
PID 3980 wrote to memory of 3932	3980	jxmktrq.exe	165
PID 3980 wrote to memory of 3932	3980	jxmktrq.exe	165
PID 3980 wrote to memory of 3932	3980	jxmktrq.exe	165
PID 1484 wrote to memory of 2432	1484	bbbtesy.exe	102
PID 1484 wrote to memory of 2432	1484	bbbtesy.exe	102
PID 1484 wrote to memory of 2432	1484	bbbtesy.exe	102
PID 2896 wrote to memory of 1764	2896	jrdom.exe	103
PID 2896 wrote to memory of 1764	2896	jrdom.exe	103
PID 2896 wrote to memory of 1764	2896	jrdom.exe	103
PID 3980 wrote to memory of 1576	3980	jxmktrq.exe	104
PID 3980 wrote to memory of 1576	3980	jxmktrq.exe	104
PID 3980 wrote to memory of 1576	3980	jxmktrq.exe	104
PID 1484 wrote to memory of 2224	1484	bbbtesy.exe	137
PID 1484 wrote to memory of 2224	1484	bbbtesy.exe	137
PID 1484 wrote to memory of 2224	1484	bbbtesy.exe	137
PID 2896 wrote to memory of 4368	2896	jrdom.exe	173
PID 2896 wrote to memory of 4368	2896	jrdom.exe	173
PID 2896 wrote to memory of 4368	2896	jrdom.exe	173
PID 3980 wrote to memory of 3156	3980	jxmktrq.exe	110
PID 3980 wrote to memory of 3156	3980	jxmktrq.exe	110
PID 3980 wrote to memory of 3156	3980	jxmktrq.exe	110
PID 1484 wrote to memory of 1796	1484	bbbtesy.exe	180
PID 1484 wrote to memory of 1796	1484	bbbtesy.exe	180
PID 1484 wrote to memory of 1796	1484	bbbtesy.exe	180
PID 2896 wrote to memory of 2372	2896	jrdom.exe	112
PID 2896 wrote to memory of 2372	2896	jrdom.exe	112
PID 2896 wrote to memory of 2372	2896	jrdom.exe	112
PID 3980 wrote to memory of 4996	3980	jxmktrq.exe	181
PID 3980 wrote to memory of 4996	3980	jxmktrq.exe	181
PID 3980 wrote to memory of 4996	3980	jxmktrq.exe	181
PID 1484 wrote to memory of 4640	1484	bbbtesy.exe	114
PID 1484 wrote to memory of 4640	1484	bbbtesy.exe	114
PID 1484 wrote to memory of 4640	1484	bbbtesy.exe	114
PID 2896 wrote to memory of 2072	2896	jrdom.exe	115
PID 2896 wrote to memory of 2072	2896	jrdom.exe	115
PID 2896 wrote to memory of 2072	2896	jrdom.exe	115
PID 3980 wrote to memory of 1240	3980	jxmktrq.exe	116
PID 3980 wrote to memory of 1240	3980	jxmktrq.exe	116
PID 3980 wrote to memory of 1240	3980	jxmktrq.exe	116
PID 1484 wrote to memory of 224	1484	bbbtesy.exe	117
PID 1484 wrote to memory of 224	1484	bbbtesy.exe	117
PID 1484 wrote to memory of 224	1484	bbbtesy.exe	117
PID 2896 wrote to memory of 1824	2896	jrdom.exe	187
PID 2896 wrote to memory of 1824	2896	jrdom.exe	187
PID 2896 wrote to memory of 1824	2896	jrdom.exe	187
PID 3980 wrote to memory of 1836	3980	jxmktrq.exe	119

C:\Users\Admin\AppData\Local\Temp\77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404
- C:\windows\system\jxmktrq.exe
  "C:\windows\system\jxmktrq.exe" "C:\Users\Admin\AppData\Local\Temp\77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3932
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1576
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3156
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4996
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1240
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1836
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4428
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3740
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4160
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4568
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2484
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2968
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4516
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3332
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4088
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3252
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2164
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4100
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2376
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3684
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3932
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4760
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2248
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2804
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2104
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1796
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1536
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4376
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2356
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3856
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2288
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3776
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:3292
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:2028
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:2044
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:2168
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:4836
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:3476
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:2380
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:3400
- C:\windows\SysWOW64\bbbtesy.exe
  "C:\windows\system32\bbbtesy.exe" "C:\Users\Admin\AppData\Local\Temp\77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2432
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2224
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4640
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4420
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3288
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3732
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4060
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4832
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4388
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4312
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3792
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4180
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4428
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3644
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4424
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4972
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4496
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1744
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4296
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1136
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4996
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2524
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3724
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1756
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3308
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3120
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1340
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe" "C:\windows\SysWOW64\bbbtesy.exe"
    3⤵
    PID:4148
- C:\windows\jrdom.exe
  "C:\windows\jrdom.exe" "C:\Users\Admin\AppData\Local\Temp\77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4160
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4368
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2372
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2072
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1824
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4608
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3136
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3568
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4760
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2224
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:4328
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    - Executes dropped EXE
    PID:3928
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4672
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4032
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:700
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1612
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3996
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2960
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3712
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3780
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4368
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:972
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4284
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2260
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3900
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:1824
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4524
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:3496
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:4100
- - C:\windows\SysWOW64\bbbtesy.exe
    "C:\windows\system32\bbbtesy.exe"
    3⤵
    PID:2688
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:1840
  - - C:\windows\SysWOW64\aaxwqmj.exe
      "C:\windows\system32\aaxwqmj.exe"
      4⤵
      PID:2248
  - - C:\windows\SysWOW64\aaxwqmj.exe
      "C:\windows\system32\aaxwqmj.exe"
      4⤵
      PID:4352
  - - C:\windows\SysWOW64\aaxwqmj.exe
      "C:\windows\system32\aaxwqmj.exe"
      4⤵
      PID:4220
  - - C:\windows\SysWOW64\aaxwqmj.exe
      "C:\windows\system32\aaxwqmj.exe"
      4⤵
      PID:2888
  - - C:\windows\SysWOW64\aaxwqmj.exe
      "C:\windows\system32\aaxwqmj.exe"
      4⤵
      PID:2936
  - - C:\windows\SysWOW64\aaxwqmj.exe
      "C:\windows\system32\aaxwqmj.exe"
      4⤵
      PID:396
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:5108
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:2772
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:1656
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:2128
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:4680
- - C:\windows\SysWOW64\aaxwqmj.exe
    "C:\windows\system32\aaxwqmj.exe"
    3⤵
    PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\77076524991a132b4d23bb7e83a9edb0_NeikiAnalytics.exejxmktrq.exe_

Filesize
824KB

MD5
df4c3258b1787546a9caa598b9fe740f

SHA1
43525098551d4d601e423ef6cbc4abb2e9053adf

SHA256
eb700b9142395565f60da84af4289b713e30f90c760e1d4f689cdcc358963fd6

SHA512
19e06487a6a7b188af9aab91d8f90bda949f133282c50edaff3afec305b6b45bb9958b31c2224ffd89c7c33edea68ca6626f62d444160b388f05a71e45109c08

Download Submit
C:\Windows\RCXDE31.tmp

Filesize
532KB

MD5
9882d65cd9bde105282f2224e7690708

SHA1
b872121bf11466ac9b70af94a1554211a36ae62c

SHA256
aea946b0337fa67749906262f79d0fa2ee286b6ef79d1ccfe5ecc1d53326c8ca

SHA512
6e140ff421117ac76ccc2351a6c023291057a237a0f99bbba5875d7d8fa424e3ca6e4d58c95db05e86a09d22abddb201e824c9cd26b03f2a2c7f1c2e95c1f7f9

Download Submit
C:\Windows\SysWOW64\bbbtesy.exe

Filesize
678KB

MD5
0098d8dc5e56a2f364c17fbca5f28eba

SHA1
e40113d68c6e92c1df885ad9adc48bcf914f4b30

SHA256
1db883911616ec79e910aed2f0cbd3e26e88cbe06490e90bbe74633ba3faaaba

SHA512
9469d528efa6a3084758b4a2add0d81995c2a4ab5b00c844f279b0e8727e342b45a7cd22b249fec2dc1fc1a4472812a0df91740e860b98929f102302fc1b2253

Download Submit
C:\Windows\jrdom.exe

Filesize
727KB

MD5
d9f045e0dca0b3fa8b5c66ffb97bd667

SHA1
0d6f4dfdb7835ccb230bbc2a1018d3a5e00a83cf

SHA256
ee1d2d723d4fcb42a690cdb7d924f252abace2007d9afd6d2e53177f589dca36

SHA512
e45e5bf9e37ac592fdf7280bf54e926f351710e7d279f127174f1922be388898a763a29e781fbf740ac612ba7bcbfad4c0a3a509e616b2435c3007d7f9129d26

Download Submit