Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18/05/2024, 01:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
Target: a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f.exe
Size: 128KB
MD5: 9122feaedba57c7374bab20e0f5a4eb3
SHA1: 1c077095107165ac97517056681b64d36a72ff69
SHA256: a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f
SHA512: b206620684196fc2ec951d6f1a23d076f3ad1700131a18dc2b031bba73276df4bbc971cea3a1df6f09e1e750cd8b28db06f7ba190fc09c346993b1ca3aa67de5
SSDEEP: 3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX/x6gt6:n3C9BRW0j/uVEZFJvM
Malware Config
Signatures
Detect Blackmoon payload 22 IoCs
UPX dump on OEP (original entry point) 24 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes