Analysis
- max time kernel: 150s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2024, 13:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf8282ff9f3d6cfc8f058e1ae89b4470_NeikiAnalytics.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
- Target: cf8282ff9f3d6cfc8f058e1ae89b4470_NeikiAnalytics.exe
- Size: 267KB
- MD5: cf8282ff9f3d6cfc8f058e1ae89b4470
- SHA1: baeb34b5a61e239bb08fdefeda5395b4150217a0
- SHA256: d39880316c726b22b6fbe996b614626ca9d4b2d516bba73ebe60a147f9da3104
- SHA512: 29d0feaac12319a80cff685dbbb8a895fa10bc0d4cc18c23d19bcd63fbba53ec3f912e49a59398f09a1a54f1437cf1da2eb8ee0a762e860497477fb82c97618e
- SSDEEP: 3072:ymb3NkkiQ3mdBjFIi/0RU6QeYQsm71vPmPzTkV2y/QTa9RBZydZbf83pnzgmmIMN:n3C9BRIG0asYFm71mPfkVB8dKwaW9
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes