Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 12:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c89d57be31d4dcf75d6a4189305ce5d0_NeikiAnalytics.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
c89d57be31d4dcf75d6a4189305ce5d0_NeikiAnalytics.exe
-
Size
65KB
-
MD5
c89d57be31d4dcf75d6a4189305ce5d0
-
SHA1
65fc57a13d1ffd6325aeabc5de5eacd4dd1c38ae
-
SHA256
364392a9c0ddf4bd3b3741b54553e254b87bd7b2f30ef31c004e468e79267da5
-
SHA512
430229d2fde4a1c546d181e967b90592ea02aa058a6fafa83f94a283a071517ee7d744f608cc34ec41cec84f9281d670e5d550c4d2856ea643b157874b23730b
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIhJm/wEa:ymb3NkkiQ3mdBjFILmi
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
resource yara_rule behavioral2/memory/4548-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3428-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5116-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/960-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1652-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2064-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1788-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4224-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4576-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2044-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2680-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1976-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4236-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3132-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4004-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5000-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4756-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3228-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3172-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/344-154-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/624-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/540-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3140-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2396-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4864-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3108-202-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3428 rlxxxxf.exe 960 nbnhtb.exe 5116 3ppdp.exe 1652 llflrxf.exe 2064 9bnhbt.exe 1788 7pvjv.exe 4224 xflfxxr.exe 4576 7lxlxll.exe 2044 5vjvp.exe 2680 fxffxfx.exe 1976 1nhnbt.exe 4236 pjpdv.exe 2116 lrxrffx.exe 3132 rxxrllf.exe 4004 tntnht.exe 5000 jjdjv.exe 3048 rflrfrr.exe 4756 7fffllf.exe 3228 ththbt.exe 3172 jddvp.exe 4168 fxxrrll.exe 344 hnnnnn.exe 624 htnbnh.exe 540 pdjvd.exe 3140 xrrlrxr.exe 2396 3hhtnn.exe 2912 pjddv.exe 4200 ppvjd.exe 4864 fflffxx.exe 3108 9hbthh.exe 2400 pjjdp.exe 3792 pjdvp.exe 3940 lxrxxff.exe 2472 tthnhb.exe 3420 djjdd.exe 856 vpvvp.exe 4000 xffffff.exe 996 xxfxrrr.exe 2932 1tnhbb.exe 1604 dpjdv.exe 4400 7xlrxlx.exe 804 3hhhbb.exe 4972 bnhnht.exe 2136 vvdvd.exe 1764 xflxlfr.exe 1960 5rfxxxr.exe 1612 thhhhh.exe 3852 tnhnht.exe 3324 vvppj.exe 3356 bhhbth.exe 1632 vpjjd.exe 4772 dvpdj.exe 1180 7rllfff.exe 2140 ttnhbb.exe 4860 7jjdd.exe 3680 pjpvv.exe 1216 9xxxrrf.exe 5068 bhnhnb.exe 2928 dpvjd.exe 3996 rxxlfrl.exe 4448 5hhtbt.exe 2764 tnhbtn.exe 4116 dvjjj.exe 4128 vdvpd.exe -
resource yara_rule behavioral2/memory/4548-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3428-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/960-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/960-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5116-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/960-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/960-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1652-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2064-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1788-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4224-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4576-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4576-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4576-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2044-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2680-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1976-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4236-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3132-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4004-112-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5000-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4756-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3228-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3172-142-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/344-154-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/624-159-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/540-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3140-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2396-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4864-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3108-202-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4548 wrote to memory of 3428 4548 c89d57be31d4dcf75d6a4189305ce5d0_NeikiAnalytics.exe 82 PID 4548 wrote to memory of 3428 4548 c89d57be31d4dcf75d6a4189305ce5d0_NeikiAnalytics.exe 82 PID 4548 wrote to memory of 3428 4548 c89d57be31d4dcf75d6a4189305ce5d0_NeikiAnalytics.exe 82 PID 3428 wrote to memory of 960 3428 rlxxxxf.exe 83 PID 3428 wrote to memory of 960 3428 rlxxxxf.exe 83 PID 3428 wrote to memory of 960 3428 rlxxxxf.exe 83 PID 960 wrote to memory of 5116 960 nbnhtb.exe 84 PID 960 wrote to memory of 5116 960 nbnhtb.exe 84 PID 960 wrote to memory of 5116 960 nbnhtb.exe 84 PID 5116 wrote to memory of 1652 5116 3ppdp.exe 85 PID 5116 wrote to memory of 1652 5116 3ppdp.exe 85 PID 5116 wrote to memory of 1652 5116 3ppdp.exe 85 PID 1652 wrote to memory of 2064 1652 llflrxf.exe 86 PID 1652 wrote to memory of 2064 1652 llflrxf.exe 86 PID 1652 wrote to memory of 2064 1652 llflrxf.exe 86 PID 2064 wrote to memory of 1788 2064 9bnhbt.exe 87 PID 2064 wrote to memory of 1788 2064 9bnhbt.exe 87 PID 2064 wrote to memory of 1788 2064 9bnhbt.exe 87 PID 1788 wrote to memory of 4224 1788 7pvjv.exe 88 PID 1788 wrote to memory of 4224 1788 7pvjv.exe 88 PID 1788 wrote to memory of 4224 1788 7pvjv.exe 88 PID 4224 wrote to memory of 4576 4224 xflfxxr.exe 89 PID 4224 wrote to memory of 4576 4224 xflfxxr.exe 89 PID 4224 wrote to memory of 4576 4224 xflfxxr.exe 89 PID 4576 wrote to memory of 2044 4576 7lxlxll.exe 90 PID 4576 wrote to memory of 2044 4576 7lxlxll.exe 90 PID 4576 wrote to memory of 2044 4576 7lxlxll.exe 90 PID 2044 wrote to memory of 2680 2044 5vjvp.exe 91 PID 2044 wrote to memory of 2680 2044 5vjvp.exe 91 PID 2044 wrote to memory of 2680 2044 5vjvp.exe 91 PID 2680 wrote to memory of 1976 2680 fxffxfx.exe 92 PID 2680 wrote to memory of 1976 2680 fxffxfx.exe 92 PID 2680 wrote to memory of 1976 2680 fxffxfx.exe 92 PID 1976 wrote to memory of 4236 1976 1nhnbt.exe 93 PID 1976 wrote to memory of 4236 1976 1nhnbt.exe 93 PID 1976 wrote to 
memory of 4236 1976 1nhnbt.exe 93 PID 4236 wrote to memory of 2116 4236 pjpdv.exe 94 PID 4236 wrote to memory of 2116 4236 pjpdv.exe 94 PID 4236 wrote to memory of 2116 4236 pjpdv.exe 94 PID 2116 wrote to memory of 3132 2116 lrxrffx.exe 95 PID 2116 wrote to memory of 3132 2116 lrxrffx.exe 95 PID 2116 wrote to memory of 3132 2116 lrxrffx.exe 95 PID 3132 wrote to memory of 4004 3132 rxxrllf.exe 96 PID 3132 wrote to memory of 4004 3132 rxxrllf.exe 96 PID 3132 wrote to memory of 4004 3132 rxxrllf.exe 96 PID 4004 wrote to memory of 5000 4004 tntnht.exe 97 PID 4004 wrote to memory of 5000 4004 tntnht.exe 97 PID 4004 wrote to memory of 5000 4004 tntnht.exe 97 PID 5000 wrote to memory of 3048 5000 jjdjv.exe 98 PID 5000 wrote to memory of 3048 5000 jjdjv.exe 98 PID 5000 wrote to memory of 3048 5000 jjdjv.exe 98 PID 3048 wrote to memory of 4756 3048 rflrfrr.exe 99 PID 3048 wrote to memory of 4756 3048 rflrfrr.exe 99 PID 3048 wrote to memory of 4756 3048 rflrfrr.exe 99 PID 4756 wrote to memory of 3228 4756 7fffllf.exe 100 PID 4756 wrote to memory of 3228 4756 7fffllf.exe 100 PID 4756 wrote to memory of 3228 4756 7fffllf.exe 100 PID 3228 wrote to memory of 3172 3228 ththbt.exe 101 PID 3228 wrote to memory of 3172 3228 ththbt.exe 101 PID 3228 wrote to memory of 3172 3228 ththbt.exe 101 PID 3172 wrote to memory of 4168 3172 jddvp.exe 102 PID 3172 wrote to memory of 4168 3172 jddvp.exe 102 PID 3172 wrote to memory of 4168 3172 jddvp.exe 102 PID 4168 wrote to memory of 344 4168 fxxrrll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c89d57be31d4dcf75d6a4189305ce5d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c89d57be31d4dcf75d6a4189305ce5d0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\rlxxxxf.exec:\rlxxxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\nbnhtb.exec:\nbnhtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\3ppdp.exec:\3ppdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\llflrxf.exec:\llflrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\9bnhbt.exec:\9bnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\7pvjv.exec:\7pvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xflfxxr.exec:\xflfxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\7lxlxll.exec:\7lxlxll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\5vjvp.exec:\5vjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\fxffxfx.exec:\fxffxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\1nhnbt.exec:\1nhnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\pjpdv.exec:\pjpdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\lrxrffx.exec:\lrxrffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\rxxrllf.exec:\rxxrllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\tntnht.exec:\tntnht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\jjdjv.exec:\jjdjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\rflrfrr.exec:\rflrfrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\7fffllf.exec:\7fffllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\ththbt.exec:\ththbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\jddvp.exec:\jddvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\fxxrrll.exec:\fxxrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\hnnnnn.exec:\hnnnnn.exe23⤵
- Executes dropped EXE
PID:344 -
\??\c:\htnbnh.exec:\htnbnh.exe24⤵
- Executes dropped EXE
PID:624 -
\??\c:\pdjvd.exec:\pdjvd.exe25⤵
- Executes dropped EXE
PID:540 -
\??\c:\xrrlrxr.exec:\xrrlrxr.exe26⤵
- Executes dropped EXE
PID:3140 -
\??\c:\3hhtnn.exec:\3hhtnn.exe27⤵
- Executes dropped EXE
PID:2396 -
\??\c:\pjddv.exec:\pjddv.exe28⤵
- Executes dropped EXE
PID:2912 -
\??\c:\ppvjd.exec:\ppvjd.exe29⤵
- Executes dropped EXE
PID:4200 -
\??\c:\fflffxx.exec:\fflffxx.exe30⤵
- Executes dropped EXE
PID:4864 -
\??\c:\9hbthh.exec:\9hbthh.exe31⤵
- Executes dropped EXE
PID:3108 -
\??\c:\pjjdp.exec:\pjjdp.exe32⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pjdvp.exec:\pjdvp.exe33⤵
- Executes dropped EXE
PID:3792 -
\??\c:\lxrxxff.exec:\lxrxxff.exe34⤵
- Executes dropped EXE
PID:3940 -
\??\c:\tthnhb.exec:\tthnhb.exe35⤵
- Executes dropped EXE
PID:2472 -
\??\c:\djjdd.exec:\djjdd.exe36⤵
- Executes dropped EXE
PID:3420 -
\??\c:\vpvvp.exec:\vpvvp.exe37⤵
- Executes dropped EXE
PID:856 -
\??\c:\xffffff.exec:\xffffff.exe38⤵
- Executes dropped EXE
PID:4000 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe39⤵
- Executes dropped EXE
PID:996 -
\??\c:\1tnhbb.exec:\1tnhbb.exe40⤵
- Executes dropped EXE
PID:2932 -
\??\c:\dpjdv.exec:\dpjdv.exe41⤵
- Executes dropped EXE
PID:1604 -
\??\c:\7xlrxlx.exec:\7xlrxlx.exe42⤵
- Executes dropped EXE
PID:4400 -
\??\c:\3hhhbb.exec:\3hhhbb.exe43⤵
- Executes dropped EXE
PID:804 -
\??\c:\bnhnht.exec:\bnhnht.exe44⤵
- Executes dropped EXE
PID:4972 -
\??\c:\vvdvd.exec:\vvdvd.exe45⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xflxlfr.exec:\xflxlfr.exe46⤵
- Executes dropped EXE
PID:1764 -
\??\c:\5rfxxxr.exec:\5rfxxxr.exe47⤵
- Executes dropped EXE
PID:1960 -
\??\c:\thhhhh.exec:\thhhhh.exe48⤵
- Executes dropped EXE
PID:1612 -
\??\c:\tnhnht.exec:\tnhnht.exe49⤵
- Executes dropped EXE
PID:3852 -
\??\c:\vvppj.exec:\vvppj.exe50⤵
- Executes dropped EXE
PID:3324 -
\??\c:\bhhbth.exec:\bhhbth.exe51⤵
- Executes dropped EXE
PID:3356 -
\??\c:\vpjjd.exec:\vpjjd.exe52⤵
- Executes dropped EXE
PID:1632 -
\??\c:\dvpdj.exec:\dvpdj.exe53⤵
- Executes dropped EXE
PID:4772 -
\??\c:\7rllfff.exec:\7rllfff.exe54⤵
- Executes dropped EXE
PID:1180 -
\??\c:\ttnhbb.exec:\ttnhbb.exe55⤵
- Executes dropped EXE
PID:2140 -
\??\c:\7jjdd.exec:\7jjdd.exe56⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pjpvv.exec:\pjpvv.exe57⤵
- Executes dropped EXE
PID:3680 -
\??\c:\9xxxrrf.exec:\9xxxrrf.exe58⤵
- Executes dropped EXE
PID:1216 -
\??\c:\bhnhnb.exec:\bhnhnb.exe59⤵
- Executes dropped EXE
PID:5068 -
\??\c:\dpvjd.exec:\dpvjd.exe60⤵
- Executes dropped EXE
PID:2928 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe61⤵
- Executes dropped EXE
PID:3996 -
\??\c:\5hhtbt.exec:\5hhtbt.exe62⤵
- Executes dropped EXE
PID:4448 -
\??\c:\tnhbtn.exec:\tnhbtn.exe63⤵
- Executes dropped EXE
PID:2764 -
\??\c:\dvjjj.exec:\dvjjj.exe64⤵
- Executes dropped EXE
PID:4116 -
\??\c:\vdvpd.exec:\vdvpd.exe65⤵
- Executes dropped EXE
PID:4128 -
\??\c:\nbbtbb.exec:\nbbtbb.exe66⤵PID:3468
-
\??\c:\bttnhn.exec:\bttnhn.exe67⤵PID:116
-
\??\c:\vjjdp.exec:\vjjdp.exe68⤵PID:4168
-
\??\c:\7xffxlf.exec:\7xffxlf.exe69⤵PID:1556
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe70⤵PID:4104
-
\??\c:\1ttttb.exec:\1ttttb.exe71⤵PID:5080
-
\??\c:\ppppp.exec:\ppppp.exe72⤵PID:2368
-
\??\c:\vpddd.exec:\vpddd.exe73⤵PID:2920
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe74⤵PID:2336
-
\??\c:\bnbnnt.exec:\bnbnnt.exe75⤵PID:2412
-
\??\c:\nthbbb.exec:\nthbbb.exe76⤵PID:3984
-
\??\c:\djvvd.exec:\djvvd.exe77⤵PID:2376
-
\??\c:\9vppv.exec:\9vppv.exe78⤵PID:4408
-
\??\c:\ffxllfl.exec:\ffxllfl.exe79⤵PID:4228
-
\??\c:\ttntnh.exec:\ttntnh.exe80⤵PID:3136
-
\??\c:\nbbnbb.exec:\nbbnbb.exe81⤵PID:3104
-
\??\c:\7jppj.exec:\7jppj.exe82⤵PID:2248
-
\??\c:\7ppvj.exec:\7ppvj.exe83⤵PID:1148
-
\??\c:\frlfrlf.exec:\frlfrlf.exe84⤵PID:3796
-
\??\c:\thnhhh.exec:\thnhhh.exe85⤵PID:2308
-
\??\c:\btbhbt.exec:\btbhbt.exe86⤵PID:3212
-
\??\c:\vppjv.exec:\vppjv.exe87⤵PID:4108
-
\??\c:\jddpd.exec:\jddpd.exe88⤵PID:4396
-
\??\c:\frxllrl.exec:\frxllrl.exe89⤵PID:3088
-
\??\c:\bbnhth.exec:\bbnhth.exe90⤵PID:1828
-
\??\c:\bntnbb.exec:\bntnbb.exe91⤵PID:960
-
\??\c:\djvvd.exec:\djvvd.exe92⤵PID:4608
-
\??\c:\9ffrllf.exec:\9ffrllf.exe93⤵PID:4556
-
\??\c:\nhbtnh.exec:\nhbtnh.exe94⤵PID:868
-
\??\c:\tntbnt.exec:\tntbnt.exe95⤵PID:1612
-
\??\c:\pvvpp.exec:\pvvpp.exe96⤵PID:3852
-
\??\c:\pddvj.exec:\pddvj.exe97⤵PID:3324
-
\??\c:\rxxxlll.exec:\rxxxlll.exe98⤵PID:3356
-
\??\c:\bbttnn.exec:\bbttnn.exe99⤵PID:3184
-
\??\c:\tnhbnn.exec:\tnhbnn.exe100⤵PID:4772
-
\??\c:\bhntbb.exec:\bhntbb.exe101⤵PID:3300
-
\??\c:\pvdjd.exec:\pvdjd.exe102⤵PID:4224
-
\??\c:\rrfxrrl.exec:\rrfxrrl.exe103⤵PID:4860
-
\??\c:\tnhnhn.exec:\tnhnhn.exe104⤵PID:2188
-
\??\c:\htntnn.exec:\htntnn.exe105⤵PID:3444
-
\??\c:\vvvvj.exec:\vvvvj.exe106⤵PID:4508
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe107⤵PID:5068
-
\??\c:\lxffxxx.exec:\lxffxxx.exe108⤵PID:5000
-
\??\c:\hbbnnt.exec:\hbbnnt.exe109⤵PID:4856
-
\??\c:\hthhhb.exec:\hthhhb.exe110⤵PID:1688
-
\??\c:\pvpvp.exec:\pvpvp.exe111⤵PID:4084
-
\??\c:\djvdp.exec:\djvdp.exe112⤵PID:2704
-
\??\c:\rffxrrl.exec:\rffxrrl.exe113⤵PID:4116
-
\??\c:\rlrllrr.exec:\rlrllrr.exe114⤵PID:1696
-
\??\c:\3nhhhh.exec:\3nhhhh.exe115⤵PID:1564
-
\??\c:\htbtnh.exec:\htbtnh.exe116⤵PID:3156
-
\??\c:\jdvvp.exec:\jdvvp.exe117⤵PID:4196
-
\??\c:\dvvvp.exec:\dvvvp.exe118⤵PID:988
-
\??\c:\rlllllf.exec:\rlllllf.exe119⤵PID:4032
-
\??\c:\ttbbbb.exec:\ttbbbb.exe120⤵PID:3668
-
\??\c:\tbnhhh.exec:\tbnhhh.exe121⤵PID:2912
-
\??\c:\djdpd.exec:\djdpd.exe122⤵PID:1036
-