Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 13:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cafe89b4cd8d0d18e1b0dc511a56f7f0_NeikiAnalytics.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
cafe89b4cd8d0d18e1b0dc511a56f7f0_NeikiAnalytics.exe
-
Size
65KB
-
MD5
cafe89b4cd8d0d18e1b0dc511a56f7f0
-
SHA1
4aaa5981e06a8bc2e156cd76ef9b221be4276e90
-
SHA256
bb6f5a4092ee030bcdfc6dad9a2a924a340cd5f8bc4977bd79a280064ffc3d44
-
SHA512
c34c1faf26f47820503889ec8bfcca21e6cbc4464388f4cc53a8379f7e90ad70e0a14c72a4336f6023110a23bc1af669f5825b6ca65c5b386ac7bec0eb3a22bb
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3AyXm4:ymb3NkkiQ3mdBjFI46TQyXm4
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cafe89b4cd8d0d18e1b0dc511a56f7f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cafe89b4cd8d0d18e1b0dc511a56f7f0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\u644066.exec:\u644066.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\26484.exec:\26484.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\2006404.exec:\2006404.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\e68848.exec:\e68848.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\jvpjd.exec:\jvpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\hbntbb.exec:\hbntbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\866026.exec:\866026.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\fxlfflx.exec:\fxlfflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\flrxrfl.exec:\flrxrfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\fxfrrrx.exec:\fxfrrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\8262880.exec:\8262880.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\608844.exec:\608844.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\1flrxfx.exec:\1flrxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\nttbtt.exec:\nttbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\484488.exec:\484488.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\dvpvj.exec:\dvpvj.exe17⤵
- Executes dropped EXE
PID:1612 -
\??\c:\jddjp.exec:\jddjp.exe18⤵
- Executes dropped EXE
PID:1428 -
\??\c:\1rfxxxx.exec:\1rfxxxx.exe19⤵
- Executes dropped EXE
PID:2188 -
\??\c:\8608622.exec:\8608622.exe20⤵
- Executes dropped EXE
PID:1460 -
\??\c:\xlxrrxl.exec:\xlxrrxl.exe21⤵
- Executes dropped EXE
PID:2952 -
\??\c:\w68466.exec:\w68466.exe22⤵
- Executes dropped EXE
PID:1204 -
\??\c:\08624.exec:\08624.exe23⤵
- Executes dropped EXE
PID:2816 -
\??\c:\dpjpv.exec:\dpjpv.exe24⤵
- Executes dropped EXE
PID:2136 -
\??\c:\486228.exec:\486228.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\fxllrrf.exec:\fxllrrf.exe26⤵
