Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 06:08

Behavioral task: behavioral1
Sample: 9ffc841ae5f592725c1a88eb97da3300_NeikiAnalytics.exe
Resource: win7-20240220-en

General
Target: 9ffc841ae5f592725c1a88eb97da3300_NeikiAnalytics.exe
Size: 463KB
MD5: 9ffc841ae5f592725c1a88eb97da3300
SHA1: a2b9b59131c99ec92d2665540ca0de92ba9ce12e
SHA256: 5f4a0fac7c0ddc8aadc485422c4e1d641b7e3044e078e12be781884c193ea5d7
SHA512: 8c6b405565ea252729b9f133712d66429cf93dfd1f57a763821add3664f13c7bd016f3d244c83d6e703d15f3da80c68d6064752ea69732568e737495a7763bd4
SSDEEP: 12288:J4wFHoSTeR0oQRkay+eFp3IDvSbh5nPVP+OKaf1Vx:VeR0oykayRFp3lztP+OKaf1Vx
Malware Config
Signatures
Detect Blackmoon payload 39 IoCs
Every match is a 0x3A000-byte region, either at the 32-bit image base 0x400000 or an off-image copy of the same size (0x220000, 0x320000, 0x5D0000). The same regions are hit by the Berbew and upx rules below, so read this as overlapping rule hits on one payload rather than a second, distinct payload.
Processes:
resource  yara_rule
behavioral1/memory/3012-19-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1244-17-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2780-55-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1796-101-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2632-111-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2276-212-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2892-301-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2448-547-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2304-587-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2208-586-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2588-862-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1660-755-0x0000000000220000-0x000000000025A000-memory.dmp  family_blackmoon
behavioral1/memory/1284-736-0x0000000000320000-0x000000000035A000-memory.dmp  family_blackmoon
behavioral1/memory/2864-649-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2208-585-0x0000000000250000-0x000000000028A000-memory.dmp  family_blackmoon
behavioral1/memory/1340-540-0x00000000005D0000-0x000000000060A000-memory.dmp  family_blackmoon
behavioral1/memory/268-507-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1656-499-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2472-354-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2720-328-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2300-314-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2188-307-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2400-285-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2904-270-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1624-258-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1328-249-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2276-210-0x0000000000220000-0x000000000025A000-memory.dmp  family_blackmoon
behavioral1/memory/1648-174-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/376-141-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1936-131-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1772-129-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2768-120-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2168-85-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2440-78-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2612-74-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2744-64-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2712-44-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/2556-35-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
behavioral1/memory/1248-7-0x0000000000400000-0x000000000043A000-memory.dmp  family_blackmoon
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource  yara_rule
behavioral1/memory/1248-0-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
C:\bhhnbb.exe  family_berbew
\??\c:\ppvdj.exe  family_berbew
behavioral1/memory/3012-19-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/1244-17-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
\??\c:\lrrlxfx.exe  family_berbew
C:\nnhtnt.exe  family_berbew
\??\c:\pjdvp.exe  family_berbew
behavioral1/memory/2744-56-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2780-55-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
\??\c:\fxfrrfx.exe  family_berbew
\??\c:\xlflxrl.exe  family_berbew
C:\vjdjj.exe  family_berbew
C:\9rlxlrl.exe  family_berbew
C:\btntnb.exe  family_berbew
behavioral1/memory/1796-101-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2632-111-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
\??\c:\5jjpv.exe  family_berbew
\??\c:\9frxlxr.exe  family_berbew
C:\bbtbbh.exe  family_berbew
\??\c:\jvpdj.exe  family_berbew
C:\hhttnt.exe  family_berbew
C:\5httnt.exe  family_berbew
C:\1btbnn.exe  family_berbew
C:\1nhnbh.exe  family_berbew
behavioral1/memory/2276-212-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
\??\c:\xrlrffl.exe  family_berbew
\??\c:\thhhhh.exe  family_berbew
C:\vpjpv.exe  family_berbew
behavioral1/memory/1388-239-0x00000000001B0000-0x00000000001EA000-memory.dmp  family_berbew
behavioral1/memory/1328-241-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
\??\c:\dvjjp.exe  family_berbew
\??\c:\9rllxff.exe  family_berbew
\??\c:\vjdjv.exe  family_berbew
C:\rlxflfl.exe  family_berbew
behavioral1/memory/2892-301-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2496-355-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2448-547-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2304-587-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2208-586-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2344-921-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2440-908-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2472-895-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/3040-876-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2588-862-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/1732-807-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/1560-788-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2752-756-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/1660-755-0x0000000000220000-0x000000000025A000-memory.dmp  family_berbew
behavioral1/memory/1284-736-0x0000000000320000-0x000000000035A000-memory.dmp  family_berbew
behavioral1/memory/2864-649-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/1340-540-0x00000000005D0000-0x000000000060A000-memory.dmp  family_berbew
behavioral1/memory/268-507-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/1656-499-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2292-467-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2776-398-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2472-354-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2472-347-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2720-328-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2576-321-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2300-314-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
behavioral1/memory/2188-307-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
\??\c:\rrfffrx.exe  family_berbew
behavioral1/memory/2400-285-0x0000000000400000-0x000000000043A000-memory.dmp  family_berbew
Executes dropped EXE 64 IoCs
Processes:
pid  process
1244  bhhnbb.exe
3012  ppvdj.exe
2556  lrrlxfx.exe
2712  nnhtnt.exe
2780  pjdvp.exe
2744  fxfrrfx.exe
2612  xlflxrl.exe
2440  tnbtbt.exe
2168  vjdjj.exe
1796  9rlxlrl.exe
2632  btntnb.exe
2768  5jjpv.exe
1772  9frxlxr.exe
1936  bthbhb.exe
376  bbtbbh.exe
1808  jvpdj.exe
2432  frxrrfl.exe
1648  hhttnt.exe
1528  5httnt.exe
2160  jvpdj.exe
2264  xfxlxrx.exe
632  1btbnn.exe
2276  1nhnbh.exe
992  1pvdd.exe
1656  xrlrffl.exe
1388  thhhhh.exe
1328  vpjpv.exe
1624  dvjjp.exe
708  9rllxff.exe
2904  bthhnn.exe
2400  vjdjv.exe
2960  rrfffrx.exe
2892  rlxflfl.exe
2188  3tbnht.exe
1620  1vdvp.exe
2300  9vddv.exe
2576  frlllfl.exe
2720  hthhhh.exe
3004  pjvvv.exe
2608  fxllrxx.exe
2472  1xlxffl.exe
2496  7thnhb.exe
2500  9dpvd.exe
2536  frllrrx.exe
2948  rlxflrf.exe
2788  nntbhb.exe
2680  1jvvj.exe
2636  1xrxfff.exe
2776  xrllrrl.exe
2012  hbbhtb.exe
1332  vpddj.exe
1672  3pdpd.exe
2408  lxrrxfr.exe
1808  hbntbh.exe
1632  nhbhhn.exe
2096  jjjvj.exe
2676  1vvpd.exe
2756  lflxffr.exe
2688  tnhnbb.exe
2292  9hnbbh.exe
684  jdvjp.exe
2276  9djdj.exe
2652  7fflflr.exe
1656  hhbnhn.exe
UPX packed file (yara rule upx) 64 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1248-0-0x0000000000400000-0x000000000043A000-memory.dmp  upx
C:\bhhnbb.exe  upx
\??\c:\ppvdj.exe  upx
behavioral1/memory/3012-19-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/1244-17-0x0000000000400000-0x000000000043A000-memory.dmp  upx
\??\c:\lrrlxfx.exe  upx
C:\nnhtnt.exe  upx
\??\c:\pjdvp.exe  upx
behavioral1/memory/2744-56-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2780-55-0x0000000000400000-0x000000000043A000-memory.dmp  upx
\??\c:\fxfrrfx.exe  upx
\??\c:\xlflxrl.exe  upx
C:\vjdjj.exe  upx
C:\9rlxlrl.exe  upx
C:\btntnb.exe  upx
behavioral1/memory/1796-101-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2632-111-0x0000000000400000-0x000000000043A000-memory.dmp  upx
\??\c:\5jjpv.exe  upx
\??\c:\9frxlxr.exe  upx
C:\bbtbbh.exe  upx
\??\c:\jvpdj.exe  upx
C:\hhttnt.exe  upx
C:\5httnt.exe  upx
C:\1btbnn.exe  upx
C:\1nhnbh.exe  upx
behavioral1/memory/2276-212-0x0000000000400000-0x000000000043A000-memory.dmp  upx
\??\c:\xrlrffl.exe  upx
\??\c:\thhhhh.exe  upx
C:\vpjpv.exe  upx
behavioral1/memory/1328-241-0x0000000000400000-0x000000000043A000-memory.dmp  upx
\??\c:\dvjjp.exe  upx
\??\c:\9rllxff.exe  upx
\??\c:\vjdjv.exe  upx
C:\rlxflfl.exe  upx
behavioral1/memory/2892-301-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2496-355-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2448-547-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2304-587-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2208-586-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2344-921-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2440-908-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2472-895-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/3040-876-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2588-862-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/1732-807-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/1560-788-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2752-756-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/1284-735-0x0000000000320000-0x000000000035A000-memory.dmp  upx
behavioral1/memory/2864-649-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/268-507-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/1656-499-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2292-467-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2776-398-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2472-354-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2472-347-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2720-328-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2576-321-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2300-314-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2188-307-0x0000000000400000-0x000000000043A000-memory.dmp  upx
\??\c:\rrfffrx.exe  upx
behavioral1/memory/2400-285-0x0000000000400000-0x000000000043A000-memory.dmp  upx
behavioral1/memory/2904-270-0x0000000000400000-0x000000000043A000-memory.dmp  upx
\??\c:\bthhnn.exe  upx
behavioral1/memory/1624-258-0x0000000000400000-0x000000000043A000-memory.dmp  upx
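The three yara tables above (family_blackmoon, family_berbew, upx) name each matched region the same way: task, PID, a per-process sequence number, and the start and end address of the dumped region. The following Python is an added example, not Triage's code and not part of the original report: it parses those resource names, cross-references the tables to show which regions every rule fired on, and pulls out the off-image copies (regions not at the 0x400000 image base), which are the first place to look for the unpacked payload when the on-disk file is UPX-packed. The field layout is inferred from the names on this page; the sample rows are a handful copied from the tables.

```python
import re
from collections import defaultdict

# Triage names a matched memory region as
#   <task>/memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp
# e.g. behavioral1/memory/3012-19-0x0000000000400000-0x000000000043A000-memory.dmp
# (field meaning assumed from the names on the page)
MEMORY_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

IMAGE_BASE = 0x400000  # default image base of a 32-bit PE; every on-image hit here sits there


def parse_memory_resource(name):
    """Return (task, pid, seq, base, end) for a memory-dump resource, or None for a file path."""
    m = MEMORY_RE.match(name.strip())
    if m is None:
        return None
    base, end = int(m["base"], 16), int(m["end"], 16)
    if end <= base:
        raise ValueError(f"inverted or empty region in {name!r}")
    return m["task"], int(m["pid"]), int(m["seq"]), base, end


def region_size(name):
    """Size in bytes of a memory-dump resource, or None for a non-memory resource."""
    parsed = parse_memory_resource(name)
    return None if parsed is None else parsed[4] - parsed[3]


def parse_yara_table(text):
    """Split the flattened 'resource yara_rule <res> <rule> <res> <rule> ...' text into pairs."""
    tokens = text.split()
    if tokens[:2] == ["resource", "yara_rule"]:
        tokens = tokens[2:]
    if len(tokens) % 2:
        raise ValueError("odd token count: expected resource/rule pairs")
    return list(zip(tokens[0::2], tokens[1::2]))


def rules_by_resource(*tables):
    """Map every resource (memory region or dropped file) to the set of rules that hit it."""
    hits = defaultdict(set)
    for table in tables:
        for resource, rule in table:
            hits[resource].add(rule)
    return dict(hits)


def resources_matching_all(hits, rules):
    """Resources on which every rule in `rules` fired: overlapping rules, not separate payloads."""
    wanted = set(rules)
    return sorted(r for r, got in hits.items() if wanted <= got)


def off_image_regions(hits):
    """(pid, base, size) for matched regions that are not at the PE image base, i.e. a second
    in-memory copy of the payload (heap or a fresh mapping) worth dumping before the file."""
    out = []
    for resource in hits:
        parsed = parse_memory_resource(resource)
        if parsed and parsed[3] != IMAGE_BASE:
            out.append((parsed[1], parsed[3], parsed[4] - parsed[3]))
    return sorted(out)


# Constructed sample: a few rows copied from the three signature tables in this report.
BLACKMOON = parse_yara_table("""resource yara_rule
behavioral1/memory/3012-19-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon
behavioral1/memory/2276-210-0x0000000000220000-0x000000000025A000-memory.dmp family_blackmoon
behavioral1/memory/1248-7-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon""")
BERBEW = parse_yara_table("""resource yara_rule
behavioral1/memory/1248-0-0x0000000000400000-0x000000000043A000-memory.dmp family_berbew
C:\\bhhnbb.exe family_berbew
behavioral1/memory/3012-19-0x0000000000400000-0x000000000043A000-memory.dmp family_berbew
behavioral1/memory/1388-239-0x00000000001B0000-0x00000000001EA000-memory.dmp family_berbew""")
UPX = parse_yara_table("""resource yara_rule
behavioral1/memory/1248-0-0x0000000000400000-0x000000000043A000-memory.dmp upx
C:\\bhhnbb.exe upx
behavioral1/memory/3012-19-0x0000000000400000-0x000000000043A000-memory.dmp upx""")

HITS = rules_by_resource(BLACKMOON, BERBEW, UPX)

if __name__ == "__main__":
    for res in resources_matching_all(HITS, ["family_blackmoon", "family_berbew", "upx"]):
        print("all three rules:", res)
    for pid, base, size in off_image_regions(HITS):
        print(f"pid {pid}: payload copy at 0x{base:X} ({size:#x} bytes)")
```

Run against the full tables, the off-image list is what tells you the sample copies its 0x3A000-byte image somewhere other than 0x400000 in several children; those dumps are the ones to unpack and diff against the dropped files.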
Suspicious use of WriteProcessMemory 64 IoCs
The 64 rows are 16 distinct parent/child pairs, each recorded four times; the duplicates are collapsed here. Each pair is one link of the chain in the process tree below: a process writes into the child it has just created, and that child then drops and starts the next one. Note the 3012 -> 2556 row names the target xrflxrl.exe, while the tree shows PID 2556 as lrrlxfx.exe at depth 4 and xrflxrl.exe only at depth 124; the PID was reused later in the run and the report resolved it to the later process. Treat the tree's depth-ordered names as authoritative and do not key on PID alone.
Processes:
description  pid  process  target process
PID 1248 wrote to memory of 1244  1248  9ffc841ae5f592725c1a88eb97da3300_NeikiAnalytics.exe  bhhnbb.exe
PID 1244 wrote to memory of 3012  1244  bhhnbb.exe  ppvdj.exe
PID 3012 wrote to memory of 2556  3012  ppvdj.exe  xrflxrl.exe
PID 2556 wrote to memory of 2712  2556  lrrlxfx.exe  nnhtnt.exe
PID 2712 wrote to memory of 2780  2712  nnhtnt.exe  pjdvp.exe
PID 2780 wrote to memory of 2744  2780  pjdvp.exe  fxfrrfx.exe
PID 2744 wrote to memory of 2612  2744  fxfrrfx.exe  xlflxrl.exe
PID 2612 wrote to memory of 2440  2612  xlflxrl.exe  tnbtbt.exe
PID 2440 wrote to memory of 2168  2440  tnbtbt.exe  vjdjj.exe
PID 2168 wrote to memory of 1796  2168  vjdjj.exe  9rlxlrl.exe
PID 1796 wrote to memory of 2632  1796  9rlxlrl.exe  btntnb.exe
PID 2632 wrote to memory of 2768  2632  btntnb.exe  5jjpv.exe
PID 2768 wrote to memory of 1772  2768  5jjpv.exe  9frxlxr.exe
PID 1772 wrote to memory of 1936  1772  9frxlxr.exe  bthbhb.exe
PID 1936 wrote to memory of 376  1936  bthbhb.exe  bbtbbh.exe
PID 376 wrote to memory of 1808  376  bbtbbh.exe  jvpdj.exe
Processes
Each row is one process in the tree: nesting depth, PID, image path, command line, and the signatures that fired on it. From depth 2 onward every process is an EXE dropped at the root of c:\ that starts the next one, 242 links deep within the 150 s run. PIDs are reused across the run (1248 reappears at depth 209, 2556 at depths 4 and 124, 1808 at depths 17, 55, 144 and 238), so a PID identifies a process only together with its depth.

depth  PID  image  command line  signatures
1  1248  C:\Users\Admin\AppData\Local\Temp\9ffc841ae5f592725c1a88eb97da3300_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\9ffc841ae5f592725c1a88eb97da3300_NeikiAnalytics.exe"  [Suspicious use of WriteProcessMemory]
2  1244  \??\c:\bhhnbb.exe  c:\bhhnbb.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3  3012  \??\c:\ppvdj.exe  c:\ppvdj.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4  2556  \??\c:\lrrlxfx.exe  c:\lrrlxfx.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5  2712  \??\c:\nnhtnt.exe  c:\nnhtnt.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6  2780  \??\c:\pjdvp.exe  c:\pjdvp.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7  2744  \??\c:\fxfrrfx.exe  c:\fxfrrfx.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8  2612  \??\c:\xlflxrl.exe  c:\xlflxrl.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9  2440  \??\c:\tnbtbt.exe  c:\tnbtbt.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10  2168  \??\c:\vjdjj.exe  c:\vjdjj.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11  1796  \??\c:\9rlxlrl.exe  c:\9rlxlrl.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12  2632  \??\c:\btntnb.exe  c:\btntnb.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13  2768  \??\c:\5jjpv.exe  c:\5jjpv.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14  1772  \??\c:\9frxlxr.exe  c:\9frxlxr.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15  1936  \??\c:\bthbhb.exe  c:\bthbhb.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16  376  \??\c:\bbtbbh.exe  c:\bbtbbh.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17  1808  \??\c:\jvpdj.exe  c:\jvpdj.exe  [Executes dropped EXE]
18  2432  \??\c:\frxrrfl.exe  c:\frxrrfl.exe  [Executes dropped EXE]
19  1648  \??\c:\hhttnt.exe  c:\hhttnt.exe  [Executes dropped EXE]
20  1528  \??\c:\5httnt.exe  c:\5httnt.exe  [Executes dropped EXE]
21  2160  \??\c:\jvpdj.exe  c:\jvpdj.exe  [Executes dropped EXE]
22  2264  \??\c:\xfxlxrx.exe  c:\xfxlxrx.exe  [Executes dropped EXE]
23  632  \??\c:\1btbnn.exe  c:\1btbnn.exe  [Executes dropped EXE]
24  2276  \??\c:\1nhnbh.exe  c:\1nhnbh.exe  [Executes dropped EXE]
25  992  \??\c:\1pvdd.exe  c:\1pvdd.exe  [Executes dropped EXE]
26  1656  \??\c:\xrlrffl.exe  c:\xrlrffl.exe  [Executes dropped EXE]
27  1388  \??\c:\thhhhh.exe  c:\thhhhh.exe  [Executes dropped EXE]
28  1328  \??\c:\vpjpv.exe  c:\vpjpv.exe  [Executes dropped EXE]
29  1624  \??\c:\dvjjp.exe  c:\dvjjp.exe  [Executes dropped EXE]
30  708  \??\c:\9rllxff.exe  c:\9rllxff.exe  [Executes dropped EXE]
31  2904  \??\c:\bthhnn.exe  c:\bthhnn.exe  [Executes dropped EXE]
32  2400  \??\c:\vjdjv.exe  c:\vjdjv.exe  [Executes dropped EXE]
33  2960  \??\c:\rrfffrx.exe  c:\rrfffrx.exe  [Executes dropped EXE]
34  2892  \??\c:\rlxflfl.exe  c:\rlxflfl.exe  [Executes dropped EXE]
35  2188  \??\c:\3tbnht.exe  c:\3tbnht.exe  [Executes dropped EXE]
36  1620  \??\c:\1vdvp.exe  c:\1vdvp.exe  [Executes dropped EXE]
37  2300  \??\c:\9vddv.exe  c:\9vddv.exe  [Executes dropped EXE]
38  2576  \??\c:\frlllfl.exe  c:\frlllfl.exe  [Executes dropped EXE]
39  2720  \??\c:\hthhhh.exe  c:\hthhhh.exe  [Executes dropped EXE]
40  3004  \??\c:\pjvvv.exe  c:\pjvvv.exe  [Executes dropped EXE]
41  2608  \??\c:\fxllrxx.exe  c:\fxllrxx.exe  [Executes dropped EXE]
42  2472  \??\c:\1xlxffl.exe  c:\1xlxffl.exe  [Executes dropped EXE]
43  2496  \??\c:\7thnhb.exe  c:\7thnhb.exe  [Executes dropped EXE]
44  2500  \??\c:\9dpvd.exe  c:\9dpvd.exe  [Executes dropped EXE]
45  2536  \??\c:\frllrrx.exe  c:\frllrrx.exe  [Executes dropped EXE]
46  2948  \??\c:\rlxflrf.exe  c:\rlxflrf.exe  [Executes dropped EXE]
47  2788  \??\c:\nntbhb.exe  c:\nntbhb.exe  [Executes dropped EXE]
48  2680  \??\c:\1jvvj.exe  c:\1jvvj.exe  [Executes dropped EXE]
49  2636  \??\c:\1xrxfff.exe  c:\1xrxfff.exe  [Executes dropped EXE]
50  2776  \??\c:\xrllrrl.exe  c:\xrllrrl.exe  [Executes dropped EXE]
51  2012  \??\c:\hbbhtb.exe  c:\hbbhtb.exe  [Executes dropped EXE]
52  1332  \??\c:\vpddj.exe  c:\vpddj.exe  [Executes dropped EXE]
53  1672  \??\c:\3pdpd.exe  c:\3pdpd.exe  [Executes dropped EXE]
54  2408  \??\c:\lxrrxfr.exe  c:\lxrrxfr.exe  [Executes dropped EXE]
55  1808  \??\c:\hbntbh.exe  c:\hbntbh.exe  [Executes dropped EXE]
56  1632  \??\c:\nhbhhn.exe  c:\nhbhhn.exe  [Executes dropped EXE]
57  2096  \??\c:\jjjvj.exe  c:\jjjvj.exe  [Executes dropped EXE]
58  2676  \??\c:\1vvpd.exe  c:\1vvpd.exe  [Executes dropped EXE]
59  2756  \??\c:\lflxffr.exe  c:\lflxffr.exe  [Executes dropped EXE]
60  2688  \??\c:\tnhnbb.exe  c:\tnhnbb.exe  [Executes dropped EXE]
61  2292  \??\c:\9hnbbh.exe  c:\9hnbbh.exe  [Executes dropped EXE]
62  684  \??\c:\jdvjp.exe  c:\jdvjp.exe  [Executes dropped EXE]
63  2276  \??\c:\9djdj.exe  c:\9djdj.exe  [Executes dropped EXE]
64  2652  \??\c:\7fflflr.exe  c:\7fflflr.exe  [Executes dropped EXE]
65  1656  \??\c:\hhbnhn.exe  c:\hhbnhn.exe  [Executes dropped EXE]
66  1388  \??\c:\ntnbnh.exe  c:\ntnbnh.exe
67  268  \??\c:\jdpvp.exe  c:\jdpvp.exe
68  1988  \??\c:\vvjpd.exe  c:\vvjpd.exe
69  1916  \??\c:\fxlrxrf.exe  c:\fxlrxrf.exe
70  1624  \??\c:\3htthn.exe  c:\3htthn.exe
71  1340  \??\c:\5hbntb.exe  c:\5hbntb.exe
72  2448  \??\c:\jddvj.exe  c:\jddvj.exe
73  3068  \??\c:\7fllrrx.exe  c:\7fllrrx.exe
74  2852  \??\c:\xrlrxrf.exe  c:\xrlrxrf.exe
75  2172  \??\c:\thtttn.exe  c:\thtttn.exe
76  1616  \??\c:\hhbnbb.exe  c:\hhbnbb.exe
77  2540  \??\c:\vpddj.exe  c:\vpddj.exe
78  2208  \??\c:\xxlrxrx.exe  c:\xxlrxrx.exe
79  2304  \??\c:\bbbbtt.exe  c:\bbbbtt.exe
80  3040  \??\c:\ttthbn.exe  c:\ttthbn.exe
81  2600  \??\c:\vjjpj.exe  c:\vjjpj.exe
82  3004  \??\c:\5jvjv.exe  c:\5jvjv.exe
83  2484  \??\c:\rrllxxl.exe  c:\rrllxxl.exe
84  2616  \??\c:\xffllxl.exe  c:\xffllxl.exe
85  2596  \??\c:\nbntnb.exe  c:\nbntnb.exe
86  2792  \??\c:\9pjvv.exe  c:\9pjvv.exe
87  2344  \??\c:\jvjvd.exe  c:\jvjvd.exe
88  2864  \??\c:\xxlxflx.exe  c:\xxlxflx.exe
89  2516  \??\c:\3ttthh.exe  c:\3ttthh.exe
90  2988  \??\c:\hhtbhh.exe  c:\hhtbhh.exe
91  2640  \??\c:\vvddp.exe  c:\vvddp.exe
92  2820  \??\c:\vvpdj.exe  c:\vvpdj.exe
93  2760  \??\c:\fxllxfr.exe  c:\fxllxfr.exe
94  2768  \??\c:\5tnhtt.exe  c:\5tnhtt.exe
95  2060  \??\c:\hbnhhn.exe  c:\hbnhhn.exe
96  2716  \??\c:\vpjjj.exe  c:\vpjjj.exe
97  400  \??\c:\rlrxxfl.exe  c:\rlrxxfl.exe
98  1672  \??\c:\rlxxflr.exe  c:\rlxxflr.exe
99  1660  \??\c:\btnbnn.exe  c:\btnbnn.exe
100  1540  \??\c:\9hhhhn.exe  c:\9hhhhn.exe
101  1292  \??\c:\1vpvj.exe  c:\1vpvj.exe
102  1284  \??\c:\dpjdp.exe  c:\dpjdp.exe
103  1448  \??\c:\3xlrxxx.exe  c:\3xlrxxx.exe
104  2016  \??\c:\3tbhtt.exe  c:\3tbhtt.exe
105  1924  \??\c:\tnhtbb.exe  c:\tnhtbb.exe
106  2752  \??\c:\vvvpp.exe  c:\vvvpp.exe
107  2336  \??\c:\dvjvp.exe  c:\dvjvp.exe
108  1088  \??\c:\fflffxx.exe  c:\fflffxx.exe
109  2032  \??\c:\xxrxllr.exe  c:\xxrxllr.exe
110  840  \??\c:\tnhthn.exe  c:\tnhthn.exe
111  1560  \??\c:\dpddd.exe  c:\dpddd.exe
112  2812  \??\c:\pdjjj.exe  c:\pdjjj.exe
113  1040  \??\c:\lrlrlrf.exe  c:\lrlrlrf.exe
114  1732  \??\c:\rlrxllr.exe  c:\rlrxllr.exe
115  1488  \??\c:\hbtbnn.exe  c:\hbtbnn.exe
116  1752  \??\c:\bthhnb.exe  c:\bthhnb.exe
117  892  \??\c:\1ddvp.exe  c:\1ddvp.exe
118  2400  \??\c:\lxlxffr.exe  c:\lxlxffr.exe
119  1588  \??\c:\lxfrrrr.exe  c:\lxfrrrr.exe
120  2172  \??\c:\9ttbnn.exe  c:\9ttbnn.exe
121  2848  \??\c:\hthhtb.exe  c:\hthhtb.exe
122  2996  \??\c:\djdpj.exe  c:\djdpj.exe
123  2588  \??\c:\ffrrlff.exe  c:\ffrrlff.exe
124  2556  \??\c:\xrflxrl.exe  c:\xrflxrl.exe
125  3040  \??\c:\tthhtb.exe  c:\tthhtb.exe
126  2720  \??\c:\hbhhhb.exe  c:\hbhhhb.exe
127  2560  \??\c:\vvpdj.exe  c:\vvpdj.exe
128  2472  \??\c:\1pvvd.exe  c:\1pvvd.exe
129  2084  \??\c:\xxxfrrx.exe  c:\xxxfrrx.exe
130  2440  \??\c:\ffxfxxl.exe  c:\ffxfxxl.exe
131  2564  \??\c:\1tnttn.exe  c:\1tnttn.exe
132  2344  \??\c:\pjdjp.exe  c:\pjdjp.exe
133  2648  \??\c:\jdvdp.exe  c:\jdvdp.exe
134  2216  \??\c:\llflflf.exe  c:\llflflf.exe
135  2832  \??\c:\nnhtht.exe  c:\nnhtht.exe
136  1812  \??\c:\hhtthb.exe  c:\hhtthb.exe
137  2964  \??\c:\vppvd.exe  c:\vppvd.exe
138  1136  \??\c:\dvvdd.exe  c:\dvvdd.exe
139  1936  \??\c:\llfrffl.exe  c:\llfrffl.exe
140  1216  \??\c:\3lfrxxr.exe  c:\3lfrxxr.exe
141  2320  \??\c:\nbtntt.exe  c:\nbtntt.exe
142  1968  \??\c:\bnbhtb.exe  c:\bnbhtb.exe
143  1796  \??\c:\jjvjj.exe  c:\jjvjj.exe
144  1808  \??\c:\rlllxff.exe  c:\rlllxff.exe
145  2972  \??\c:\rrfxflr.exe  c:\rrfxflr.exe
146  2880  \??\c:\nhttbn.exe  c:\nhttbn.exe
147  2676  \??\c:\nnhntb.exe  c:\nnhntb.exe
148  2132  \??\c:\pjdjd.exe  c:\pjdjd.exe
149  2688  \??\c:\1pdvd.exe  c:\1pdvd.exe
150  664  \??\c:\1lfrfxf.exe  c:\1lfrfxf.exe
151  688  \??\c:\5xllrxf.exe  c:\5xllrxf.exe
152  2064  \??\c:\9thhhh.exe  c:\9thhhh.exe
153  1788  \??\c:\djvvj.exe  c:\djvvj.exe
154  640  \??\c:\vpdvj.exe  c:\vpdvj.exe
155  2032  \??\c:\ppjpd.exe  c:\ppjpd.exe
156  2008  \??\c:\xxrllfx.exe  c:\xxrllfx.exe
157  1712  \??\c:\htbhht.exe  c:\htbhht.exe
158  1500  \??\c:\thbhnt.exe  c:\thbhnt.exe
159  2764  \??\c:\5jvvp.exe  c:\5jvvp.exe
160  2056  \??\c:\9jpvv.exe  c:\9jpvv.exe
161  1512  \??\c:\9rfrlll.exe  c:\9rfrlll.exe
162  1752  \??\c:\rlxxflx.exe  c:\rlxxflx.exe
163  1516  \??\c:\3lxrxxf.exe  c:\3lxrxxf.exe
164  3068  \??\c:\nttbht.exe  c:\nttbht.exe
165  1508  \??\c:\nbhntt.exe  c:\nbhntt.exe
166  1620  \??\c:\3vjjj.exe  c:\3vjjj.exe
167  2604  \??\c:\dvjpp.exe  c:\dvjpp.exe
168  1668  \??\c:\xfrxfrx.exe  c:\xfrxfrx.exe
169  2784  \??\c:\hbhbbt.exe  c:\hbhbbt.exe
170  2572  \??\c:\vjpjj.exe  c:\vjpjj.exe
171  2808  \??\c:\7pdvj.exe  c:\7pdvj.exe
172  2804  \??\c:\rllfxrf.exe  c:\rllfxrf.exe
173  3020  \??\c:\hbhntb.exe  c:\hbhntb.exe
174  2748  \??\c:\bbbhhb.exe  c:\bbbhhb.exe
175  2596  \??\c:\5bnnbt.exe  c:\5bnnbt.exe
176  2496  \??\c:\dvjjj.exe  c:\dvjjj.exe
177  2000  \??\c:\pdpdj.exe  c:\pdpdj.exe
178  2864  \??\c:\frfxxrr.exe  c:\frfxxrr.exe
179  2664  \??\c:\7rxrlfx.exe  c:\7rxrlfx.exe
180  2988  \??\c:\thttbb.exe  c:\thttbb.exe
181  1172  \??\c:\nhtnnh.exe  c:\nhtnnh.exe
182  2576  \??\c:\3dvdp.exe  c:\3dvdp.exe
183  2476  \??\c:\vjvvp.exe  c:\vjvvp.exe
184  2820  \??\c:\9lrrllr.exe  c:\9lrrllr.exe
185  1784  \??\c:\xlxxlfx.exe  c:\xlxxlfx.exe
186  1332  \??\c:\tnbhhh.exe  c:\tnbhhh.exe
187  1436  \??\c:\nbhnhh.exe  c:\nbhnhh.exe
188  1692  \??\c:\vvddv.exe  c:\vvddv.exe
189  2980  \??\c:\pjddj.exe  c:\pjddj.exe
190  2256  \??\c:\3xrlrlr.exe  c:\3xrlrlr.exe
191  1632  \??\c:\lfrfllr.exe  c:\lfrfllr.exe
192  2096  \??\c:\5bhttn.exe  c:\5bhttn.exe
193  2512  \??\c:\hbtbnn.exe  c:\hbtbnn.exe
194  1192  \??\c:\dpvpp.exe  c:\dpvpp.exe
195  2004  \??\c:\vpvdj.exe  c:\vpvdj.exe
196  2292  \??\c:\rflfxrr.exe  c:\rflfxrr.exe
197  3032  \??\c:\fxrfrxr.exe  c:\fxrfrxr.exe
198  1860  \??\c:\1htntb.exe  c:\1htntb.exe
199  1756  \??\c:\tbtttn.exe  c:\tbtttn.exe
200  1656  \??\c:\dpjvp.exe  c:\dpjvp.exe
201  1740  \??\c:\ppjpp.exe  c:\ppjpp.exe
202  2756  \??\c:\lxrxflx.exe  c:\lxrxflx.exe
203  2224  \??\c:\rrrlrrf.exe  c:\rrrlrrf.exe
204  2296  \??\c:\ttntbb.exe  c:\ttntbb.exe
205  1500  \??\c:\7nbbbn.exe  c:\7nbbbn.exe
206  2116  \??\c:\ppjvp.exe  c:\ppjvp.exe
207  2904  \??\c:\jdjjp.exe  c:\jdjjp.exe
208  3048  \??\c:\3lfrffl.exe  c:\3lfrffl.exe
209  1248  \??\c:\llxlfxr.exe  c:\llxlfxr.exe
210  1800  \??\c:\nhthnn.exe  c:\nhthnn.exe
211  2892  \??\c:\nhnntt.exe  c:\nhnntt.exe
212  2172  \??\c:\vjvvd.exe  c:\vjvvd.exe
213  1484  \??\c:\jvjvv.exe  c:\jvjvv.exe
214  2996  \??\c:\xrffllf.exe  c:\xrffllf.exe
215  1636  \??\c:\lxllllr.exe  c:\lxllllr.exe
216  3008  \??\c:\bbnttt.exe  c:\bbnttt.exe
217  2304  \??\c:\1bhntt.exe  c:\1bhntt.exe
218  2580  \??\c:\dvpvj.exe  c:\dvpvj.exe
219  2584  \??\c:\jdppj.exe  c:\jdppj.exe
220  2396  \??\c:\lfrxfrl.exe  c:\lfrxfrl.exe
221  320  \??\c:\xrrrlfl.exe  c:\xrrrlfl.exe
222  1952  \??\c:\nhtnhh.exe  c:\nhtnhh.exe
223  2944  \??\c:\jjvdv.exe  c:\jjvdv.exe
224  2508  \??\c:\dvppp.exe  c:\dvppp.exe
225  1004  \??\c:\ffrxffx.exe  c:\ffrxffx.exe
226  2672  \??\c:\lfxxffx.exe  c:\lfxxffx.exe
227  2816  \??\c:\7bhhnn.exe  c:\7bhhnn.exe
228  2632  \??\c:\1htbhb.exe  c:\1htbhb.exe
229  2736  \??\c:\jdpvd.exe  c:\jdpvd.exe
230  2504  \??\c:\ddvvd.exe  c:\ddvvd.exe
231  2080  \??\c:\frllxlx.exe  c:\frllxlx.exe
232  2636  \??\c:\xrfxllr.exe  c:\xrfxllr.exe
233  1936  \??\c:\thhhhb.exe  c:\thhhhb.exe
234  1216  \??\c:\7thbbn.exe  c:\7thbbn.exe
235  2320  \??\c:\dpdjp.exe  c:\dpdjp.exe
236  1968  \??\c:\vvpvd.exe  c:\vvpvd.exe
237  1796  \??\c:\xxrxxxl.exe  c:\xxrxxxl.exe
238  1808  \??\c:\lfffxxf.exe  c:\lfffxxf.exe
239  2972  \??\c:\tththt.exe  c:\tththt.exe
240  2880  \??\c:\jddpd.exe  c:\jddpd.exe
241  2676  \??\c:\vjdjj.exe  c:\vjdjj.exe
242  2132  \??\c:\1rllrlx.exe  c:\1rllrlx.exe
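The WriteProcessMemory table and the process tree above describe one behaviour: a linear chain of EXEs dropped at the root of c:\, each starting the next, with the OS handing out the same PIDs again as earlier links exit. The following Python is an added detection example, not Triage's code and not part of the original report. It takes Sysmon-style process-creation events (sequence, parent PID, PID, image), rebuilds the tree while resolving each parent to the process that held that PID at creation time, and flags a root-drop chain. The name heuristic (an optional leading digit followed by letters from the set b h n t d j p v x l r f) is an assumption derived from the file names in this tree, not a vendor rule. The sample events are constructed: the first seven spawns from the tree, then a shortcut link to the later reuse of PID 2556 by xrflxrl.exe; the ffrrlff.exe link stands in for the spawns between and is not the real parent.

```python
import re
from dataclasses import dataclass
from typing import Optional

# An EXE sitting directly at the volume root, in NT (\??\c:\x.exe) or Win32 (C:\x.exe) form.
ROOT_DROP_RE = re.compile(r"^(?:\\\?\?\\)?[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
# Name alphabet observed in this report's dropped files: optional leading digit, then 4-7
# letters from {b,h,n,t,d,j,p,v,x,l,r,f}. Assumption: a heuristic from this tree, not a vendor rule.
BERBEW_NAME_RE = re.compile(r"^[0-9]?[bhntdjpvxlrf]{4,7}\.exe$", re.IGNORECASE)


@dataclass
class Proc:
    key: tuple                  # (pid, creation seq): unique even after the OS reuses the pid
    pid: int
    image: str
    parent: Optional["Proc"]
    depth: int


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_root_drop(image: str) -> bool:
    return ROOT_DROP_RE.match(image) is not None


def looks_berbew_name(image: str) -> bool:
    return BERBEW_NAME_RE.match(basename(image)) is not None


def build_tree(events):
    """events: (seq, parent_pid, pid, image) tuples in creation order, as from Sysmon event 1.
    The parent of an event is the most recent process created *before it* with that pid, which
    is what keeps a reused pid from being wired to the wrong parent or the wrong name."""
    live = {}                       # pid -> most recently created Proc with that pid
    procs = []
    for seq, ppid, pid, image in sorted(events, key=lambda e: e[0]):
        parent = live.get(ppid) if ppid is not None else None
        proc = Proc((pid, seq), pid, image, parent, 0 if parent is None else parent.depth + 1)
        live[pid] = proc
        procs.append(proc)
    return procs


def naive_image_for(events, pid):
    """Keying on pid alone returns the *last* image seen for that pid, which is how a report
    ends up labelling an early link of the chain with a name from 100 spawns later."""
    return {e[2]: e[3] for e in sorted(events, key=lambda e: e[0])}.get(pid)


def detect_drop_chain(procs, min_depth=5):
    """Flag a linear chain in which every link is a root-dropped EXE with a Berbew-style name.
    Returns (chain_length, deepest Proc) or None."""
    best = None
    for proc in procs:
        length, cur = 0, proc
        while cur is not None and is_root_drop(cur.image) and looks_berbew_name(cur.image):
            length += 1
            cur = cur.parent
        if length >= min_depth and (best is None or length > best[0]):
            best = (length, proc)
    return best


# Constructed sample (see lead-in): seven real links, then a shortcut to the pid-2556 reuse.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9ffc841ae5f592725c1a88eb97da3300_NeikiAnalytics.exe"
EVENTS = [
    (0, None, 1248, SAMPLE),
    (1, 1248, 1244, r"\??\c:\bhhnbb.exe"),
    (2, 1244, 3012, r"\??\c:\ppvdj.exe"),
    (3, 3012, 2556, r"\??\c:\lrrlxfx.exe"),
    (4, 2556, 2712, r"\??\c:\nnhtnt.exe"),
    (5, 2712, 2780, r"\??\c:\pjdvp.exe"),
    (6, 2780, 2744, r"\??\c:\fxfrrfx.exe"),
    (7, 2744, 2588, r"\??\c:\ffrrlff.exe"),   # constructed shortcut, not the real parent
    (8, 2588, 2556, r"\??\c:\xrflxrl.exe"),   # pid 2556 handed out again by the OS
]

if __name__ == "__main__":
    procs = build_tree(EVENTS)
    hit = detect_drop_chain(procs)
    if hit:
        print(f"root-drop chain of length {hit[0]} ending in {hit[1].image} (pid {hit[1].pid})")
    print("pid 2556 keyed by pid only:", naive_image_for(EVENTS, 2556))
    print("pid 2556 at seq 3         :", next(p.image for p in procs if p.key == (2556, 3)))
```

Keying on (pid, creation sequence) is what makes the depth-4 link come out as lrrlxfx.exe rather than the xrflxrl.exe that the WriteProcessMemory table reports; on a real host use the Sysmon ProcessGuid or the process creation time for the same purpose.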