Analysis
max time kernel: 144s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 06:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a0ee156c4fcf96a54fbd2daba4e76da0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
Target: a0ee156c4fcf96a54fbd2daba4e76da0_NeikiAnalytics.exe
Size: 277KB
MD5: a0ee156c4fcf96a54fbd2daba4e76da0
SHA1: 999ff00c9f3a42f7d60f8946c67be9f2ad65c494
SHA256: f37cbbc77eecbb6b1eabdc0ca76d4ca098c4b24527db81834d0349b997aa580e
SHA512: a5421622b15051d03f86f8bfc5a2ec72d5cf5b5c84c3e80160fdcc67347311763e6dd00dde8c77cf471dafcca9808b856489f65355b99fcef6388edddd654c27
SSDEEP: 6144:n3C9BRIG0asYFm71m8+GdkB9yMu7VvemQ:n3C9uYA71kSMum
Malware Config
Signatures
Detect Blackmoon payload 23 IoCs
Executes dropped EXE 64 IoCs
Process memory dumps from behavioral1 matched yara_rule upx.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
"C:\Users\Admin\AppData\Local\Temp\a0ee156c4fcf96a54fbd2daba4e76da0_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:1776