Analysis
-
max time kernel
145s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 13:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
caf3fd8220d7fd196398eef36ba4d620_NeikiAnalytics.exe
Resource
win7-20231129-en
5 signatures
150 seconds
General
-
Target
caf3fd8220d7fd196398eef36ba4d620_NeikiAnalytics.exe
-
Size
74KB
-
MD5
caf3fd8220d7fd196398eef36ba4d620
-
SHA1
cc518702f549ad574b7ae863bb58ef2eac4675ba
-
SHA256
e15eb17ce9b15f9a929edfcd4d8c3deaf4e8f115c05dedc8d18b464a2ac71fb3
-
SHA512
e7558aca39c689de06ca7745f9e98c7024cfc4a49fb58c547c8540ccf4876c3e3ff3c13c5383ca51d7902f06bd50b67e62854f831c6fe772bd088012d3a43349
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIrmCeRMKeWqNSZh:ymb3NkkiQ3mdBjFIjek5E
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
resource yara_rule behavioral2/memory/1644-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4340-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3280-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1264-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2740-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2012-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2904-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4588-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3692-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/856-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2940-98-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/232-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/740-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4092-116-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4444-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2508-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4208-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5024-143-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1476-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1988-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4332-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1000-164-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3628-169-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4748-175-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4708-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2120-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2620-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2956-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4340 hhtttt.exe 3280 pdppd.exe 1264 xfffxlf.exe 2740 nnhhbb.exe 2012 tnbtbh.exe 2904 9pvpj.exe 1932 3lxxrrx.exe 4588 bthtbb.exe 3692 djvdv.exe 856 xlrlfrf.exe 4236 1bhtnh.exe 3668 5djdp.exe 2940 dvdjp.exe 232 xrxfrxr.exe 740 bhhbth.exe 4092 lfxrlfx.exe 4444 ttttnt.exe 2508 ppjvj.exe 4208 rxxrrrx.exe 5024 1xxrllf.exe 1476 tnhhnh.exe 1988 vjvvv.exe 4332 3rrllff.exe 1000 7ntnhh.exe 3628 9nnhbb.exe 4748 xrxrxrx.exe 4708 thbbbb.exe 2120 1vdvp.exe 1092 rlfxllf.exe 2620 9xffxxl.exe 2956 bnnnhb.exe 3108 btbtbt.exe 1764 9pvdp.exe 2364 9xlxrrl.exe 1736 bttnhh.exe 1152 dvdpv.exe 3496 lfxxlrl.exe 776 7xxxrlf.exe 3800 httnbb.exe 2404 jpdvp.exe 4840 djjvj.exe 2932 lfxlfrl.exe 2780 bhbthb.exe 4864 nbbnhh.exe 544 vdpdp.exe 5036 lxrfxlf.exe 3692 bhbbbb.exe 5060 5dddp.exe 3984 pdvpd.exe 3148 lfrrrrr.exe 3896 lxrrlff.exe 1700 ttbnhb.exe 232 vpppd.exe 740 vppjv.exe 2520 3llfrlf.exe 4600 rxlflfl.exe 3128 htnbtn.exe 2280 1pvpd.exe 4520 dpvpd.exe 1900 xrrfrrl.exe 1588 rrrlffr.exe 4968 hnnhbt.exe 4656 jvjdv.exe 5088 9pjdp.exe -
(Note: PIDs 3692, 232 and 740 each appear twice above with different image names, presumably because the OS reused the PID later in the chain; correlate on PID together with image name, not on PID alone.)
UPX packed file 33 IoCs
resource yara_rule behavioral2/memory/1644-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4340-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4340-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4340-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3280-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1264-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2740-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2012-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2904-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1932-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1932-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1932-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4588-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3692-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/856-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2940-98-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/232-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/740-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4092-116-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4444-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2508-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4208-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5024-143-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1476-145-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1988-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4332-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1000-164-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3628-169-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4748-175-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4708-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2120-187-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2620-199-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2956-206-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1644 wrote to memory of 4340 1644 caf3fd8220d7fd196398eef36ba4d620_NeikiAnalytics.exe 83 PID 1644 wrote to memory of 4340 1644 caf3fd8220d7fd196398eef36ba4d620_NeikiAnalytics.exe 83 PID 1644 wrote to memory of 4340 1644 caf3fd8220d7fd196398eef36ba4d620_NeikiAnalytics.exe 83 PID 4340 wrote to memory of 3280 4340 hhtttt.exe 84 PID 4340 wrote to memory of 3280 4340 hhtttt.exe 84 PID 4340 wrote to memory of 3280 4340 hhtttt.exe 84 PID 3280 wrote to memory of 1264 3280 pdppd.exe 85 PID 3280 wrote to memory of 1264 3280 pdppd.exe 85 PID 3280 wrote to memory of 1264 3280 pdppd.exe 85 PID 1264 wrote to memory of 2740 1264 xfffxlf.exe 86 PID 1264 wrote to memory of 2740 1264 xfffxlf.exe 86 PID 1264 wrote to memory of 2740 1264 xfffxlf.exe 86 PID 2740 wrote to memory of 2012 2740 nnhhbb.exe 87 PID 2740 wrote to memory of 2012 2740 nnhhbb.exe 87 PID 2740 wrote to memory of 2012 2740 nnhhbb.exe 87 PID 2012 wrote to memory of 2904 2012 tnbtbh.exe 88 PID 2012 wrote to memory of 2904 2012 tnbtbh.exe 88 PID 2012 wrote to memory of 2904 2012 tnbtbh.exe 88 PID 2904 wrote to memory of 1932 2904 9pvpj.exe 89 PID 2904 wrote to memory of 1932 2904 9pvpj.exe 89 PID 2904 wrote to memory of 1932 2904 9pvpj.exe 89 PID 1932 wrote to memory of 4588 1932 3lxxrrx.exe 90 PID 1932 wrote to memory of 4588 1932 3lxxrrx.exe 90 PID 1932 wrote to memory of 4588 1932 3lxxrrx.exe 90 PID 4588 wrote to memory of 3692 4588 bthtbb.exe 91 PID 4588 wrote to memory of 3692 4588 bthtbb.exe 91 PID 4588 wrote to memory of 3692 4588 bthtbb.exe 91 PID 3692 wrote to memory of 856 3692 djvdv.exe 92 PID 3692 wrote to memory of 856 3692 djvdv.exe 92 PID 3692 wrote to memory of 856 3692 djvdv.exe 92 PID 856 wrote to memory of 4236 856 xlrlfrf.exe 93 PID 856 wrote to memory of 4236 856 xlrlfrf.exe 93 PID 856 wrote to memory of 4236 856 xlrlfrf.exe 93 PID 4236 wrote to memory of 3668 4236 1bhtnh.exe 94 PID 4236 wrote to memory of 3668 4236 1bhtnh.exe 94 PID 4236 wrote to memory of 
3668 4236 1bhtnh.exe 94 PID 3668 wrote to memory of 2940 3668 5djdp.exe 95 PID 3668 wrote to memory of 2940 3668 5djdp.exe 95 PID 3668 wrote to memory of 2940 3668 5djdp.exe 95 PID 2940 wrote to memory of 232 2940 dvdjp.exe 96 PID 2940 wrote to memory of 232 2940 dvdjp.exe 96 PID 2940 wrote to memory of 232 2940 dvdjp.exe 96 PID 232 wrote to memory of 740 232 xrxfrxr.exe 97 PID 232 wrote to memory of 740 232 xrxfrxr.exe 97 PID 232 wrote to memory of 740 232 xrxfrxr.exe 97 PID 740 wrote to memory of 4092 740 bhhbth.exe 98 PID 740 wrote to memory of 4092 740 bhhbth.exe 98 PID 740 wrote to memory of 4092 740 bhhbth.exe 98 PID 4092 wrote to memory of 4444 4092 lfxrlfx.exe 99 PID 4092 wrote to memory of 4444 4092 lfxrlfx.exe 99 PID 4092 wrote to memory of 4444 4092 lfxrlfx.exe 99 PID 4444 wrote to memory of 2508 4444 ttttnt.exe 100 PID 4444 wrote to memory of 2508 4444 ttttnt.exe 100 PID 4444 wrote to memory of 2508 4444 ttttnt.exe 100 PID 2508 wrote to memory of 4208 2508 ppjvj.exe 101 PID 2508 wrote to memory of 4208 2508 ppjvj.exe 101 PID 2508 wrote to memory of 4208 2508 ppjvj.exe 101 PID 4208 wrote to memory of 5024 4208 rxxrrrx.exe 102 PID 4208 wrote to memory of 5024 4208 rxxrrrx.exe 102 PID 4208 wrote to memory of 5024 4208 rxxrrrx.exe 102 PID 5024 wrote to memory of 1476 5024 1xxrllf.exe 103 PID 5024 wrote to memory of 1476 5024 1xxrllf.exe 103 PID 5024 wrote to memory of 1476 5024 1xxrllf.exe 103 PID 1476 wrote to memory of 1988 1476 tnhhnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\caf3fd8220d7fd196398eef36ba4d620_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\caf3fd8220d7fd196398eef36ba4d620_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\hhtttt.exec:\hhtttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\pdppd.exec:\pdppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\xfffxlf.exec:\xfffxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\nnhhbb.exec:\nnhhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\tnbtbh.exec:\tnbtbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\9pvpj.exec:\9pvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\3lxxrrx.exec:\3lxxrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\bthtbb.exec:\bthtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\djvdv.exec:\djvdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\xlrlfrf.exec:\xlrlfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\1bhtnh.exec:\1bhtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\5djdp.exec:\5djdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\dvdjp.exec:\dvdjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\xrxfrxr.exec:\xrxfrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\bhhbth.exec:\bhhbth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\ttttnt.exec:\ttttnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\ppjvj.exec:\ppjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\rxxrrrx.exec:\rxxrrrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\1xxrllf.exec:\1xxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\tnhhnh.exec:\tnhhnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\vjvvv.exec:\vjvvv.exe23⤵
- Executes dropped EXE
PID:1988 -
\??\c:\3rrllff.exec:\3rrllff.exe24⤵
- Executes dropped EXE
PID:4332 -
\??\c:\7ntnhh.exec:\7ntnhh.exe25⤵
- Executes dropped EXE
PID:1000 -
\??\c:\9nnhbb.exec:\9nnhbb.exe26⤵
- Executes dropped EXE
PID:3628 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe27⤵
- Executes dropped EXE
PID:4748 -
\??\c:\thbbbb.exec:\thbbbb.exe28⤵
- Executes dropped EXE
PID:4708 -
\??\c:\1vdvp.exec:\1vdvp.exe29⤵
- Executes dropped EXE
PID:2120 -
\??\c:\rlfxllf.exec:\rlfxllf.exe30⤵
- Executes dropped EXE
PID:1092 -
\??\c:\9xffxxl.exec:\9xffxxl.exe31⤵
- Executes dropped EXE
PID:2620 -
\??\c:\bnnnhb.exec:\bnnnhb.exe32⤵
- Executes dropped EXE
PID:2956 -
\??\c:\btbtbt.exec:\btbtbt.exe33⤵
- Executes dropped EXE
PID:3108 -
\??\c:\9pvdp.exec:\9pvdp.exe34⤵
- Executes dropped EXE
PID:1764 -
\??\c:\9xlxrrl.exec:\9xlxrrl.exe35⤵
- Executes dropped EXE
PID:2364 -
\??\c:\bhhhbb.exec:\bhhhbb.exe36⤵PID:4908
-
\??\c:\bttnhh.exec:\bttnhh.exe37⤵
- Executes dropped EXE
PID:1736 -
\??\c:\dvdpv.exec:\dvdpv.exe38⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lfxxlrl.exec:\lfxxlrl.exe39⤵
- Executes dropped EXE
PID:3496 -
\??\c:\7xxxrlf.exec:\7xxxrlf.exe40⤵
- Executes dropped EXE
PID:776 -
\??\c:\httnbb.exec:\httnbb.exe41⤵
- Executes dropped EXE
PID:3800 -
\??\c:\jpdvp.exec:\jpdvp.exe42⤵
- Executes dropped EXE
PID:2404 -
\??\c:\djjvj.exec:\djjvj.exe43⤵
- Executes dropped EXE
PID:4840 -
\??\c:\lfxlfrl.exec:\lfxlfrl.exe44⤵
- Executes dropped EXE
PID:2932 -
\??\c:\bhbthb.exec:\bhbthb.exe45⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nbbnhh.exec:\nbbnhh.exe46⤵
- Executes dropped EXE
PID:4864 -
\??\c:\vdpdp.exec:\vdpdp.exe47⤵
- Executes dropped EXE
PID:544 -
\??\c:\lxrfxlf.exec:\lxrfxlf.exe48⤵
- Executes dropped EXE
PID:5036 -
\??\c:\bhbbbb.exec:\bhbbbb.exe49⤵
- Executes dropped EXE
PID:3692 -
\??\c:\5dddp.exec:\5dddp.exe50⤵
- Executes dropped EXE
PID:5060 -
\??\c:\pdvpd.exec:\pdvpd.exe51⤵
- Executes dropped EXE
PID:3984 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe52⤵
- Executes dropped EXE
PID:3148 -
\??\c:\lxrrlff.exec:\lxrrlff.exe53⤵
- Executes dropped EXE
PID:3896 -
\??\c:\ttbnhb.exec:\ttbnhb.exe54⤵
- Executes dropped EXE
PID:1700 -
\??\c:\vpppd.exec:\vpppd.exe55⤵
- Executes dropped EXE
PID:232 -
\??\c:\vppjv.exec:\vppjv.exe56⤵
- Executes dropped EXE
PID:740 -
\??\c:\3llfrlf.exec:\3llfrlf.exe57⤵
- Executes dropped EXE
PID:2520 -
\??\c:\rxlflfl.exec:\rxlflfl.exe58⤵
- Executes dropped EXE
PID:4600 -
\??\c:\htnbtn.exec:\htnbtn.exe59⤵
- Executes dropped EXE
PID:3128 -
\??\c:\1pvpd.exec:\1pvpd.exe60⤵
- Executes dropped EXE
PID:2280 -
\??\c:\dpvpd.exec:\dpvpd.exe61⤵
- Executes dropped EXE
PID:4520 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe62⤵
- Executes dropped EXE
PID:1900 -
\??\c:\rrrlffr.exec:\rrrlffr.exe63⤵
- Executes dropped EXE
PID:1588 -
\??\c:\hnnhbt.exec:\hnnhbt.exe64⤵
- Executes dropped EXE
PID:4968 -
\??\c:\jvjdv.exec:\jvjdv.exe65⤵
- Executes dropped EXE
PID:4656 -
\??\c:\9pjdp.exec:\9pjdp.exe66⤵
- Executes dropped EXE
PID:5088 -
\??\c:\9lxrxrf.exec:\9lxrxrf.exe67⤵PID:1000
-
\??\c:\5hbtbt.exec:\5hbtbt.exe68⤵PID:5048
-
\??\c:\btntnt.exec:\btntnt.exe69⤵PID:3680
-
\??\c:\7vvjv.exec:\7vvjv.exe70⤵PID:3440
-
\??\c:\vjdpd.exec:\vjdpd.exe71⤵PID:884
-
\??\c:\lllrfrl.exec:\lllrfrl.exe72⤵PID:3052
-
\??\c:\5xrlfrl.exec:\5xrlfrl.exe73⤵PID:4576
-
\??\c:\bthbtn.exec:\bthbtn.exe74⤵PID:1492
-
\??\c:\1bbnhb.exec:\1bbnhb.exe75⤵PID:4596
-
\??\c:\7pjjj.exec:\7pjjj.exe76⤵PID:412
-
\??\c:\xxfxlff.exec:\xxfxlff.exe77⤵PID:4776
-
\??\c:\9bbttn.exec:\9bbttn.exe78⤵PID:4568
-
\??\c:\5tnhtn.exec:\5tnhtn.exe79⤵PID:4380
-
\??\c:\tnbthb.exec:\tnbthb.exe80⤵PID:644
-
\??\c:\vddvp.exec:\vddvp.exe81⤵PID:4744
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe82⤵PID:3524
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe83⤵PID:2876
-
\??\c:\bthhbb.exec:\bthhbb.exe84⤵PID:4064
-
\??\c:\7vddp.exec:\7vddp.exe85⤵PID:1264
-
\??\c:\frfxxrf.exec:\frfxxrf.exe86⤵PID:3664
-
\??\c:\3xlfxff.exec:\3xlfxff.exe87⤵PID:2012
-
\??\c:\5flxxrr.exec:\5flxxrr.exe88⤵PID:4640
-
\??\c:\bthbtn.exec:\bthbtn.exe89⤵PID:3860
-
\??\c:\hbbnhb.exec:\hbbnhb.exe90⤵PID:1344
-
\??\c:\pjpdj.exec:\pjpdj.exe91⤵PID:3296
-
\??\c:\fxxlxrf.exec:\fxxlxrf.exe92⤵PID:5004
-
\??\c:\7xxrlfr.exec:\7xxrlfr.exe93⤵PID:4088
-
\??\c:\ttnbtn.exec:\ttnbtn.exe94⤵PID:4120
-
\??\c:\nnhbhb.exec:\nnhbhb.exe95⤵PID:4552
-
\??\c:\pdpdp.exec:\pdpdp.exe96⤵PID:3724
-
\??\c:\9pdpp.exec:\9pdpp.exe97⤵PID:180
-
\??\c:\flrlxrl.exec:\flrlxrl.exe98⤵PID:4416
-
\??\c:\httnhb.exec:\httnhb.exe99⤵PID:3160
-
\??\c:\nhhthb.exec:\nhhthb.exe100⤵PID:3236
-
\??\c:\nbbthb.exec:\nbbthb.exe101⤵PID:4480
-
\??\c:\vvpdp.exec:\vvpdp.exe102⤵PID:876
-
\??\c:\7xrrxfr.exec:\7xrrxfr.exe103⤵PID:2700
-
\??\c:\hnbtnh.exec:\hnbtnh.exe104⤵PID:2096
-
\??\c:\btnhnt.exec:\btnhnt.exe105⤵PID:3000
-
\??\c:\ttttbt.exec:\ttttbt.exe106⤵PID:3180
-
\??\c:\dvvpd.exec:\dvvpd.exe107⤵PID:1588
-
\??\c:\jpdvp.exec:\jpdvp.exe108⤵PID:1988
-
\??\c:\lffxxrf.exec:\lffxxrf.exe109⤵PID:4860
-
\??\c:\lrlxfxl.exec:\lrlxfxl.exe110⤵PID:1784
-
\??\c:\bbhhbb.exec:\bbhhbb.exe111⤵PID:2376
-
\??\c:\vvdvj.exec:\vvdvj.exe112⤵PID:4528
-
\??\c:\ppjdj.exec:\ppjdj.exe113⤵PID:3680
-
\??\c:\lfxlrfl.exec:\lfxlrfl.exe114⤵PID:3760
-
\??\c:\xxrfllx.exec:\xxrfllx.exe115⤵PID:3096
-
\??\c:\1hbtht.exec:\1hbtht.exe116⤵PID:2856
-
\??\c:\vvdvp.exec:\vvdvp.exe117⤵PID:4576
-
\??\c:\dvdpj.exec:\dvdpj.exe118⤵PID:2560
-
\??\c:\3rlfrlf.exec:\3rlfrlf.exe119⤵PID:2620
-
\??\c:\xfxxlfr.exec:\xfxxlfr.exe120⤵PID:2956
-
\??\c:\lxfxlfx.exec:\lxfxlfx.exe121⤵PID:4712
-
\??\c:\tththt.exec:\tththt.exe122⤵PID:4368
-