Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 23/05/2024, 21:37
Behavioral task: behavioral1
Sample: 8f564889efe5d69367af0fd0b0a94380_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 8f564889efe5d69367af0fd0b0a94380_NeikiAnalytics.exe
Size: 456KB
MD5: 8f564889efe5d69367af0fd0b0a94380
SHA1: 786a83d3c81657341e70b21b24ad37d9c95d9e27
SHA256: d741397ad7246413364e25066b4ee73d76ff27c0e3a6de2290f2f51a4a51e764
SHA512: 24b37cfd608c910a0c2d5be91e5d4cb0e69be5a76546edeed1add3be08e201543bf71f0812a53a1228c5359883d590c7e5199eb31111ee10ca64128f004e1c40
SSDEEP: 12288:04wFHoSyd0V3eFp3IDvSbh5nPYERM8mXzplo4MV:rd0gFp3lz1/uzplo9
Malware Config
Signatures

Detect Blackmoon payload (64 IoCs)
resource  yara_rule
behavioral2/memory/3432-0-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2900-6-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4032-12-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3760-17-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4936-30-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2724-42-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/1432-47-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/980-53-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3964-72-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4200-190-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4476-267-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4220-254-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4440-246-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3784-243-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2236-239-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4588-205-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3960-202-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3880-185-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3568-180-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/1904-170-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3112-163-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/1168-158-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4416-142-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3104-136-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3224-133-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3756-123-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2124-107-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3312-102-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/964-96-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3080-89-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2068-83-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3592-60-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/1888-36-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3672-23-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/696-295-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/396-307-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4732-312-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4308-319-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4756-323-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3112-338-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4228-343-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4008-348-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3328-367-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/1180-399-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3816-407-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4964-416-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/1696-430-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3084-458-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3084-462-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2320-485-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/1916-488-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2136-513-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3180-520-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4480-562-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2524-579-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/5032-591-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/4432-604-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2928-685-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3500-751-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/208-755-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/2936-852-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3660-910-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/208-1006-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
behavioral2/memory/3816-1047-0x0000000000400000-0x0000000000438000-memory.dmp  family_blackmoon
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource  yara_rule
behavioral2/memory/3432-0-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023276-3.dat  family_berbew
behavioral2/memory/2900-6-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/4032-12-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0008000000023419-10.dat  family_berbew
behavioral2/files/0x000700000002341a-16.dat  family_berbew
behavioral2/memory/3760-17-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x000700000002341c-27.dat  family_berbew
behavioral2/memory/4936-30-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x000700000002341d-34.dat  family_berbew
behavioral2/files/0x000700000002341e-40.dat  family_berbew
behavioral2/memory/2724-42-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x000700000002341f-46.dat  family_berbew
behavioral2/memory/1432-47-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023420-52.dat  family_berbew
behavioral2/memory/980-53-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023422-63.dat  family_berbew
behavioral2/files/0x0007000000023423-68.dat  family_berbew
behavioral2/memory/3964-72-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023424-75.dat  family_berbew
behavioral2/files/0x0007000000023425-80.dat  family_berbew
behavioral2/files/0x0007000000023426-86.dat  family_berbew
behavioral2/files/0x0007000000023427-92.dat  family_berbew
behavioral2/files/0x0007000000023429-104.dat  family_berbew
behavioral2/files/0x000700000002342b-114.dat  family_berbew
behavioral2/files/0x000700000002342c-120.dat  family_berbew
behavioral2/files/0x000700000002342e-130.dat  family_berbew
behavioral2/files/0x0007000000023432-153.dat  family_berbew
behavioral2/memory/4200-190-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/4476-267-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/4220-254-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/4440-246-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/3784-243-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/2236-239-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/4588-205-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/3960-202-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/3880-185-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023437-183.dat  family_berbew
behavioral2/memory/3568-180-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023436-177.dat  family_berbew
behavioral2/files/0x0007000000023435-172.dat  family_berbew
behavioral2/memory/1904-170-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023434-166.dat  family_berbew
behavioral2/memory/3112-163-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023433-160.dat  family_berbew
behavioral2/memory/4712-287-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/1168-158-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023431-149.dat  family_berbew
behavioral2/files/0x0007000000023430-144.dat  family_berbew
behavioral2/memory/4416-142-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x000700000002342f-138.dat  family_berbew
behavioral2/memory/3104-136-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/3224-133-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x000700000002342d-126.dat  family_berbew
behavioral2/memory/3756-123-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x000700000002342a-110.dat  family_berbew
behavioral2/memory/2124-107-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/3312-102-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023428-98.dat  family_berbew
behavioral2/memory/964-96-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/3080-89-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/2068-83-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/memory/3592-60-0x0000000000400000-0x0000000000438000-memory.dmp  family_berbew
behavioral2/files/0x0007000000023421-58.dat  family_berbew
Executes dropped EXE (64 IoCs)
pid  Process
2900  rlrllll.exe
4032  bbhhnh.exe
3760  jppjp.exe
3672  xrrrrll.exe
4936  thtntt.exe
1888  djvvv.exe
2724  7frlxrf.exe
1432  rxlfllx.exe
980  bnbhhb.exe
3592  vvdvv.exe
3964  7lxrrrf.exe
5012  nbnhhb.exe
2068  djvvd.exe
3080  rllxrrl.exe
964  xxlflfl.exe
3312  hnbttt.exe
2124  jvjpp.exe
3264  lfffxxr.exe
4732  xfxrlff.exe
3756  hbbtnh.exe
3224  9jjdv.exe
3104  rfrrffr.exe
4416  hntnhh.exe
868  hbtnhb.exe
2084  dvjdv.exe
1168  lfrflxf.exe
3112  ntnntt.exe
1904  vvjjj.exe
4652  xrffllr.exe
3568  xlflffl.exe
3880  tbbbbh.exe
4200  pvjjd.exe
1668  ffllflf.exe
5072  xlrxxxx.exe
3960  nhthbh.exe
4588  ddvpp.exe
1064  lfrrlff.exe
516  ffffffx.exe
1956  thtnhh.exe
2012  jddjp.exe
408  djppp.exe
3436  5llfffx.exe
4412  7bhbtt.exe
4276  7ttnth.exe
3252  3djvv.exe
4572  xrllfff.exe
2236  hnnhbt.exe
3784  vjjvp.exe
4440  rfxfflx.exe
1800  hbbnht.exe
4220  ntttnh.exe
3448  pvdjj.exe
3696  rrxxxxr.exe
4076  hhhntb.exe
4476  jdjdj.exe
4708  lxxxrxx.exe
2864  3xxrfxr.exe
4112  bthbbt.exe
1872  pjpjp.exe
5084  5xfxxxx.exe
4904  xfffxxr.exe
5040  bttttt.exe
4712  dpvdv.exe
2068  tbhbbb.exe
resource  yara_rule
behavioral2/memory/3432-0-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023276-3.dat  upx
behavioral2/memory/2900-6-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/4032-12-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0008000000023419-10.dat  upx
behavioral2/files/0x000700000002341a-16.dat  upx
behavioral2/memory/3760-17-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x000700000002341c-27.dat  upx
behavioral2/memory/4936-30-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x000700000002341d-34.dat  upx
behavioral2/files/0x000700000002341e-40.dat  upx
behavioral2/memory/2724-42-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x000700000002341f-46.dat  upx
behavioral2/memory/1432-47-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023420-52.dat  upx
behavioral2/memory/980-53-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023422-63.dat  upx
behavioral2/files/0x0007000000023423-68.dat  upx
behavioral2/memory/3964-72-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023424-75.dat  upx
