Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 14:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d32c0c17965f4607f7247ccf8d34e8a0_NeikiAnalytics.exe
Resource
win7-20240220-en
5 signatures
150 seconds
General
-
Target
d32c0c17965f4607f7247ccf8d34e8a0_NeikiAnalytics.exe
-
Size
141KB
-
MD5
d32c0c17965f4607f7247ccf8d34e8a0
-
SHA1
18519d41522ae88a64a51268b7377f57380b45ea
-
SHA256
46a6ac7d363788caeb1b577528e101fae47f3a0fb30c97135f3021fff57a8367
-
SHA512
e230d002fc7829655ef6717ad0482ab71ae90b54060132a4e6f6f2bc1a0bcbd585a4e4208089d08e16b99452508f289a4aa51167bbb389a8d0ae200ccbb21ded
-
SSDEEP
3072:ymb3NkkiQ3mdBjFIi/0RU6QeYQsm71vPmm8mzuFli55p15AV:n3C9BRIG0asYFm71mm8fliGV
Malware Config
Signatures
-
Detect Blackmoon payload 29 IoCs
resource yara_rule behavioral2/memory/1616-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/396-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/696-31-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/804-30-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/832-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4124-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2136-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4076-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4076-62-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4212-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2696-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1980-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2476-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4856-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4804-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/652-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2392-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4524-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4044-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4880-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/808-141-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4036-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3772-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3376-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4832-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3736-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3108-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2320-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1696-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 396 lflxxlr.exe 832 nnhhbh.exe 696 3vvvj.exe 804 vjjvp.exe 4124 lffxrlf.exe 2136 djjdj.exe 4212 djddp.exe 4076 fxxlrlf.exe 2696 flrlxfr.exe 1980 pjjdd.exe 2476 pdddv.exe 4856 lxxxrfx.exe 3344 thhbtn.exe 4804 pjjjd.exe 652 rrlrlll.exe 2392 thbttn.exe 4524 pdpjp.exe 4044 1flfrrl.exe 4880 tnhbtn.exe 808 vvppj.exe 4036 1ddvp.exe 3772 rllfxxx.exe 3408 7bbtnn.exe 3376 htbtnh.exe 868 jpjdv.exe 3952 lfrrxxl.exe 3736 9xfxrrl.exe 4832 tnntnt.exe 3108 pjvvp.exe 2320 vjjdv.exe 1696 rllffff.exe 3760 hbbtnh.exe 1196 fxfxfxx.exe 4704 rrxxffl.exe 4820 btttnn.exe 760 bhhbbt.exe 2356 vjdpp.exe 2124 1pvvp.exe 844 7rrlfxl.exe 4720 1lxrlfx.exe 2708 thnhhh.exe 2596 pvjdv.exe 3372 ffrrlff.exe 3440 9lxfxff.exe 4652 dpjjd.exe 2516 pjjdp.exe 1496 rxxrlll.exe 4076 5hhbtt.exe 4212 hbnhnn.exe 1744 vpvpj.exe 2696 ppvpv.exe 4560 rlrrlfx.exe 1904 9bhbtn.exe 1428 jjjdv.exe 4716 7jppj.exe 1892 llxfxrl.exe 4912 tthbtt.exe 652 bnhhbt.exe 3316 jdjdv.exe 4836 jdvjd.exe 1760 9rlxfxf.exe 1552 lfrlrxx.exe 964 thnhbt.exe 432 vpdvp.exe -
resource yara_rule behavioral2/memory/1616-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/396-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/696-31-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/804-30-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/832-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4124-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2136-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4076-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4212-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2696-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2696-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1980-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1980-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1980-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1980-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2476-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4856-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4804-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/652-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2392-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4524-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4044-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4880-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/808-141-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4036-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3772-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3376-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4832-187-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3736-188-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3108-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2320-201-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1696-206-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1616 wrote to memory of 396 1616 d32c0c17965f4607f7247ccf8d34e8a0_NeikiAnalytics.exe 83 PID 1616 wrote to memory of 396 1616 d32c0c17965f4607f7247ccf8d34e8a0_NeikiAnalytics.exe 83 PID 1616 wrote to memory of 396 1616 d32c0c17965f4607f7247ccf8d34e8a0_NeikiAnalytics.exe 83 PID 396 wrote to memory of 832 396 lflxxlr.exe 84 PID 396 wrote to memory of 832 396 lflxxlr.exe 84 PID 396 wrote to memory of 832 396 lflxxlr.exe 84 PID 832 wrote to memory of 696 832 nnhhbh.exe 85 PID 832 wrote to memory of 696 832 nnhhbh.exe 85 PID 832 wrote to memory of 696 832 nnhhbh.exe 85 PID 696 wrote to memory of 804 696 3vvvj.exe 86 PID 696 wrote to memory of 804 696 3vvvj.exe 86 PID 696 wrote to memory of 804 696 3vvvj.exe 86 PID 804 wrote to memory of 4124 804 vjjvp.exe 87 PID 804 wrote to memory of 4124 804 vjjvp.exe 87 PID 804 wrote to memory of 4124 804 vjjvp.exe 87 PID 4124 wrote to memory of 2136 4124 lffxrlf.exe 88 PID 4124 wrote to memory of 2136 4124 lffxrlf.exe 88 PID 4124 wrote to memory of 2136 4124 lffxrlf.exe 88 PID 2136 wrote to memory of 4212 2136 djjdj.exe 89 PID 2136 wrote to memory of 4212 2136 djjdj.exe 89 PID 2136 wrote to memory of 4212 2136 djjdj.exe 89 PID 4212 wrote to memory of 4076 4212 djddp.exe 90 PID 4212 wrote to memory of 4076 4212 djddp.exe 90 PID 4212 wrote to memory of 4076 4212 djddp.exe 90 PID 4076 wrote to memory of 2696 4076 fxxlrlf.exe 91 PID 4076 wrote to memory of 2696 4076 fxxlrlf.exe 91 PID 4076 wrote to memory of 2696 4076 fxxlrlf.exe 91 PID 2696 wrote to memory of 1980 2696 flrlxfr.exe 92 PID 2696 wrote to memory of 1980 2696 flrlxfr.exe 92 PID 2696 wrote to memory of 1980 2696 flrlxfr.exe 92 PID 1980 wrote to memory of 2476 1980 pjjdd.exe 93 PID 1980 wrote to memory of 2476 1980 pjjdd.exe 93 PID 1980 wrote to memory of 2476 1980 pjjdd.exe 93 PID 2476 wrote to memory of 4856 2476 pdddv.exe 94 PID 2476 wrote to memory of 4856 2476 pdddv.exe 94 PID 2476 wrote to memory of 4856 2476 pdddv.exe 94 PID 4856 
wrote to memory of 3344 4856 lxxxrfx.exe 95 PID 4856 wrote to memory of 3344 4856 lxxxrfx.exe 95 PID 4856 wrote to memory of 3344 4856 lxxxrfx.exe 95 PID 3344 wrote to memory of 4804 3344 thhbtn.exe 96 PID 3344 wrote to memory of 4804 3344 thhbtn.exe 96 PID 3344 wrote to memory of 4804 3344 thhbtn.exe 96 PID 4804 wrote to memory of 652 4804 pjjjd.exe 97 PID 4804 wrote to memory of 652 4804 pjjjd.exe 97 PID 4804 wrote to memory of 652 4804 pjjjd.exe 97 PID 652 wrote to memory of 2392 652 rrlrlll.exe 98 PID 652 wrote to memory of 2392 652 rrlrlll.exe 98 PID 652 wrote to memory of 2392 652 rrlrlll.exe 98 PID 2392 wrote to memory of 4524 2392 thbttn.exe 99 PID 2392 wrote to memory of 4524 2392 thbttn.exe 99 PID 2392 wrote to memory of 4524 2392 thbttn.exe 99 PID 4524 wrote to memory of 4044 4524 pdpjp.exe 100 PID 4524 wrote to memory of 4044 4524 pdpjp.exe 100 PID 4524 wrote to memory of 4044 4524 pdpjp.exe 100 PID 4044 wrote to memory of 4880 4044 1flfrrl.exe 101 PID 4044 wrote to memory of 4880 4044 1flfrrl.exe 101 PID 4044 wrote to memory of 4880 4044 1flfrrl.exe 101 PID 4880 wrote to memory of 808 4880 tnhbtn.exe 102 PID 4880 wrote to memory of 808 4880 tnhbtn.exe 102 PID 4880 wrote to memory of 808 4880 tnhbtn.exe 102 PID 808 wrote to memory of 4036 808 vvppj.exe 103 PID 808 wrote to memory of 4036 808 vvppj.exe 103 PID 808 wrote to memory of 4036 808 vvppj.exe 103 PID 4036 wrote to memory of 3772 4036 1ddvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d32c0c17965f4607f7247ccf8d34e8a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d32c0c17965f4607f7247ccf8d34e8a0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\lflxxlr.exec:\lflxxlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\nnhhbh.exec:\nnhhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\3vvvj.exec:\3vvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\vjjvp.exec:\vjjvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\lffxrlf.exec:\lffxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\djjdj.exec:\djjdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\djddp.exec:\djddp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\fxxlrlf.exec:\fxxlrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\flrlxfr.exec:\flrlxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\pjjdd.exec:\pjjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\pdddv.exec:\pdddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\lxxxrfx.exec:\lxxxrfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\thhbtn.exec:\thhbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\pjjjd.exec:\pjjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\rrlrlll.exec:\rrlrlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\thbttn.exec:\thbttn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\pdpjp.exec:\pdpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\1flfrrl.exec:\1flfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\tnhbtn.exec:\tnhbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\vvppj.exec:\vvppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\1ddvp.exec:\1ddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\rllfxxx.exec:\rllfxxx.exe23⤵
- Executes dropped EXE
PID:3772 -
\??\c:\7bbtnn.exec:\7bbtnn.exe24⤵
- Executes dropped EXE
PID:3408 -
\??\c:\htbtnh.exec:\htbtnh.exe25⤵
- Executes dropped EXE
PID:3376 -
\??\c:\jpjdv.exec:\jpjdv.exe26⤵
- Executes dropped EXE
PID:868 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe27⤵
- Executes dropped EXE
PID:3952 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe28⤵
- Executes dropped EXE
PID:3736 -
\??\c:\tnntnt.exec:\tnntnt.exe29⤵
- Executes dropped EXE
PID:4832 -
\??\c:\pjvvp.exec:\pjvvp.exe30⤵
- Executes dropped EXE
PID:3108 -
\??\c:\vjjdv.exec:\vjjdv.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\rllffff.exec:\rllffff.exe32⤵
- Executes dropped EXE
PID:1696 -
\??\c:\hbbtnh.exec:\hbbtnh.exe33⤵
- Executes dropped EXE
PID:3760 -
\??\c:\fxfxfxx.exec:\fxfxfxx.exe34⤵
- Executes dropped EXE
PID:1196 -
\??\c:\rrxxffl.exec:\rrxxffl.exe35⤵
- Executes dropped EXE
PID:4704 -
\??\c:\btttnn.exec:\btttnn.exe36⤵
- Executes dropped EXE
PID:4820 -
\??\c:\bhhbbt.exec:\bhhbbt.exe37⤵
- Executes dropped EXE
PID:760 -
\??\c:\vjdpp.exec:\vjdpp.exe38⤵
- Executes dropped EXE
PID:2356 -
\??\c:\1pvvp.exec:\1pvvp.exe39⤵
- Executes dropped EXE
PID:2124 -
\??\c:\7rrlfxl.exec:\7rrlfxl.exe40⤵
- Executes dropped EXE
PID:844 -
\??\c:\1lxrlfx.exec:\1lxrlfx.exe41⤵
- Executes dropped EXE
PID:4720 -
\??\c:\thnhhh.exec:\thnhhh.exe42⤵
- Executes dropped EXE
PID:2708 -
\??\c:\pvjdv.exec:\pvjdv.exe43⤵
- Executes dropped EXE
PID:2596 -
\??\c:\ffrrlff.exec:\ffrrlff.exe44⤵
- Executes dropped EXE
PID:3372 -
\??\c:\9lxfxff.exec:\9lxfxff.exe45⤵
- Executes dropped EXE
PID:3440 -
\??\c:\dpjjd.exec:\dpjjd.exe46⤵
- Executes dropped EXE
PID:4652 -
\??\c:\pjjdp.exec:\pjjdp.exe47⤵
- Executes dropped EXE
PID:2516 -
\??\c:\rxxrlll.exec:\rxxrlll.exe48⤵
- Executes dropped EXE
PID:1496 -
\??\c:\5hhbtt.exec:\5hhbtt.exe49⤵
- Executes dropped EXE
PID:4076 -
\??\c:\hbnhnn.exec:\hbnhnn.exe50⤵
- Executes dropped EXE
PID:4212 -
\??\c:\vpvpj.exec:\vpvpj.exe51⤵
- Executes dropped EXE
PID:1744 -
\??\c:\ppvpv.exec:\ppvpv.exe52⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rlrrlfx.exec:\rlrrlfx.exe53⤵
- Executes dropped EXE
PID:4560 -
\??\c:\9bhbtn.exec:\9bhbtn.exe54⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jjjdv.exec:\jjjdv.exe55⤵
- Executes dropped EXE
PID:1428 -
\??\c:\7jppj.exec:\7jppj.exe56⤵
- Executes dropped EXE
PID:4716 -
\??\c:\llxfxrl.exec:\llxfxrl.exe57⤵
- Executes dropped EXE
PID:1892 -
\??\c:\tthbtt.exec:\tthbtt.exe58⤵
- Executes dropped EXE
PID:4912 -
\??\c:\bnhhbt.exec:\bnhhbt.exe59⤵
- Executes dropped EXE
PID:652 -
\??\c:\jdjdv.exec:\jdjdv.exe60⤵
- Executes dropped EXE
PID:3316 -
\??\c:\jdvjd.exec:\jdvjd.exe61⤵
- Executes dropped EXE
PID:4836 -
\??\c:\9rlxfxf.exec:\9rlxfxf.exe62⤵
- Executes dropped EXE
PID:1760 -
\??\c:\lfrlrxx.exec:\lfrlrxx.exe63⤵
- Executes dropped EXE
PID:1552 -
\??\c:\thnhbt.exec:\thnhbt.exe64⤵
- Executes dropped EXE
PID:964 -
\??\c:\vpdvp.exec:\vpdvp.exe65⤵
- Executes dropped EXE
PID:432 -
\??\c:\vvvpp.exec:\vvvpp.exe66⤵PID:640
-
\??\c:\9rxrlff.exec:\9rxrlff.exe67⤵PID:3712
-
\??\c:\rrrrlll.exec:\rrrrlll.exe68⤵PID:1120
-
\??\c:\1nnnhh.exec:\1nnnhh.exe69⤵PID:4984
-
\??\c:\nbhbtt.exec:\nbhbtt.exe70⤵PID:2736
-
\??\c:\ppjdv.exec:\ppjdv.exe71⤵PID:868
-
\??\c:\dvpjd.exec:\dvpjd.exe72⤵PID:2120
-
\??\c:\rfffrrr.exec:\rfffrrr.exe73⤵PID:2676
-
\??\c:\xlrrlll.exec:\xlrrlll.exe74⤵PID:3736
-
\??\c:\bttnhh.exec:\bttnhh.exe75⤵PID:1212
-
\??\c:\bbbbbh.exec:\bbbbbh.exe76⤵PID:3540
-
\??\c:\nbbtnn.exec:\nbbtnn.exe77⤵PID:3496
-
\??\c:\pdpdp.exec:\pdpdp.exe78⤵PID:936
-
\??\c:\ffffxrx.exec:\ffffxrx.exe79⤵PID:1828
-
\??\c:\7xffffl.exec:\7xffffl.exe80⤵PID:3904
-
\??\c:\nhnnnn.exec:\nhnnnn.exe81⤵PID:3284
-
\??\c:\btttnn.exec:\btttnn.exe82⤵PID:4580
-
\??\c:\frffffr.exec:\frffffr.exe83⤵PID:4908
-
\??\c:\tnnnhh.exec:\tnnnhh.exe84⤵PID:3228
-
\??\c:\5hbtnn.exec:\5hbtnn.exe85⤵PID:1268
-
\??\c:\3ffxrxr.exec:\3ffxrxr.exe86⤵PID:5032
-
\??\c:\ffxxxlf.exec:\ffxxxlf.exe87⤵PID:4960
-
\??\c:\ttnnht.exec:\ttnnht.exe88⤵PID:4696
-
\??\c:\tnttnn.exec:\tnttnn.exe89⤵PID:3372
-
\??\c:\jjpjd.exec:\jjpjd.exe90⤵PID:2092
-
\??\c:\pjjdv.exec:\pjjdv.exe91⤵PID:616
-
\??\c:\lxlfxrr.exec:\lxlfxrr.exe92⤵PID:2628
-
\??\c:\llffxxx.exec:\llffxxx.exe93⤵PID:3784
-
\??\c:\7hnhht.exec:\7hnhht.exe94⤵PID:4168
-
\??\c:\7bbtnn.exec:\7bbtnn.exe95⤵PID:3628
-
\??\c:\tntnhb.exec:\tntnhb.exe96⤵PID:4556
-
\??\c:\pjpjv.exec:\pjpjv.exe97⤵PID:1744
-
\??\c:\lxxrrrx.exec:\lxxrrrx.exe98⤵PID:1280
-
\??\c:\rlrlffx.exec:\rlrlffx.exe99⤵PID:5048
-
\??\c:\thnhbb.exec:\thnhbb.exe100⤵PID:1680
-
\??\c:\1nnnhb.exec:\1nnnhb.exe101⤵PID:1668
-
\??\c:\jvddd.exec:\jvddd.exe102⤵PID:4480
-
\??\c:\dvddv.exec:\dvddv.exe103⤵PID:3724
-
\??\c:\rflxrrl.exec:\rflxrrl.exe104⤵PID:4632
-
\??\c:\xllfxxr.exec:\xllfxxr.exe105⤵PID:1944
-
\??\c:\xrrlflf.exec:\xrrlflf.exe106⤵PID:652
-
\??\c:\bthhtt.exec:\bthhtt.exe107⤵PID:3328
-
\??\c:\hbbtnn.exec:\hbbtnn.exe108⤵PID:4008
-
\??\c:\1vdvp.exec:\1vdvp.exe109⤵PID:3104
-
\??\c:\vpvvv.exec:\vpvvv.exe110⤵PID:2040
-
\??\c:\9xrrlll.exec:\9xrrlll.exe111⤵PID:964
-
\??\c:\lflffrr.exec:\lflffrr.exe112⤵PID:2488
-
\??\c:\tnnnhn.exec:\tnnnhn.exe113⤵PID:1576
-
\??\c:\bnnnhh.exec:\bnnnhh.exe114⤵PID:4316
-
\??\c:\jdddv.exec:\jdddv.exe115⤵PID:1896
-
\??\c:\jdvpj.exec:\jdvpj.exe116⤵PID:4732
-
\??\c:\flrlffl.exec:\flrlffl.exe117⤵PID:3952
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe118⤵PID:4364
-
\??\c:\hbttnn.exec:\hbttnn.exe119⤵PID:628
-
\??\c:\nhhbtn.exec:\nhhbtn.exe120⤵PID:3720
-
\??\c:\ntttnn.exec:\ntttnn.exe121⤵PID:3788
-
\??\c:\1jjdv.exec:\1jjdv.exe122⤵PID:2996
-