Analysis
- max time kernel: 150s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2024, 01:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
- Target: a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3.exe
- Size: 62KB
- MD5: 16a4e1d8555b3ac9e82b143235df4805
- SHA1: 7edc99943c989105ca2c32357e082549d6b8ae2d
- SHA256: a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3
- SHA512: ca41b53ea4bdd0fa9d026fdf119ca95b5e5f21a52080e7e9fc1583865f0f0209730ec37e955f2179d1947e514b0a882f40387860474dae141c55e731b7b81de8
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh1214aK:ymb3NkkiQ3mdBjFIFdJmdaK
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
UPX dump on OEP (original entry point) 24 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes