Analysis
max time kernel: 150s
max time network: 117s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample: a2e6e46097ab26e58862d3cfb836f4f0_NeikiAnalytics.exe
Resource: win7-20240221-en, windows7-x64
5 signatures
150 seconds
General
Target: a2e6e46097ab26e58862d3cfb836f4f0_NeikiAnalytics.exe
Size: 394KB
MD5: a2e6e46097ab26e58862d3cfb836f4f0
SHA1: 62f1226a3e5574a369b298bb3495a85e2b3a0755
SHA256: 3ca482c4b8b0e279797aaaacb8fcb98c70c30c4007c7112d5389b95fd634c044
SHA512: 1a4a9460f217b4199353804277ba92992711c80654ed174befeeac4d4a9ae7c08b720cdf920bdbee8adfb3d71085d83569a3a7bdd0debd01696b36919bc057f9
SSDEEP: 6144:n3C9BRo7tvnJ9oH0IRgZvjkobjcSbcY+CaQdaFOY4iGFYtRdu/6:n3C9ytvngQjZbz+xt4vFBy
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a2e6e46097ab26e58862d3cfb836f4f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a2e6e46097ab26e58862d3cfb836f4f0_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:2276