Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 08:00
Static task
static1: 1 signatures
Behavioral task
behavioral1
Sample: b15b2e40bd5cd3b97098f4cf94e40210_NeikiAnalytics.exe
Resource: win7-20240215-en (windows7-x64)
5 signatures
150 seconds
General
Target: b15b2e40bd5cd3b97098f4cf94e40210_NeikiAnalytics.exe
Size: 392KB
MD5: b15b2e40bd5cd3b97098f4cf94e40210
SHA1: 6ae0e427fc719e95aab13fdd3ab1b48c5801a112
SHA256: 0c9c7f159d597fe6a8d9d832358a57de25bad7857add204ddbc0cc903bde5482
SHA512: 6eaa8eac643005ca8eeb748750c003fc19d33169abddf7b87b74b97d4996a4944224c4e5807f75d47742eebfdd9498b7ac7256f74d7574146622fb7a853e7bdf
SSDEEP: 6144:n3C9BRIG0asYFm71mPfkVB8dKwaO5CVwOP:n3C9uYA7okVqdKwaO5CVJ
Malware Config
Signatures
Detect Blackmoon payload 21 IoCs
Executes dropped EXE 64 IoCs
Process memory dumps matching yara_rule: upx
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\b15b2e40bd5cd3b97098f4cf94e40210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b15b2e40bd5cd3b97098f4cf94e40210_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID: 1776