behavioral2/files/0x0007000000023425-80.dat  upx
behavioral2/files/0x0007000000023426-86.dat  upx
behavioral2/files/0x0007000000023427-92.dat  upx
behavioral2/files/0x0007000000023429-104.dat  upx
behavioral2/files/0x000700000002342b-114.dat  upx
behavioral2/files/0x000700000002342c-120.dat  upx
behavioral2/files/0x000700000002342e-130.dat  upx
behavioral2/files/0x0007000000023432-153.dat  upx
behavioral2/memory/4200-190-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/4476-267-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/4220-254-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/4440-246-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/3784-243-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/2236-239-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/4588-205-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/3960-202-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/3880-185-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023437-183.dat  upx
behavioral2/memory/3568-180-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023436-177.dat  upx
behavioral2/files/0x0007000000023435-172.dat  upx
behavioral2/memory/1904-170-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023434-166.dat  upx
behavioral2/memory/3112-163-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023433-160.dat  upx
behavioral2/memory/4712-287-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/1168-158-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023431-149.dat  upx
behavioral2/files/0x0007000000023430-144.dat  upx
behavioral2/memory/4416-142-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x000700000002342f-138.dat  upx
behavioral2/memory/3104-136-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/3224-133-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x000700000002342d-126.dat  upx
behavioral2/memory/3756-123-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x000700000002342a-110.dat  upx
behavioral2/memory/2124-107-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/3312-102-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023428-98.dat  upx
behavioral2/memory/964-96-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/3080-89-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/2068-83-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/3592-60-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/files/0x0007000000023421-58.dat  upx
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target
PID 3432 wrote to memory of 2900  3432  8f564889efe5d69367af0fd0b0a94380_NeikiAnalytics.exe  82
PID 3432 wrote to memory of 2900  3432  8f564889efe5d69367af0fd0b0a94380_NeikiAnalytics.exe  82
PID 3432 wrote to memory of 2900  3432  8f564889efe5d69367af0fd0b0a94380_NeikiAnalytics.exe  82
PID 2900 wrote to memory of 4032  2900  rlrllll.exe  83
PID 2900 wrote to memory of 4032  2900  rlrllll.exe  83
PID 2900 wrote to memory of 4032  2900  rlrllll.exe  83
PID 4032 wrote to memory of 3760  4032  bbhhnh.exe  84
PID 4032 wrote to memory of 3760  4032  bbhhnh.exe  84
PID 4032 wrote to memory of 3760  4032  bbhhnh.exe  84
PID 3760 wrote to memory of 3672  3760  jppjp.exe  85
PID 3760 wrote to memory of 3672  3760  jppjp.exe  85
PID 3760 wrote to memory of 3672  3760  jppjp.exe  85
PID 3672 wrote to memory of 4936  3672  xrrrrll.exe  86
PID 3672 wrote to memory of 4936  3672  xrrrrll.exe  86
PID 3672 wrote to memory of 4936  3672  xrrrrll.exe  86
PID 4936 wrote to memory of 1888  4936  thtntt.exe  87
PID 4936 wrote to memory of 1888  4936  thtntt.exe  87
PID 4936 wrote to memory of 1888  4936  thtntt.exe  87
PID 1888 wrote to memory of 2724  1888  djvvv.exe  88
PID 1888 wrote to memory of 2724  1888  djvvv.exe  88
PID 1888 wrote to memory of 2724  1888  djvvv.exe  88
PID 2724 wrote to memory of 1432  2724  7frlxrf.exe  89
PID 2724 wrote to memory of 1432  2724  7frlxrf.exe  89
PID 2724 wrote to memory of 1432  2724  7frlxrf.exe  89
PID 1432 wrote to memory of 980  1432  rxlfllx.exe  90
PID 1432 wrote to memory of 980  1432  rxlfllx.exe  90
PID 1432 wrote to memory of 980  1432  rxlfllx.exe  90
PID 980 wrote to memory of 3592  980  bnbhhb.exe  91
PID 980 wrote to memory of 3592  980  bnbhhb.exe  91
PID 980 wrote to memory of 3592  980  bnbhhb.exe  91
PID 3592 wrote to memory of 3964  3592  vvdvv.exe  92
PID 3592 wrote to memory of 3964  3592  vvdvv.exe  92
PID 3592 wrote to memory of 3964  3592  vvdvv.exe  92
PID 3964 wrote to memory of 5012  3964  7lxrrrf.exe  93
PID 3964 wrote to memory of 5012  3964  7lxrrrf.exe  93
PID 3964 wrote to memory of 5012  3964  7lxrrrf.exe  93
PID 5012 wrote to memory of 2068  5012  nbnhhb.exe  94
PID 5012 wrote to memory of 2068  5012  nbnhhb.exe  94
PID 5012 wrote to memory of 2068  5012  nbnhhb.exe  94
PID 2068 wrote to memory of 3080  2068  djvvd.exe  95
PID 2068 wrote to memory of 3080  2068  djvvd.exe  95
PID 2068 wrote to memory of 3080  2068  djvvd.exe  95
PID 3080 wrote to memory of 964  3080  rllxrrl.exe  96
PID 3080 wrote to memory of 964  3080  rllxrrl.exe  96
PID 3080 wrote to memory of 964  3080  rllxrrl.exe  96
PID 964 wrote to memory of 3312  964  xxlflfl.exe  97
PID 964 wrote to memory of 3312  964  xxlflfl.exe  97
PID 964 wrote to memory of 3312  964  xxlflfl.exe  97
PID 3312 wrote to memory of 2124  3312  hnbttt.exe  98
PID 3312 wrote to memory of 2124  3312  hnbttt.exe  98
PID 3312 wrote to memory of 2124  3312  hnbttt.exe  98
PID 2124 wrote to memory of 3264  2124  jvjpp.exe  99
PID 2124 wrote to memory of 3264  2124  jvjpp.exe  99
PID 2124 wrote to memory of 3264  2124  jvjpp.exe  99
PID 3264 wrote to memory of 4732  3264  lfffxxr.exe  150
PID 3264 wrote to memory of 4732  3264  lfffxxr.exe  150
PID 3264 wrote to memory of 4732  3264  lfffxxr.exe  150
PID 4732 wrote to memory of 3756  4732  xfxrlff.exe  101
PID 4732 wrote to memory of 3756  4732  xfxrlff.exe  101
PID 4732 wrote to memory of 3756  4732  xfxrlff.exe  101
PID 3756 wrote to memory of 3224  3756  hbbtnh.exe  102
PID 3756 wrote to memory of 3224  3756  hbbtnh.exe  102
PID 3756 wrote to memory of 3224  3756  hbbtnh.exe  102
PID 3224 wrote to memory of 3104  3224  9jjdv.exe  103
Processes
(each entry: tree depth, image path, command line, PID; signatures matched by that process follow as bullets)

1  C:\Users\Admin\AppData\Local\Temp\8f564889efe5d69367af0fd0b0a94380_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\8f564889efe5d69367af0fd0b0a94380_NeikiAnalytics.exe"  PID:3432
   - Suspicious use of WriteProcessMemory
2  \??\c:\rlrllll.exe  c:\rlrllll.exe  PID:2900
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3  \??\c:\bbhhnh.exe  c:\bbhhnh.exe  PID:4032
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  \??\c:\jppjp.exe  c:\jppjp.exe  PID:3760
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5  \??\c:\xrrrrll.exe  c:\xrrrrll.exe  PID:3672
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6  \??\c:\thtntt.exe  c:\thtntt.exe  PID:4936
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  \??\c:\djvvv.exe  c:\djvvv.exe  PID:1888
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8  \??\c:\7frlxrf.exe  c:\7frlxrf.exe  PID:2724
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  \??\c:\rxlfllx.exe  c:\rxlfllx.exe  PID:1432
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10  \??\c:\bnbhhb.exe  c:\bnbhhb.exe  PID:980
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11  \??\c:\vvdvv.exe  c:\vvdvv.exe  PID:3592
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12  \??\c:\7lxrrrf.exe  c:\7lxrrrf.exe  PID:3964
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13  \??\c:\nbnhhb.exe  c:\nbnhhb.exe  PID:5012
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14  \??\c:\djvvd.exe  c:\djvvd.exe  PID:2068
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15  \??\c:\rllxrrl.exe  c:\rllxrrl.exe  PID:3080
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16  \??\c:\xxlflfl.exe  c:\xxlflfl.exe  PID:964
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17  \??\c:\hnbttt.exe  c:\hnbttt.exe  PID:3312
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18  \??\c:\jvjpp.exe  c:\jvjpp.exe  PID:2124
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19  \??\c:\lfffxxr.exe  c:\lfffxxr.exe  PID:3264
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20  \??\c:\xfxrlff.exe  c:\xfxrlff.exe  PID:4732
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21  \??\c:\hbbtnh.exe  c:\hbbtnh.exe  PID:3756
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22  \??\c:\9jjdv.exe  c:\9jjdv.exe  PID:3224
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23  \??\c:\rfrrffr.exe  c:\rfrrffr.exe  PID:3104
   - Executes dropped EXE
24  \??\c:\hntnhh.exe  c:\hntnhh.exe  PID:4416
   - Executes dropped EXE
25  \??\c:\hbtnhb.exe  c:\hbtnhb.exe  PID:868
   - Executes dropped EXE
26  \??\c:\dvjdv.exe  c:\dvjdv.exe  PID:2084
   - Executes dropped EXE
27  \??\c:\lfrflxf.exe  c:\lfrflxf.exe  PID:1168
   - Executes dropped EXE
28  \??\c:\ntnntt.exe  c:\ntnntt.exe  PID:3112
   - Executes dropped EXE
29  \??\c:\vvjjj.exe  c:\vvjjj.exe  PID:1904
   - Executes dropped EXE
30  \??\c:\xrffllr.exe  c:\xrffllr.exe  PID:4652
   - Executes dropped EXE
31  \??\c:\xlflffl.exe  c:\xlflffl.exe  PID:3568
   - Executes dropped EXE
32  \??\c:\tbbbbh.exe  c:\tbbbbh.exe  PID:3880
   - Executes dropped EXE
33  \??\c:\pvjjd.exe  c:\pvjjd.exe  PID:4200
   - Executes dropped EXE
34  \??\c:\ffllflf.exe  c:\ffllflf.exe  PID:1668
   - Executes dropped EXE
35  \??\c:\xlrxxxx.exe  c:\xlrxxxx.exe  PID:5072
   - Executes dropped EXE
36  \??\c:\nhthbh.exe  c:\nhthbh.exe  PID:3960
   - Executes dropped EXE
37  \??\c:\ddvpp.exe  c:\ddvpp.exe  PID:4588
   - Executes dropped EXE
38  \??\c:\lfrrlff.exe  c:\lfrrlff.exe  PID:1064
   - Executes dropped EXE
39  \??\c:\ffffffx.exe  c:\ffffffx.exe  PID:516
   - Executes dropped EXE
40  \??\c:\thtnhh.exe  c:\thtnhh.exe  PID:1956
   - Executes dropped EXE
41  \??\c:\jddjp.exe  c:\jddjp.exe  PID:2012
   - Executes dropped EXE
42  \??\c:\djppp.exe  c:\djppp.exe  PID:408
   - Executes dropped EXE
43  \??\c:\5llfffx.exe  c:\5llfffx.exe  PID:3436
   - Executes dropped EXE
44  \??\c:\7bhbtt.exe  c:\7bhbtt.exe  PID:4412
   - Executes dropped EXE
45  \??\c:\7ttnth.exe  c:\7ttnth.exe  PID:4276
   - Executes dropped EXE
46  \??\c:\3djvv.exe  c:\3djvv.exe  PID:3252
   - Executes dropped EXE
47  \??\c:\xrllfff.exe  c:\xrllfff.exe  PID:4572
   - Executes dropped EXE
48  \??\c:\hnnhbt.exe  c:\hnnhbt.exe  PID:2236
   - Executes dropped EXE
49  \??\c:\vjjvp.exe  c:\vjjvp.exe  PID:3784
   - Executes dropped EXE
50  \??\c:\rfxfflx.exe  c:\rfxfflx.exe  PID:4440
   - Executes dropped EXE
51  \??\c:\hbbnht.exe  c:\hbbnht.exe  PID:1800
   - Executes dropped EXE
52  \??\c:\ntttnh.exe  c:\ntttnh.exe  PID:4220
   - Executes dropped EXE
53  \??\c:\pvdjj.exe  c:\pvdjj.exe  PID:3448
   - Executes dropped EXE
54  \??\c:\rrxxxxr.exe  c:\rrxxxxr.exe  PID:3696
   - Executes dropped EXE
55  \??\c:\hhhntb.exe  c:\hhhntb.exe  PID:4076
   - Executes dropped EXE
56  \??\c:\jdjdj.exe  c:\jdjdj.exe  PID:4476
   - Executes dropped EXE
57  \??\c:\lxxxrxx.exe  c:\lxxxrxx.exe  PID:4708
   - Executes dropped EXE
58  \??\c:\3xxrfxr.exe  c:\3xxrfxr.exe  PID:2864
   - Executes dropped EXE
59  \??\c:\bthbbt.exe  c:\bthbbt.exe  PID:4112
   - Executes dropped EXE
60  \??\c:\pjpjp.exe  c:\pjpjp.exe  PID:1872
   - Executes dropped EXE
61  \??\c:\5xfxxxx.exe  c:\5xfxxxx.exe  PID:5084
   - Executes dropped EXE
62  \??\c:\xfffxxr.exe  c:\xfffxxr.exe  PID:4904
   - Executes dropped EXE
63  \??\c:\bttttt.exe  c:\bttttt.exe  PID:5040
   - Executes dropped EXE
64  \??\c:\dpvdv.exe  c:\dpvdv.exe  PID:4712
   - Executes dropped EXE
65  \??\c:\tbhbbb.exe  c:\tbhbbb.exe  PID:2068
   - Executes dropped EXE
66  \??\c:\ppvvv.exe  c:\ppvvv.exe  PID:696
67  \??\c:\3ffxxxx.exe  c:\3ffxxxx.exe  PID:4728
68  \??\c:\btnhnh.exe  c:\btnhnh.exe  PID:968
69  \??\c:\dppvj.exe  c:\dppvj.exe  PID:396
70  \??\c:\xllfxxr.exe  c:\xllfxxr.exe  PID:4732
71  \??\c:\3nhbnt.exe  c:\3nhbnt.exe  PID:4176
72  \??\c:\1dpjd.exe  c:\1dpjd.exe  PID:4308
73  \??\c:\lxxxrrr.exe  c:\lxxxrrr.exe  PID:4756
74  \??\c:\9bbtnn.exe  c:\9bbtnn.exe  PID:868
75  \??\c:\vpvpp.exe  c:\vpvpp.exe  PID:2084
76  \??\c:\rfrlfff.exe  c:\rfrlfff.exe  PID:3240
77  \??\c:\9ttbtt.exe  c:\9ttbtt.exe  PID:3112
78  \??\c:\djpdj.exe  c:\djpdj.exe  PID:4228
79  \??\c:\rllffxx.exe  c:\rllffxx.exe  PID:4008
80  \??\c:\btbbbt.exe  c:\btbbbt.exe  PID:428
81  \??\c:\pjvjj.exe  c:\pjvjj.exe  PID:1668
82  \??\c:\3flfxxr.exe  c:\3flfxxr.exe  PID:1648
83  \??\c:\5tbbtn.exe  c:\5tbbtn.exe  PID:3388
84  \??\c:\jjppp.exe  c:\jjppp.exe  PID:4588
85  \??\c:\lrxrrll.exe  c:\lrxrrll.exe  PID:3328
86  \??\c:\bttttb.exe  c:\bttttb.exe  PID:1932
87  \??\c:\vdjjj.exe  c:\vdjjj.exe  PID:1956
88  \??\c:\rflxrll.exe  c:\rflxrll.exe  PID:2452
89  \??\c:\lfrfxfx.exe  c:\lfrfxfx.exe  PID:808
90  \??\c:\btbbbt.exe  c:\btbbbt.exe  PID:1296
91  \??\c:\3jjvv.exe  c:\3jjvv.exe  PID:1484
92  \??\c:\xlrfxxl.exe  c:\xlrfxxl.exe  PID:4876
93  \??\c:\thnnnn.exe  c:\thnnnn.exe  PID:4500
94  \??\c:\pvvvp.exe  c:\pvvvp.exe  PID:1680
95  \??\c:\jdddp.exe  c:\jdddp.exe  PID:1180
96  \??\c:\rllfrrl.exe  c:\rllfrrl.exe  PID:4408
97  \??\c:\tbbttn.exe  c:\tbbttn.exe  PID:4608
98  \??\c:\hhtnth.exe  c:\hhtnth.exe  PID:3816
99  \??\c:\jjjdv.exe  c:\jjjdv.exe  PID:4444
100  \??\c:\xlrrlff.exe  c:\xlrrlff.exe  PID:4964
101  \??\c:\bnbbbb.exe  c:\bnbbbb.exe  PID:216
102  \??\c:\vpvvv.exe  c:\vpvvv.exe  PID:1272
103  \??\c:\xflllrl.exe  c:\xflllrl.exe  PID:4704
104  \??\c:\vjjjp.exe  c:\vjjjp.exe  PID:1696
105  \??\c:\dpjdv.exe  c:\dpjdv.exe  PID:2864
106  \??\c:\nhnhtn.exe  c:\nhnhtn.exe  PID:1720
107  \??\c:\dvjdj.exe  c:\dvjdj.exe  PID:4504
108  \??\c:\lllrllf.exe  c:\lllrllf.exe  PID:1584
109  \??\c:\7hnhhb.exe  c:\7hnhhb.exe  PID:3016
110  \??\c:\jddjp.exe  c:\jddjp.exe  PID:3928
111  \??\c:\rxxrrfr.exe  c:\rxxrrfr.exe  PID:1636
112  \??\c:\hbnhhh.exe  c:\hbnhhh.exe  PID:4904
113  \??\c:\jjjjv.exe  c:\jjjjv.exe  PID:1772
114  \??\c:\1rfxlrr.exe  c:\1rfxlrr.exe  PID:3084
115  \??\c:\1hnnnt.exe  c:\1hnnnt.exe  PID:2520
116  \??\c:\1pjdv.exe  c:\1pjdv.exe  PID:3312
117  \??\c:\lrrrlxx.exe  c:\lrrrlxx.exe  PID:4972
118  \??\c:\5flxrrl.exe  c:\5flxrrl.exe  PID:2596
119  \??\c:\hbhhhb.exe  c:\hbhhhb.exe  PID:2432
120  \??\c:\ppvdv.exe  c:\ppvdv.exe  PID:4176
121  \??\c:\xxfxfxx.exe  c:\xxfxfxx.exe  PID:2240
122  \??\c:\hbtntt.exe  c:\hbtntt.exe  PID:2320