Analysis
-
max time kernel
121s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 01:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe
-
Size
128KB
-
MD5
b75064762f929b94deb0b25930dc20bf
-
SHA1
be427a3a4616c116fe1c8f5452ef7509d167b1f7
-
SHA256
9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1
-
SHA512
89efb04f0214392ed2bbd040758c20cb4b842f57d2bc57a9e155108cab2782aaf46c6aaf4e316954f57742a10be1f13303e263b07a0f59cb7a8da5bd914334cd
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX/x6gtN:n3C9BRW0j/uVEZFJvL
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
resource yara_rule behavioral1/memory/880-7-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2228-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/880-6-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2672-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2448-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2108-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1508-155-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/808-219-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1868-290-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1936-272-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1028-254-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1984-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2004-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2844-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2704-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1656-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2568-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2568-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2472-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2784-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2596-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 22 IoCs
resource yara_rule behavioral1/memory/2228-13-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/880-6-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1548-24-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1548-23-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2672-35-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2448-75-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2108-129-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1508-155-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/808-219-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1868-290-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1936-272-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1028-254-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1984-209-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2004-137-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2844-119-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2704-111-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1656-101-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2568-86-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2568-85-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2472-65-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2784-56-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2596-46-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 2228 dvppp.exe 1548 fxrfxxl.exe 2672 nthntb.exe 2596 dvpvp.exe 2784 dvpdp.exe 2472 xxrrxlr.exe 2448 fxlxllx.exe 2568 htbhnh.exe 1656 7tbhnb.exe 2704 9jjpv.exe 2844 pjpdv.exe 2108 rrlxlxr.exe 2004 ffrxllx.exe 2040 tntbbn.exe 1508 hbbbtt.exe 2412 vpjvp.exe 348 vpjpp.exe 1696 1dpvv.exe 2296 rrflrxf.exe 2428 9xfflrf.exe 1984 lfxfllr.exe 808 hhtthh.exe 700 tnnhtn.exe 1484 1hbbnh.exe 2132 jdjjp.exe 1028 ppjdj.exe 3020 rlxlrxr.exe 1936 bhhhhb.exe 2992 tnbhtb.exe 1868 vvpvp.exe 1640 vjddj.exe 1816 5frlrrr.exe 2820 rllfflx.exe 2640 nhhnbh.exe 2940 vpvdv.exe 1992 djddp.exe 2604 dpdjv.exe 2456 xrxrrrx.exe 2484 frffrfr.exe 2620 1rrxfll.exe 2460 nhntbh.exe 2920 thtthh.exe 1032 tttthn.exe 2552 pjvdd.exe 2760 vpddj.exe 1128 xxrrxxf.exe 2524 rrrxlxl.exe 3052 nbbhtt.exe 1204 hbnnnn.exe 1236 vpdvj.exe 868 dvvjd.exe 1776 flxlxlx.exe 1600 lfrflrx.exe 2312 7tbthn.exe 2804 btbbtt.exe 2932 vpvdd.exe 600 jpdvd.exe 560 3dppv.exe 784 rflrlrr.exe 1160 fffrrfl.exe 2192 ttnhtb.exe 2132 bthhtb.exe 1108 9vppv.exe 1952 1djjj.exe -
resource yara_rule behavioral1/memory/2228-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/880-6-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1548-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1548-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2672-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2448-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2108-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1508-155-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/808-219-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1868-290-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1936-272-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1028-254-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1984-209-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2004-137-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2704-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1656-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2568-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2568-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2472-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2784-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2596-46-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 880 wrote to memory of 2228 880 9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe 28 PID 880 wrote to memory of 2228 880 9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe 28 PID 880 wrote to memory of 2228 880 9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe 28 PID 880 wrote to memory of 2228 880 9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe 28 PID 2228 wrote to memory of 1548 2228 dvppp.exe 29 PID 2228 wrote to memory of 1548 2228 dvppp.exe 29 PID 2228 wrote to memory of 1548 2228 dvppp.exe 29 PID 2228 wrote to memory of 1548 2228 dvppp.exe 29 PID 1548 wrote to memory of 2672 1548 fxrfxxl.exe 30 PID 1548 wrote to memory of 2672 1548 fxrfxxl.exe 30 PID 1548 wrote to memory of 2672 1548 fxrfxxl.exe 30 PID 1548 wrote to memory of 2672 1548 fxrfxxl.exe 30 PID 2672 wrote to memory of 2596 2672 nthntb.exe 31 PID 2672 wrote to memory of 2596 2672 nthntb.exe 31 PID 2672 wrote to memory of 2596 2672 nthntb.exe 31 PID 2672 wrote to memory of 2596 2672 nthntb.exe 31 PID 2596 wrote to memory of 2784 2596 dvpvp.exe 32 PID 2596 wrote to memory of 2784 2596 dvpvp.exe 32 PID 2596 wrote to memory of 2784 2596 dvpvp.exe 32 PID 2596 wrote to memory of 2784 2596 dvpvp.exe 32 PID 2784 wrote to memory of 2472 2784 dvpdp.exe 33 PID 2784 wrote to memory of 2472 2784 dvpdp.exe 33 PID 2784 wrote to memory of 2472 2784 dvpdp.exe 33 PID 2784 wrote to memory of 2472 2784 dvpdp.exe 33 PID 2472 wrote to memory of 2448 2472 xxrrxlr.exe 34 PID 2472 wrote to memory of 2448 2472 xxrrxlr.exe 34 PID 2472 wrote to memory of 2448 2472 xxrrxlr.exe 34 PID 2472 wrote to memory of 2448 2472 xxrrxlr.exe 34 PID 2448 wrote to memory of 2568 2448 fxlxllx.exe 35 PID 2448 wrote to memory of 2568 2448 fxlxllx.exe 35 PID 2448 wrote to memory of 2568 2448 fxlxllx.exe 35 PID 2448 wrote to memory of 2568 2448 fxlxllx.exe 35 PID 2568 wrote to memory of 1656 2568 htbhnh.exe 36 PID 2568 wrote to 
memory of 1656 2568 htbhnh.exe 36 PID 2568 wrote to memory of 1656 2568 htbhnh.exe 36 PID 2568 wrote to memory of 1656 2568 htbhnh.exe 36 PID 1656 wrote to memory of 2704 1656 7tbhnb.exe 37 PID 1656 wrote to memory of 2704 1656 7tbhnb.exe 37 PID 1656 wrote to memory of 2704 1656 7tbhnb.exe 37 PID 1656 wrote to memory of 2704 1656 7tbhnb.exe 37 PID 2704 wrote to memory of 2844 2704 9jjpv.exe 38 PID 2704 wrote to memory of 2844 2704 9jjpv.exe 38 PID 2704 wrote to memory of 2844 2704 9jjpv.exe 38 PID 2704 wrote to memory of 2844 2704 9jjpv.exe 38 PID 2844 wrote to memory of 2108 2844 pjpdv.exe 39 PID 2844 wrote to memory of 2108 2844 pjpdv.exe 39 PID 2844 wrote to memory of 2108 2844 pjpdv.exe 39 PID 2844 wrote to memory of 2108 2844 pjpdv.exe 39 PID 2108 wrote to memory of 2004 2108 rrlxlxr.exe 40 PID 2108 wrote to memory of 2004 2108 rrlxlxr.exe 40 PID 2108 wrote to memory of 2004 2108 rrlxlxr.exe 40 PID 2108 wrote to memory of 2004 2108 rrlxlxr.exe 40 PID 2004 wrote to memory of 2040 2004 ffrxllx.exe 41 PID 2004 wrote to memory of 2040 2004 ffrxllx.exe 41 PID 2004 wrote to memory of 2040 2004 ffrxllx.exe 41 PID 2004 wrote to memory of 2040 2004 ffrxllx.exe 41 PID 2040 wrote to memory of 1508 2040 tntbbn.exe 42 PID 2040 wrote to memory of 1508 2040 tntbbn.exe 42 PID 2040 wrote to memory of 1508 2040 tntbbn.exe 42 PID 2040 wrote to memory of 1508 2040 tntbbn.exe 42 PID 1508 wrote to memory of 2412 1508 hbbbtt.exe 43 PID 1508 wrote to memory of 2412 1508 hbbbtt.exe 43 PID 1508 wrote to memory of 2412 1508 hbbbtt.exe 43 PID 1508 wrote to memory of 2412 1508 hbbbtt.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe "C:\Users\Admin\AppData\Local\Temp\9a48c999223e73edafd6389e1fb42329e2d91fa6b47fd3549c31630d2ebf0cb1.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\dvppp.exec:\dvppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\fxrfxxl.exec:\fxrfxxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\nthntb.exec:\nthntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\dvpvp.exec:\dvpvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\dvpdp.exec:\dvpdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\xxrrxlr.exec:\xxrrxlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\fxlxllx.exec:\fxlxllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\htbhnh.exec:\htbhnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\7tbhnb.exec:\7tbhnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\9jjpv.exec:\9jjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\pjpdv.exec:\pjpdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\rrlxlxr.exec:\rrlxlxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\ffrxllx.exec:\ffrxllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\tntbbn.exec:\tntbbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\hbbbtt.exec:\hbbbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\vpjvp.exec:\vpjvp.exe17⤵
- Executes dropped EXE
PID:2412 -
\??\c:\vpjpp.exec:\vpjpp.exe18⤵
- Executes dropped EXE
PID:348 -
\??\c:\1dpvv.exec:\1dpvv.exe19⤵
- Executes dropped EXE
PID:1696 -
\??\c:\rrflrxf.exec:\rrflrxf.exe20⤵
- Executes dropped EXE
PID:2296 -
\??\c:\9xfflrf.exec:\9xfflrf.exe21⤵
- Executes dropped EXE
PID:2428 -
\??\c:\lfxfllr.exec:\lfxfllr.exe22⤵
- Executes dropped EXE
PID:1984 -
\??\c:\hhtthh.exec:\hhtthh.exe23⤵
- Executes dropped EXE
PID:808 -
\??\c:\tnnhtn.exec:\tnnhtn.exe24⤵
- Executes dropped EXE
PID:700 -
\??\c:\1hbbnh.exec:\1hbbnh.exe25⤵
- Executes dropped EXE
PID:1484 -
\??\c:\jdjjp.exec:\jdjjp.exe26⤵
- Executes dropped EXE
PID:2132 -
\??\c:\ppjdj.exec:\ppjdj.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\rlxlrxr.exec:\rlxlrxr.exe28⤵
- Executes dropped EXE
PID:3020 -
\??\c:\bhhhhb.exec:\bhhhhb.exe29⤵
- Executes dropped EXE
PID:1936 -
\??\c:\tnbhtb.exec:\tnbhtb.exe30⤵
- Executes dropped EXE
PID:2992 -
\??\c:\vvpvp.exec:\vvpvp.exe31⤵
- Executes dropped EXE
PID:1868 -
\??\c:\vjddj.exec:\vjddj.exe32⤵
- Executes dropped EXE
PID:1640 -
\??\c:\5frlrrr.exec:\5frlrrr.exe33⤵
- Executes dropped EXE
PID:1816 -
\??\c:\rllfflx.exec:\rllfflx.exe34⤵
- Executes dropped EXE
PID:2820 -
\??\c:\btnnbb.exec:\btnnbb.exe35⤵PID:2028
-
\??\c:\nhhnbh.exec:\nhhnbh.exe36⤵
- Executes dropped EXE
PID:2640 -
\??\c:\vpvdv.exec:\vpvdv.exe37⤵
- Executes dropped EXE
PID:2940 -
\??\c:\djddp.exec:\djddp.exe38⤵
- Executes dropped EXE
PID:1992 -
\??\c:\dpdjv.exec:\dpdjv.exe39⤵
- Executes dropped EXE
PID:2604 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe40⤵
- Executes dropped EXE
PID:2456 -
\??\c:\frffrfr.exec:\frffrfr.exe41⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1rrxfll.exec:\1rrxfll.exe42⤵
- Executes dropped EXE
PID:2620 -
\??\c:\nhntbh.exec:\nhntbh.exe43⤵
- Executes dropped EXE
PID:2460 -
\??\c:\thtthh.exec:\thtthh.exe44⤵
- Executes dropped EXE
PID:2920 -
\??\c:\tttthn.exec:\tttthn.exe45⤵
- Executes dropped EXE
PID:1032 -
\??\c:\pjvdd.exec:\pjvdd.exe46⤵
- Executes dropped EXE
PID:2552 -
\??\c:\vpddj.exec:\vpddj.exe47⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xxrrxxf.exec:\xxrrxxf.exe48⤵
- Executes dropped EXE
PID:1128 -
\??\c:\rrrxlxl.exec:\rrrxlxl.exe49⤵
- Executes dropped EXE
PID:2524 -
\??\c:\nbbhtt.exec:\nbbhtt.exe50⤵
- Executes dropped EXE
PID:3052 -
\??\c:\hbnnnn.exec:\hbnnnn.exe51⤵
- Executes dropped EXE
PID:1204 -
\??\c:\vpdvj.exec:\vpdvj.exe52⤵
- Executes dropped EXE
PID:1236 -
\??\c:\dvvjd.exec:\dvvjd.exe53⤵
- Executes dropped EXE
PID:868 -
\??\c:\flxlxlx.exec:\flxlxlx.exe54⤵
- Executes dropped EXE
PID:1776 -
\??\c:\lfrflrx.exec:\lfrflrx.exe55⤵
- Executes dropped EXE
PID:1600 -
\??\c:\7tbthn.exec:\7tbthn.exe56⤵
- Executes dropped EXE
PID:2312 -
\??\c:\btbbtt.exec:\btbbtt.exe57⤵
- Executes dropped EXE
PID:2804 -
\??\c:\vpvdd.exec:\vpvdd.exe58⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jpdvd.exec:\jpdvd.exe59⤵
- Executes dropped EXE
PID:600 -
\??\c:\3dppv.exec:\3dppv.exe60⤵
- Executes dropped EXE
PID:560 -
\??\c:\rflrlrr.exec:\rflrlrr.exe61⤵
- Executes dropped EXE
PID:784 -
\??\c:\fffrrfl.exec:\fffrrfl.exe62⤵
- Executes dropped EXE
PID:1160 -
\??\c:\ttnhtb.exec:\ttnhtb.exe63⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bthhtb.exec:\bthhtb.exe64⤵
- Executes dropped EXE
PID:2132 -
\??\c:\9vppv.exec:\9vppv.exe65⤵
- Executes dropped EXE
PID:1108 -
\??\c:\1djjj.exec:\1djjj.exe66⤵
- Executes dropped EXE
PID:1952 -
\??\c:\frxxxrr.exec:\frxxxrr.exe67⤵PID:1964
-
\??\c:\7fxxffl.exec:\7fxxffl.exe68⤵PID:536
-
\??\c:\5hnnth.exec:\5hnnth.exe69⤵PID:2416
-
\??\c:\tthhhh.exec:\tthhhh.exe70⤵PID:3004
-
\??\c:\nbhbtt.exec:\nbhbtt.exe71⤵PID:2160
-
\??\c:\jdddd.exec:\jdddd.exe72⤵PID:2972
-
\??\c:\5vjjd.exec:\5vjjd.exe73⤵PID:1208
-
\??\c:\flrffxr.exec:\flrffxr.exe74⤵PID:2800
-
\??\c:\xlxfllr.exec:\xlxfllr.exe75⤵PID:2052
-
\??\c:\9fxxffl.exec:\9fxxffl.exe76⤵PID:2028
-
\??\c:\1ntthh.exec:\1ntthh.exe77⤵PID:2716
-
\??\c:\btttnb.exec:\btttnb.exe78⤵PID:2940
-
\??\c:\dvvpp.exec:\dvvpp.exe79⤵PID:1852
-
\??\c:\3jddj.exec:\3jddj.exe80⤵PID:2696
-
\??\c:\fxffllx.exec:\fxffllx.exe81⤵PID:2572
-
\??\c:\1frrxrx.exec:\1frrxrx.exe82⤵PID:2764
-
\??\c:\hbhhnh.exec:\hbhhnh.exe83⤵PID:2784
-
\??\c:\thhttn.exec:\thhttn.exe84⤵PID:2492
-
\??\c:\5htntb.exec:\5htntb.exe85⤵PID:2448
-
\??\c:\vpvvv.exec:\vpvvv.exe86⤵PID:1632
-
\??\c:\dvjjj.exec:\dvjjj.exe87⤵PID:2508
-
\??\c:\1lxxrlr.exec:\1lxxrlr.exe88⤵PID:2536
-
\??\c:\5xlfffl.exec:\5xlfffl.exe89⤵PID:2676
-
\??\c:\bntttb.exec:\bntttb.exe90⤵PID:1968
-
\??\c:\btnhnn.exec:\btnhnn.exe91⤵PID:656
-
\??\c:\3nhtbn.exec:\3nhtbn.exe92⤵PID:340
-
\??\c:\7dvpp.exec:\7dvpp.exe93⤵PID:1096
-
\??\c:\jjjpj.exec:\jjjpj.exe94⤵PID:2636
-
\??\c:\rrxlfxr.exec:\rrxlfxr.exe95⤵PID:780
-
\??\c:\flrxlrf.exec:\flrxlrf.exe96⤵PID:344
-
\??\c:\rlllllr.exec:\rlllllr.exe97⤵PID:2320
-
\??\c:\btnntt.exec:\btnntt.exe98⤵PID:2316
-
\??\c:\nhtthh.exec:\nhtthh.exe99⤵PID:2180
-
\??\c:\vvdpp.exec:\vvdpp.exe100⤵PID:1996
-
\??\c:\ppdjd.exec:\ppdjd.exe101⤵PID:2148
-
\??\c:\rlllrrx.exec:\rlllrrx.exe102⤵PID:1296
-
\??\c:\rrxxfrr.exec:\rrxxfrr.exe103⤵PID:580
-
\??\c:\jjjvp.exec:\jjjvp.exe104⤵PID:588
-
\??\c:\3jdjv.exec:\3jdjv.exe105⤵PID:1836
-
\??\c:\1xfflll.exec:\1xfflll.exe106⤵PID:796
-
\??\c:\flrllrr.exec:\flrllrr.exe107⤵PID:1636
-
\??\c:\lxrrrrx.exec:\lxrrrrx.exe108⤵PID:1028
-
\??\c:\9htbnt.exec:\9htbnt.exe109⤵PID:2808
-
\??\c:\hbnnnn.exec:\hbnnnn.exe110⤵PID:2980
-
\??\c:\btnthn.exec:\btnthn.exe111⤵PID:1936
-
\??\c:\9vppv.exec:\9vppv.exe112⤵PID:1768
-
\??\c:\jddjp.exec:\jddjp.exe113⤵PID:2204
-
\??\c:\xxlllxx.exec:\xxlllxx.exe114⤵PID:900
-
\??\c:\tthbnt.exec:\tthbnt.exe115⤵PID:2628
-
\??\c:\1lrrxxf.exec:\1lrrxxf.exe116⤵PID:1692
-
\??\c:\pddjd.exec:\pddjd.exe117⤵PID:1440
-
\??\c:\xxrrrff.exec:\xxrrrff.exe118⤵PID:1628
-
\??\c:\rxllrrr.exec:\rxllrrr.exe119⤵PID:2680
-
\??\c:\nnhhtt.exec:\nnhhtt.exe120⤵PID:2592
-
\??\c:\dvjpv.exec:\dvjpv.exe121⤵PID:2788
-
\??\c:\ddvvd.exec:\ddvvd.exe122⤵PID:2700
-