Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
03-06-2024 12:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a416cb69bb0f66fa7280dc7dc6c63010_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
a416cb69bb0f66fa7280dc7dc6c63010_NeikiAnalytics.exe
-
Size
123KB
-
MD5
a416cb69bb0f66fa7280dc7dc6c63010
-
SHA1
5842a369d8426843b895b3381710dd5874cbfe11
-
SHA256
858abb320501f986406a26f18f49d5b01596378e3d5de8229465ec8849b28dc3
-
SHA512
f13990bd50ab41c9d236f899f5a79678ae26e45fc4947ce2a4346cdfd8f3b3c383e11483eb4b89d5ee26a32110f4bd1b4073941c536a73a9a6ec4cf444008e57
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX90If9y1:n3C9BRW0j/uVEZFmI+
Malware Config
Signatures
-
Detect Blackmoon payload 18 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a416cb69bb0f66fa7280dc7dc6c63010_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a416cb69bb0f66fa7280dc7dc6c63010_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\1xrxlrr.exec:\1xrxlrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\bbtbth.exec:\bbtbth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\1rrfrxl.exec:\1rrfrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\nnbnht.exec:\nnbnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\djjdj.exec:\djjdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\xrxlxxl.exec:\xrxlxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\tnbbhh.exec:\tnbbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\tnbhbb.exec:\tnbhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\vpdvj.exec:\vpdvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\5fxxlxf.exec:\5fxxlxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\hhbhtb.exec:\hhbhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\bthbht.exec:\bthbht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\vvjvd.exec:\vvjvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\ffrlflx.exec:\ffrlflx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\5bbhbn.exec:\5bbhbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\nhtnth.exec:\nhtnth.exe17⤵
- Executes dropped EXE
PID:2868 -
\??\c:\vdpvd.exec:\vdpvd.exe18⤵
- Executes dropped EXE
PID:1280 -
\??\c:\3xrflxl.exec:\3xrflxl.exe19⤵
- Executes dropped EXE
PID:2864 -
\??\c:\fxrxlrf.exec:\fxrxlrf.exe20⤵
- Executes dropped EXE
PID:2184 -
\??\c:\7btnhb.exec:\7btnhb.exe21⤵
- Executes dropped EXE
PID:1196 -
\??\c:\ppppd.exec:\ppppd.exe22⤵
- Executes dropped EXE
PID:664 -
\??\c:\flrrrll.exec:\flrrrll.exe23⤵
- Executes dropped EXE
PID:1544 -
\??\c:\bbbhnn.exec:\bbbhnn.exe24⤵
- Executes dropped EXE
PID:1784 -
\??\c:\tnbnth.exec:\tnbnth.exe25⤵
- Executes dropped EXE
PID:1312 -
\??\c:\9vppj.exec:\9vppj.exe26⤵
- Executes dropped EXE
PID:848 -
\??\c:\xrflflx.exec:\xrflflx.exe27⤵
- Executes dropped EXE
PID:1300 -
\??\c:\lfrllrf.exec:\lfrllrf.exe28⤵
- Executes dropped EXE
PID:1752 -
\??\c:\nnbhtb.exec:\nnbhtb.exe29⤵
- Executes dropped EXE
PID:644 -
\??\c:\jvvdd.exec:\jvvdd.exe30⤵
- Executes dropped EXE
PID:1948 -
\??\c:\jjjvj.exec:\jjjvj.exe31⤵
- Executes dropped EXE
PID:980 -
\??\c:\llfrxfx.exec:\llfrxfx.exe32⤵
- Executes dropped EXE
PID:3056 -
\??\c:\tnbnbh.exec:\tnbnbh.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nhbbhn.exec:\nhbbhn.exe34⤵
- Executes dropped EXE
PID:1932 -
\??\c:\jdvvd.exec:\jdvvd.exe35⤵
- Executes dropped EXE
PID:1508 -
\??\c:\7jvpv.exec:\7jvpv.exe36⤵
- Executes dropped EXE
PID:2668 -
\??\c:\9xflfxr.exec:\9xflfxr.exe37⤵
- Executes dropped EXE
PID:3028 -
\??\c:\3rflxxx.exec:\3rflxxx.exe38⤵
- Executes dropped EXE
PID:2672 -
\??\c:\nnbnhn.exec:\nnbnhn.exe39⤵
- Executes dropped EXE
PID:2576 -
\??\c:\nhtbnt.exec:\nhtbnt.exe40⤵
- Executes dropped EXE
PID:1944 -
\??\c:\ppjpj.exec:\ppjpj.exe41⤵
- Executes dropped EXE
PID:2648 -
\??\c:\pppvd.exec:\pppvd.exe42⤵
- Executes dropped EXE
PID:2444 -
\??\c:\xrllrrx.exec:\xrllrrx.exe43⤵
- Executes dropped EXE
PID:2480 -
\??\c:\rlxrlrf.exec:\rlxrlrf.exe44⤵
- Executes dropped EXE
PID:2896 -
\??\c:\nnhhtt.exec:\nnhhtt.exe45⤵
- Executes dropped EXE
PID:1964 -
\??\c:\hththb.exec:\hththb.exe46⤵
- Executes dropped EXE
PID:1884 -
\??\c:\3vpvj.exec:\3vpvj.exe47⤵
- Executes dropped EXE
PID:1488 -
\??\c:\1vvjv.exec:\1vvjv.exe48⤵
- Executes dropped EXE
PID:2512 -
\??\c:\rlfllxl.exec:\rlfllxl.exe49⤵
- Executes dropped EXE
PID:2748 -
\??\c:\xrflxff.exec:\xrflxff.exe50⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tntbtt.exec:\tntbtt.exe51⤵
- Executes dropped EXE
PID:316 -
\??\c:\nhbhnn.exec:\nhbhnn.exe52⤵
- Executes dropped EXE
PID:800 -
\??\c:\hbntht.exec:\hbntht.exe53⤵
- Executes dropped EXE
PID:2120 -
\??\c:\ppjjv.exec:\ppjjv.exe54⤵
- Executes dropped EXE
PID:2332 -
\??\c:\5vppp.exec:\5vppp.exe55⤵
- Executes dropped EXE
PID:2084 -
\??\c:\7lxxrxf.exec:\7lxxrxf.exe56⤵
- Executes dropped EXE
PID:1132 -
\??\c:\rlfrxfl.exec:\rlfrxfl.exe57⤵
- Executes dropped EXE
PID:2884 -
\??\c:\tnbnbh.exec:\tnbnbh.exe58⤵
- Executes dropped EXE
PID:2548 -
\??\c:\pjpvj.exec:\pjpvj.exe59⤵
- Executes dropped EXE
PID:2212 -
\??\c:\vpjpv.exec:\vpjpv.exe60⤵
- Executes dropped EXE
PID:2284 -
\??\c:\vpvjp.exec:\vpvjp.exe61⤵
- Executes dropped EXE
PID:1196 -
\??\c:\xrffrxl.exec:\xrffrxl.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\7btbht.exec:\7btbht.exe63⤵
- Executes dropped EXE
PID:1656 -
\??\c:\btnttt.exec:\btnttt.exe64⤵
- Executes dropped EXE
PID:1468 -
\??\c:\pppvj.exec:\pppvj.exe65⤵
- Executes dropped EXE
PID:1108 -
\??\c:\vpdjj.exec:\vpdjj.exe66⤵PID:2068
-
\??\c:\rrllfxr.exec:\rrllfxr.exe67⤵PID:1796
-
\??\c:\xxlrfrx.exec:\xxlrfrx.exe68⤵PID:948
-
\??\c:\tnthbb.exec:\tnthbb.exe69⤵PID:688
-
\??\c:\1thtbh.exec:\1thtbh.exe70⤵PID:680
-
\??\c:\pjppd.exec:\pjppd.exe71⤵PID:2976
-
\??\c:\7dpdp.exec:\7dpdp.exe72⤵PID:1948
-
\??\c:\lxxlrlx.exec:\lxxlrlx.exe73⤵PID:308
-
\??\c:\7frxxxr.exec:\7frxxxr.exe74⤵PID:876
-
\??\c:\1nhbnb.exec:\1nhbnb.exe75⤵PID:2948
-
\??\c:\btnnbh.exec:\btnnbh.exe76⤵PID:1632
-
\??\c:\9vjjv.exec:\9vjjv.exe77⤵PID:1612
-
\??\c:\3jpdj.exec:\3jpdj.exe78⤵PID:2632
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe79⤵PID:2676
-
\??\c:\7rrfffr.exec:\7rrfffr.exe80⤵PID:2596
-
\??\c:\bbttnb.exec:\bbttnb.exe81⤵PID:3004
-
\??\c:\jdpjp.exec:\jdpjp.exe82⤵PID:2612
-
\??\c:\dvjpv.exec:\dvjpv.exe83⤵PID:2708
-
\??\c:\5xrxxxl.exec:\5xrxxxl.exe84⤵PID:2564
-
\??\c:\xxllxxl.exec:\xxllxxl.exe85⤵PID:2516
-
\??\c:\tnhbht.exec:\tnhbht.exe86⤵PID:2572
-
\??\c:\bnbhnh.exec:\bnbhnh.exe87⤵PID:108
-
\??\c:\dvjpd.exec:\dvjpd.exe88⤵PID:1584
-
\??\c:\1vvvv.exec:\1vvvv.exe89⤵PID:1524
-
\??\c:\fxrxfxf.exec:\fxrxfxf.exe90⤵PID:1876
-
\??\c:\3xrlllx.exec:\3xrlllx.exe91⤵PID:2520
-
\??\c:\bnbhbb.exec:\bnbhbb.exe92⤵PID:348
-
\??\c:\bthnhn.exec:\bthnhn.exe93⤵PID:1836
-
\??\c:\jjdjd.exec:\jjdjd.exe94⤵PID:1532
-
\??\c:\vpdjv.exec:\vpdjv.exe95⤵PID:796
-
\??\c:\ffxfrfr.exec:\ffxfrfr.exe96⤵PID:2092
-
\??\c:\bbthtt.exec:\bbthtt.exe97⤵PID:1424
-
\??\c:\9btthn.exec:\9btthn.exe98⤵PID:2920
-
\??\c:\jjvdd.exec:\jjvdd.exe99⤵PID:2912
-
\??\c:\pjvjv.exec:\pjvjv.exe100⤵PID:2204
-
\??\c:\9rfrxxl.exec:\9rfrxxl.exe101⤵PID:1896
-
\??\c:\xfxrffl.exec:\xfxrffl.exe102⤵PID:2064
-
\??\c:\7bnnnt.exec:\7bnnnt.exe103⤵PID:1104
-
\??\c:\hhtnnb.exec:\hhtnnb.exe104⤵PID:584
-
\??\c:\vvjjj.exec:\vvjjj.exe105⤵PID:836
-
\??\c:\1vjpd.exec:\1vjpd.exe106⤵PID:1656
-
\??\c:\5lflrrf.exec:\5lflrrf.exe107⤵PID:1440
-
\??\c:\thbbbn.exec:\thbbbn.exe108⤵PID:2072
-
\??\c:\7bnthn.exec:\7bnthn.exe109⤵PID:1956
-
\??\c:\jdpdj.exec:\jdpdj.exe110⤵PID:1192
-
\??\c:\ddddd.exec:\ddddd.exe111⤵PID:1752
-
\??\c:\pjdjd.exec:\pjdjd.exe112⤵PID:2840
-
\??\c:\xrxfxfl.exec:\xrxfxfl.exe113⤵PID:1928
-
\??\c:\7bttbh.exec:\7bttbh.exe114⤵PID:2976
-
\??\c:\bbtbhn.exec:\bbtbhn.exe115⤵PID:980
-
\??\c:\jdpdp.exec:\jdpdp.exe116⤵PID:1904
-
\??\c:\vpdpj.exec:\vpdpj.exe117⤵PID:1744
-
\??\c:\frrxrxf.exec:\frrxrxf.exe118⤵PID:1940
-
\??\c:\hbthtt.exec:\hbthtt.exe119⤵PID:2984
-
\??\c:\5vpdj.exec:\5vpdj.exe120⤵PID:2560
-
\??\c:\dpddj.exec:\dpddj.exe121⤵PID:2996
-
\??\c:\5rfxrlr.exec:\5rfxrlr.exe122⤵PID:2796
-