- Executes dropped EXE
PID:2172 -
\??\c:\6028662.exec:\6028662.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\042240.exec:\042240.exe28⤵
- Executes dropped EXE
PID:292 -
\??\c:\086242.exec:\086242.exe29⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hbnthn.exec:\hbnthn.exe30⤵
- Executes dropped EXE
PID:2008 -
\??\c:\46006.exec:\46006.exe31⤵
- Executes dropped EXE
PID:984 -
\??\c:\bhhbbt.exec:\bhhbbt.exe32⤵
- Executes dropped EXE
PID:2796 -
\??\c:\tnhtbh.exec:\tnhtbh.exe33⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rlrlrrf.exec:\rlrlrrf.exe34⤵
- Executes dropped EXE
PID:2216 -
\??\c:\xxffxfr.exec:\xxffxfr.exe35⤵PID:2688
-
\??\c:\4206284.exec:\4206284.exe36⤵
- Executes dropped EXE
PID:1216 -
\??\c:\pddvv.exec:\pddvv.exe37⤵
- Executes dropped EXE
PID:2548 -
\??\c:\9hhntt.exec:\9hhntt.exe38⤵
- Executes dropped EXE
PID:1640 -
\??\c:\088800.exec:\088800.exe39⤵
- Executes dropped EXE
PID:2752 -
\??\c:\80622.exec:\80622.exe40⤵
- Executes dropped EXE
PID:2536 -
\??\c:\btbbhb.exec:\btbbhb.exe41⤵
- Executes dropped EXE
PID:2400 -
\??\c:\80606.exec:\80606.exe42⤵
- Executes dropped EXE
PID:2572 -
\??\c:\08484.exec:\08484.exe43⤵
- Executes dropped EXE
PID:2404 -
\??\c:\02006.exec:\02006.exe44⤵
- Executes dropped EXE
PID:2312 -
\??\c:\a0460.exec:\a0460.exe45⤵
- Executes dropped EXE
PID:1660 -
\??\c:\9hbtnb.exec:\9hbtnb.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\vpdjj.exec:\vpdjj.exe47⤵
- Executes dropped EXE
PID:2736 -
\??\c:\s8440.exec:\s8440.exe48⤵
- Executes dropped EXE
PID:2760 -
\??\c:\084422.exec:\084422.exe49⤵
- Executes dropped EXE
PID:2376 -
\??\c:\frxrfff.exec:\frxrfff.exe50⤵
- Executes dropped EXE
PID:616 -
\??\c:\646240.exec:\646240.exe51⤵
- Executes dropped EXE
PID:1552 -
\??\c:\2000266.exec:\2000266.exe52⤵
- Executes dropped EXE
PID:1880 -
\??\c:\thhhhh.exec:\thhhhh.exe53⤵
- Executes dropped EXE
PID:688 -
\??\c:\pjvpp.exec:\pjvpp.exe54⤵
- Executes dropped EXE
PID:1568 -
\??\c:\3djdp.exec:\3djdp.exe55⤵
- Executes dropped EXE
PID:1132 -
\??\c:\2682840.exec:\2682840.exe56⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lxlrfll.exec:\lxlrfll.exe57⤵
- Executes dropped EXE
PID:1428 -
\??\c:\26062.exec:\26062.exe58⤵
- Executes dropped EXE
PID:1480 -
\??\c:\xrffrrf.exec:\xrffrrf.exe59⤵
- Executes dropped EXE
PID:2932 -
\??\c:\vvjvv.exec:\vvjvv.exe60⤵
- Executes dropped EXE
PID:2904 -
\??\c:\64880.exec:\64880.exe61⤵
- Executes dropped EXE
PID:2900 -
\??\c:\pjvdv.exec:\pjvdv.exe62⤵
- Executes dropped EXE
PID:2824 -
\??\c:\1fffrrl.exec:\1fffrrl.exe63⤵
- Executes dropped EXE
PID:1788 -
\??\c:\rlrrllx.exec:\rlrrllx.exe64⤵
- Executes dropped EXE
PID:1276 -
\??\c:\lfxflxf.exec:\lfxflxf.exe65⤵
- Executes dropped EXE
PID:1144 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe66⤵
- Executes dropped EXE
PID:2360 -
\??\c:\c646824.exec:\c646824.exe67⤵PID:1592
-
\??\c:\9thhnt.exec:\9thhnt.exe68⤵PID:856
-
\??\c:\20040.exec:\20040.exe69⤵PID:1920
-
\??\c:\206282.exec:\206282.exe70⤵PID:2976
-
\??\c:\c844088.exec:\c844088.exe71⤵PID:1240
-
\??\c:\pjdjp.exec:\pjdjp.exe72⤵PID:1684
-
\??\c:\pdppd.exec:\pdppd.exe73⤵PID:2788
-
\??\c:\dpvvv.exec:\dpvvv.exe74⤵PID:1924
-
\??\c:\6400226.exec:\6400226.exe75⤵PID:1656
-
\??\c:\6002440.exec:\6002440.exe76⤵PID:2732
-
\??\c:\u244042.exec:\u244042.exe77⤵PID:2676
-
\??\c:\20606.exec:\20606.exe78⤵PID:2532
-
\??\c:\lrrffrr.exec:\lrrffrr.exe79⤵PID:2408
-
\??\c:\frlxffl.exec:\frlxffl.exe80⤵PID:2712
-
\??\c:\2088420.exec:\2088420.exe81⤵PID:2776
-
\??\c:\8246228.exec:\8246228.exe82⤵PID:1724
-
\??\c:\c468628.exec:\c468628.exe83⤵PID:2988
-
\??\c:\xrxfrxf.exec:\xrxfrxf.exe84⤵PID:2416
-
\??\c:\6424664.exec:\6424664.exe85⤵PID:760
-
\??\c:\lfrrllf.exec:\lfrrllf.exe86⤵PID:1696
-
\??\c:\vppdp.exec:\vppdp.exe87⤵PID:2460
-
\??\c:\dvddj.exec:\dvddj.exe88⤵PID:2624
-
\??\c:\9vvjj.exec:\9vvjj.exe89⤵PID:1648
-
\??\c:\nntbhn.exec:\nntbhn.exe90⤵PID:2792
-
\??\c:\xrffxxx.exec:\xrffxxx.exe91⤵PID:1796
-
\??\c:\hbnnbh.exec:\hbnnbh.exe92⤵PID:332
-
\??\c:\xrrxxfl.exec:\xrrxxfl.exe93⤵PID:1552
-
\??\c:\5hthnt.exec:\5hthnt.exe94⤵PID:808
-
\??\c:\60880.exec:\60880.exe95⤵PID:1752
-
\??\c:\64666.exec:\64666.exe96⤵PID:2876
-
\??\c:\dpjjd.exec:\dpjjd.exe97⤵PID:596
-
\??\c:\fxlrxfl.exec:\fxlrxfl.exe98⤵PID:1408
-
\??\c:\4284602.exec:\4284602.exe99⤵PID:2188
-
\??\c:\vpvdj.exec:\vpvdj.exe100⤵PID:2888
-
\??\c:\hnnnnn.exec:\hnnnnn.exe101⤵PID:2932
-
\??\c:\44662.exec:\44662.exe102⤵PID:2088
-
\??\c:\vpvvj.exec:\vpvvj.exe103⤵PID:2496
-
\??\c:\868400.exec:\868400.exe104⤵PID:2028
-
\??\c:\m0280.exec:\m0280.exe105⤵PID:636
-
\??\c:\o240280.exec:\o240280.exe106⤵PID:2068
-
\??\c:\a0846.exec:\a0846.exe107⤵PID:3012
-
\??\c:\642682.exec:\642682.exe108⤵PID:2240
-
\??\c:\tnhhtt.exec:\tnhhtt.exe109⤵PID:280
-
\??\c:\862800.exec:\862800.exe110⤵PID:292
-
\??\c:\7rlrrlr.exec:\7rlrrlr.exe111⤵PID:2168
-
\??\c:\dvdjv.exec:\dvdjv.exe112⤵PID:2968
-
\??\c:\o404600.exec:\o404600.exe113⤵PID:2852
-
\??\c:\bthhbh.exec:\bthhbh.exe114⤵PID:880
-
\??\c:\lxlrxxf.exec:\lxlrxxf.exe115⤵PID:2484
-
\??\c:\g0846.exec:\g0846.exe116⤵PID:2508
-
\??\c:\26228.exec:\26228.exe117⤵PID:2216
-
\??\c:\bnbbbh.exec:\bnbbbh.exe118⤵PID:2688
-
\??\c:\tnnbtt.exec:\tnnbtt.exe119⤵PID:2540
-
\??\c:\llxxllr.exec:\llxxllr.exe120⤵PID:1536
-
\??\c:\nhnthh.exec:\nhnthh.exe121⤵PID:1544
-
\??\c:\llrxxll.exec:\llrxxll.exe122⤵PID:2424