Analysis
-
max time kernel
146s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 01:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe
-
Size
970KB
-
MD5
17e02cad57ce43434505c9bcb94865eb
-
SHA1
5057905f82c30a571c82cc534eaf16d7e0468b1b
-
SHA256
a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9
-
SHA512
95ef4cd6d81404adc047a5f39fcdacb08d3b555ee69bd66424c419298f3501266e1a5bd9afa1c8333a747c72b67aaadea6ee1bd3d2f524e952b759d1aef04e06
-
SSDEEP
12288:n3C9yMo+S0L9xRnoq7H9xqYL04iVypNKvzcMwdBS3b3aoqYveXVadBlHD+CURPOA:SgD4bhoqLDqYLagB6Wj1+CyC
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
resource yara_rule behavioral1/memory/2916-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2196-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2244-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2760-64-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2492-84-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1844-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1980-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1204-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1108-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/636-226-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1044-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2676-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1308-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2156-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2504-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2764-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2468-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2732-44-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2992-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2992-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 20 IoCs
resource yara_rule behavioral1/memory/2916-3-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2196-24-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2244-34-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2760-64-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2492-84-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1844-145-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1980-163-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1204-181-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1108-208-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/636-226-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1044-199-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2676-135-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/1308-127-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2156-118-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2504-100-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2764-74-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2468-54-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2732-44-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2992-14-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral1/memory/2992-13-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process
2992 jvvjj.exe
2196 flxffrx.exe
2244 pjvvd.exe
2732 rxrlrrx.exe
2468 bhbbtb.exe
2760 djvjd.exe
2764 hbnnnb.exe
2492 pppdd.exe
2504 xxlxflr.exe
2956 tbnnnn.exe
2156 xflxflf.exe
1308 bttthn.exe
2676 9djjv.exe
1844 ffrlxxr.exe
1848 hthtbh.exe
1980 lrxrxlr.exe
320 pvppj.exe
1204 fxrflxf.exe
2336 vvpvp.exe
1044 bttbhn.exe
1108 bhhnbb.exe
452 jdjpp.exe
636 bnhtnn.exe
2252 nhbhtt.exe
1084 vdddj.exe
1856 lfxrrfx.exe
2880 ddpvp.exe
3008 hthhbt.exe
3020 vvpdp.exe
2280 hhhnbh.exe
1180 ffxxlxl.exe
3024 nbtthn.exe
1612 dddvd.exe
2288 rrrfllx.exe
2564 1jddj.exe
2244 llxlrfx.exe
2732 5hnbnn.exe
2828 jdjdd.exe
2768 lfllxlx.exe
2572 bhtbtb.exe
2628 vvjvd.exe
2164 fxrxxfl.exe
2964 bthnbh.exe
1456 jjvdp.exe
2840 xxrxffl.exe
940 pvppd.exe
2816 xfrxrxx.exe
2680 bhbbnt.exe
1584 ffxlffr.exe
932 3htttt.exe
320 ppvpd.exe
2624 7xrflxr.exe
1204 nhtnbt.exe
2088 7rxfrxf.exe
336 bbbhth.exe
852 pdjjj.exe
1208 ffxllxx.exe
1468 tnhtnt.exe
1992 vppvj.exe
1924 xrlrflf.exe
1272 nbnhbh.exe
1988 nhthtn.exe
1856 ppjdv.exe
1528 lfllrxx.exe
-
resource yara_rule behavioral1/memory/2916-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2196-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2244-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2760-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2492-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1844-145-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1980-163-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1204-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1108-208-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/636-226-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1044-199-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2676-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1308-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2504-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2764-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2468-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2732-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2992-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2992-13-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2916 wrote to memory of 2992 2916 a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe 242
PID 2916 wrote to memory of 2992 2916 a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe 242
PID 2916 wrote to memory of 2992 2916 a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe 242
PID 2916 wrote to memory of 2992 2916 a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe 242
PID 2992 wrote to memory of 2196 2992 jvvjj.exe 29
PID 2992 wrote to memory of 2196 2992 jvvjj.exe 29
PID 2992 wrote to memory of 2196 2992 jvvjj.exe 29
PID 2992 wrote to memory of 2196 2992 jvvjj.exe 29
PID 2196 wrote to memory of 2244 2196 flxffrx.exe 30
PID 2196 wrote to memory of 2244 2196 flxffrx.exe 30
PID 2196 wrote to memory of 2244 2196 flxffrx.exe 30
PID 2196 wrote to memory of 2244 2196 flxffrx.exe 30
PID 2244 wrote to memory of 2732 2244 pjvvd.exe 31
PID 2244 wrote to memory of 2732 2244 pjvvd.exe 31
PID 2244 wrote to memory of 2732 2244 pjvvd.exe 31
PID 2244 wrote to memory of 2732 2244 pjvvd.exe 31
PID 2732 wrote to memory of 2468 2732 rxrlrrx.exe 32
PID 2732 wrote to memory of 2468 2732 rxrlrrx.exe 32
PID 2732 wrote to memory of 2468 2732 rxrlrrx.exe 32
PID 2732 wrote to memory of 2468 2732 rxrlrrx.exe 32
PID 2468 wrote to memory of 2760 2468 bhbbtb.exe 33
PID 2468 wrote to memory of 2760 2468 bhbbtb.exe 33
PID 2468 wrote to memory of 2760 2468 bhbbtb.exe 33
PID 2468 wrote to memory of 2760 2468 bhbbtb.exe 33
PID 2760 wrote to memory of 2764 2760 djvjd.exe 34
PID 2760 wrote to memory of 2764 2760 djvjd.exe 34
PID 2760 wrote to memory of 2764 2760 djvjd.exe 34
PID 2760 wrote to memory of 2764 2760 djvjd.exe 34
PID 2764 wrote to memory of 2492 2764 hbnnnb.exe 35
PID 2764 wrote to memory of 2492 2764 hbnnnb.exe 35
PID 2764 wrote to memory of 2492 2764 hbnnnb.exe 35
PID 2764 wrote to memory of 2492 2764 hbnnnb.exe 35
PID 2492 wrote to memory of 2504 2492 pppdd.exe 36
PID 2492 wrote to memory of 2504 2492 pppdd.exe 36
PID 2492 wrote to memory of 2504 2492 pppdd.exe 36
PID 2492 wrote to memory of 2504 2492 pppdd.exe 36
PID 2504 wrote to memory of 2956 2504 xxlxflr.exe 37
PID 2504 wrote to memory of 2956 2504 xxlxflr.exe 37
PID 2504 wrote to memory of 2956 2504 xxlxflr.exe 37
PID 2504 wrote to memory of 2956 2504 xxlxflr.exe 37
PID 2956 wrote to memory of 2156 2956 tbnnnn.exe 38
PID 2956 wrote to memory of 2156 2956 tbnnnn.exe 38
PID 2956 wrote to memory of 2156 2956 tbnnnn.exe 38
PID 2956 wrote to memory of 2156 2956 tbnnnn.exe 38
PID 2156 wrote to memory of 1308 2156 xflxflf.exe 39
PID 2156 wrote to memory of 1308 2156 xflxflf.exe 39
PID 2156 wrote to memory of 1308 2156 xflxflf.exe 39
PID 2156 wrote to memory of 1308 2156 xflxflf.exe 39
PID 1308 wrote to memory of 2676 1308 bttthn.exe 40
PID 1308 wrote to memory of 2676 1308 bttthn.exe 40
PID 1308 wrote to memory of 2676 1308 bttthn.exe 40
PID 1308 wrote to memory of 2676 1308 bttthn.exe 40
PID 2676 wrote to memory of 1844 2676 9djjv.exe 41
PID 2676 wrote to memory of 1844 2676 9djjv.exe 41
PID 2676 wrote to memory of 1844 2676 9djjv.exe 41
PID 2676 wrote to memory of 1844 2676 9djjv.exe 41
PID 1844 wrote to memory of 1848 1844 ffrlxxr.exe 154
PID 1844 wrote to memory of 1848 1844 ffrlxxr.exe 154
PID 1844 wrote to memory of 1848 1844 ffrlxxr.exe 154
PID 1844 wrote to memory of 1848 1844 ffrlxxr.exe 154
PID 1848 wrote to memory of 1980 1848 hthtbh.exe 43
PID 1848 wrote to memory of 1980 1848 hthtbh.exe 43
PID 1848 wrote to memory of 1980 1848 hthtbh.exe 43
PID 1848 wrote to memory of 1980 1848 hthtbh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe"C:\Users\Admin\AppData\Local\Temp\a16d9be3f88a124001e2f936164cc0f0a7ff1107c3905a11c6081c7a8f079fc9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\jvvjj.exec:\jvvjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\flxffrx.exec:\flxffrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\pjvvd.exec:\pjvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\rxrlrrx.exec:\rxrlrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\bhbbtb.exec:\bhbbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\djvjd.exec:\djvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\hbnnnb.exec:\hbnnnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\pppdd.exec:\pppdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\xxlxflr.exec:\xxlxflr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\tbnnnn.exec:\tbnnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\xflxflf.exec:\xflxflf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\bttthn.exec:\bttthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\9djjv.exec:\9djjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\hthtbh.exec:\hthtbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\lrxrxlr.exec:\lrxrxlr.exe17⤵
- Executes dropped EXE
PID:1980 -
\??\c:\pvppj.exec:\pvppj.exe18⤵
- Executes dropped EXE
PID:320 -
\??\c:\fxrflxf.exec:\fxrflxf.exe19⤵
- Executes dropped EXE
PID:1204 -
\??\c:\vvpvp.exec:\vvpvp.exe20⤵
- Executes dropped EXE
PID:2336 -
\??\c:\bttbhn.exec:\bttbhn.exe21⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bhhnbb.exec:\bhhnbb.exe22⤵
- Executes dropped EXE
PID:1108 -
\??\c:\jdjpp.exec:\jdjpp.exe23⤵
- Executes dropped EXE
PID:452 -
\??\c:\bnhtnn.exec:\bnhtnn.exe24⤵
- Executes dropped EXE
PID:636 -
\??\c:\nhbhtt.exec:\nhbhtt.exe25⤵
- Executes dropped EXE
PID:2252 -
\??\c:\vdddj.exec:\vdddj.exe26⤵
- Executes dropped EXE
PID:1084 -
\??\c:\lfxrrfx.exec:\lfxrrfx.exe27⤵
- Executes dropped EXE
PID:1856 -
\??\c:\ddpvp.exec:\ddpvp.exe28⤵
- Executes dropped EXE
PID:2880 -
\??\c:\hthhbt.exec:\hthhbt.exe29⤵
- Executes dropped EXE
PID:3008 -
\??\c:\vvpdp.exec:\vvpdp.exe30⤵
- Executes dropped EXE
PID:3020 -
\??\c:\hhhnbh.exec:\hhhnbh.exe31⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ffxxlxl.exec:\ffxxlxl.exe32⤵
- Executes dropped EXE
PID:1180 -
\??\c:\nbtthn.exec:\nbtthn.exe33⤵
- Executes dropped EXE
PID:3024 -
\??\c:\dddvd.exec:\dddvd.exe34⤵
- Executes dropped EXE
PID:1612 -
\??\c:\rrrfllx.exec:\rrrfllx.exe35⤵
- Executes dropped EXE
PID:2288 -
\??\c:\1jddj.exec:\1jddj.exe36⤵
- Executes dropped EXE
PID:2564 -
\??\c:\llxlrfx.exec:\llxlrfx.exe37⤵
- Executes dropped EXE
PID:2244 -
\??\c:\5hnbnn.exec:\5hnbnn.exe38⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jdjdd.exec:\jdjdd.exe39⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lfllxlx.exec:\lfllxlx.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\bhtbtb.exec:\bhtbtb.exe41⤵
- Executes dropped EXE
PID:2572 -
\??\c:\vvjvd.exec:\vvjvd.exe42⤵
- Executes dropped EXE
PID:2628 -
\??\c:\fxrxxfl.exec:\fxrxxfl.exe43⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bthnbh.exec:\bthnbh.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jjvdp.exec:\jjvdp.exe45⤵
- Executes dropped EXE
PID:1456 -
\??\c:\xxrxffl.exec:\xxrxffl.exe46⤵
- Executes dropped EXE
PID:2840 -
\??\c:\pvppd.exec:\pvppd.exe47⤵
- Executes dropped EXE
PID:940 -
\??\c:\xfrxrxx.exec:\xfrxrxx.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\bhbbnt.exec:\bhbbnt.exe49⤵
- Executes dropped EXE
PID:2680 -
\??\c:\ffxlffr.exec:\ffxlffr.exe50⤵
- Executes dropped EXE
PID:1584 -
\??\c:\3htttt.exec:\3htttt.exe51⤵
- Executes dropped EXE
PID:932 -
\??\c:\ppvpd.exec:\ppvpd.exe52⤵
- Executes dropped EXE
PID:320 -
\??\c:\7xrflxr.exec:\7xrflxr.exe53⤵
- Executes dropped EXE
PID:2624 -
\??\c:\nhtnbt.exec:\nhtnbt.exe54⤵
- Executes dropped EXE
PID:1204 -
\??\c:\7rxfrxf.exec:\7rxfrxf.exe55⤵
- Executes dropped EXE
PID:2088 -
\??\c:\bbbhth.exec:\bbbhth.exe56⤵
- Executes dropped EXE
PID:336 -
\??\c:\pdjjj.exec:\pdjjj.exe57⤵
- Executes dropped EXE
PID:852 -
\??\c:\ffxllxx.exec:\ffxllxx.exe58⤵
- Executes dropped EXE
PID:1208 -
\??\c:\tnhtnt.exec:\tnhtnt.exe59⤵
- Executes dropped EXE
PID:1468 -
\??\c:\vppvj.exec:\vppvj.exe60⤵
- Executes dropped EXE
PID:1992 -
\??\c:\xrlrflf.exec:\xrlrflf.exe61⤵
- Executes dropped EXE
PID:1924 -
\??\c:\nbnhbh.exec:\nbnhbh.exe62⤵
- Executes dropped EXE
PID:1272 -
\??\c:\nhthtn.exec:\nhthtn.exe63⤵
- Executes dropped EXE
PID:1988 -
\??\c:\ppjdv.exec:\ppjdv.exe64⤵
- Executes dropped EXE
PID:1856 -
\??\c:\lfllrxx.exec:\lfllrxx.exe65⤵
- Executes dropped EXE
PID:1528 -
\??\c:\nbnntt.exec:\nbnntt.exe66⤵PID:2312
-
\??\c:\jdjjv.exec:\jdjjv.exe67⤵PID:1452
-
\??\c:\nntbbn.exec:\nntbbn.exe68⤵PID:3020
-
\??\c:\ddjpd.exec:\ddjpd.exe69⤵PID:2280
-
\??\c:\3rrfxlx.exec:\3rrfxlx.exe70⤵PID:2376
-
\??\c:\btthnt.exec:\btthnt.exe71⤵PID:3024
-
\??\c:\jvpjv.exec:\jvpjv.exe72⤵PID:1612
-
\??\c:\rrlfxlx.exec:\rrlfxlx.exe73⤵PID:2588
-
\??\c:\nttnth.exec:\nttnth.exe74⤵PID:2824
-
\??\c:\ppdpv.exec:\ppdpv.exe75⤵PID:2736
-
\??\c:\1rlrlfr.exec:\1rlrlfr.exe76⤵PID:1748
-
\??\c:\1lfrxfl.exec:\1lfrxfl.exe77⤵PID:2484
-
\??\c:\5nbnbn.exec:\5nbnbn.exe78⤵PID:2516
-
\??\c:\7dvjd.exec:\7dvjd.exe79⤵PID:2532
-
\??\c:\9xllxxf.exec:\9xllxxf.exe80⤵PID:2836
-
\??\c:\ntbhtb.exec:\ntbhtb.exe81⤵PID:2756
-
\??\c:\nhhtht.exec:\nhhtht.exe82⤵PID:1828
-
\??\c:\3ppdj.exec:\3ppdj.exe83⤵PID:1900
-
\??\c:\lfxxlxl.exec:\lfxxlxl.exe84⤵PID:2848
-
\??\c:\bbhtth.exec:\bbhtth.exe85⤵PID:2008
-
\??\c:\pdvpd.exec:\pdvpd.exe86⤵PID:2800
-
\??\c:\lfrrfrx.exec:\lfrrfrx.exe87⤵PID:952
-
\??\c:\hbtbtb.exec:\hbtbtb.exe88⤵PID:2976
-
\??\c:\ttnbhh.exec:\ttnbhh.exe89⤵PID:768
-
\??\c:\djjdv.exec:\djjdv.exe90⤵PID:1684
-
\??\c:\rrlxrfr.exec:\rrlxrfr.exe91⤵PID:2296
-
\??\c:\nnthht.exec:\nnthht.exe92⤵PID:1256
-
\??\c:\vpjpp.exec:\vpjpp.exe93⤵PID:2688
-
\??\c:\fxrxfxf.exec:\fxrxfxf.exe94⤵PID:1592
-
\??\c:\nnhtnb.exec:\nnhtnb.exe95⤵PID:324
-
\??\c:\hhbbbh.exec:\hhbbbh.exe96⤵PID:1716
-
\??\c:\vpdpj.exec:\vpdpj.exe97⤵PID:2584
-
\??\c:\rrlfrfl.exec:\rrlfrfl.exe98⤵PID:1908
-
\??\c:\bbnntn.exec:\bbnntn.exe99⤵PID:1728
-
\??\c:\jppdd.exec:\jppdd.exe100⤵PID:1468
-
\??\c:\rrrxlrx.exec:\rrrxlrx.exe101⤵PID:384
-
\??\c:\rlrfrxl.exec:\rlrfrxl.exe102⤵PID:1588
-
\??\c:\nhtthh.exec:\nhtthh.exe103⤵PID:1272
-
\??\c:\jjvdv.exec:\jjvdv.exe104⤵PID:1060
-
\??\c:\lfrfxxf.exec:\lfrfxxf.exe105⤵PID:2880
-
\??\c:\5bnntt.exec:\5bnntt.exe106⤵PID:1528
-
\??\c:\pvpvd.exec:\pvpvd.exe107⤵PID:272
-
\??\c:\5xflrrx.exec:\5xflrrx.exe108⤵PID:2256
-
\??\c:\ntbntb.exec:\ntbntb.exe109⤵PID:2200
-
\??\c:\ppjvv.exec:\ppjvv.exe110⤵PID:2984
-
\??\c:\lrrlfrx.exec:\lrrlfrx.exe111⤵PID:1180
-
\??\c:\nnnbhh.exec:\nnnbhh.exe112⤵PID:2372
-
\??\c:\pdppp.exec:\pdppp.exe113⤵PID:2152
-
\??\c:\llrrfff.exec:\llrrfff.exe114⤵PID:2900
-
\??\c:\xrxffrr.exec:\xrxffrr.exe115⤵PID:2620
-
\??\c:\nbhbbh.exec:\nbhbbh.exe116⤵PID:2864
-
\??\c:\3vjpp.exec:\3vjpp.exe117⤵PID:2716
-
\??\c:\frfxllr.exec:\frfxllr.exe118⤵PID:2292
-
\??\c:\dpjdp.exec:\dpjdp.exe119⤵PID:2536
-
\??\c:\7flxlrf.exec:\7flxlrf.exe120⤵PID:2512
-
\??\c:\ntthnh.exec:\ntthnh.exe121⤵PID:2948
-
\??\c:\3vppv.exec:\3vppv.exe122⤵PID:2548
-