Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
05/04/2024, 00:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c.exe
Resource
win7-20240220-en
6 signatures
150 seconds
General
-
Target
af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c.exe
-
Size
399KB
-
MD5
4ba311ecc22d4b4c676a78dacfed0358
-
SHA1
36688e564de2d80194b83e74dd1a84efe045f8c6
-
SHA256
af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c
-
SHA512
15dadec6c0241c60e5d57c7b4934d81782674066d4dbe6773f09c18fe1a726508f53e291780471da1040d97619c20e49decbb9ea1e5a894df9961a82d6bb6b65
-
SSDEEP
6144:Acm7ImGddX5WrXF5lpKGYV0aTk/BO0XJm4UEPOshN/xdKnvP48bmmf:m7TcJWjdpKGATTk/jYIOWN/KnnPD
Malware Config
Signatures
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3524-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2884-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/488-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2424-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/memory/3524-5-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2008-10-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2076-12-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4576-23-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/5048-29-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/5048-35-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4844-36-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1220-43-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/220-26-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2008-17-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4576-16-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4512-55-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/448-58-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4112-76-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/868-99-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/388-94-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/3244-87-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2828-74-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2828-68-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/5104-64-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/3004-123-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1120-135-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4064-130-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1140-144-0x0000000000400000-0x000000000042A000-memory.dmp UPX 
behavioral2/memory/1112-154-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2884-146-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1092-173-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1680-177-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1376-188-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/3116-187-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/3236-193-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1844-205-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1844-208-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4892-214-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2296-221-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4944-222-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4584-231-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2560-234-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/64-237-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4764-242-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4764-245-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/3192-248-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1524-255-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/3628-256-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4980-262-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4852-263-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4100-267-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4100-270-0x0000000000400000-0x000000000042A000-memory.dmp UPX 
behavioral2/memory/5104-277-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/488-283-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2424-314-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4568-324-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2000-328-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/3900-341-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2616-354-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1812-364-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/1436-395-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/556-412-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4368-421-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/680-432-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2912-447-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/2136-464-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4804-477-0x0000000000400000-0x000000000042A000-memory.dmp UPX behavioral2/memory/4804-481-0x0000000000400000-0x000000000042A000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 2076 fqb6n.exe 2008 qcwk22.exe 4576 0oqas.exe 220 p4e18v.exe 5048 2v7g331.exe 4844 spn6wt.exe 1220 eickw6.exe 4852 97gwe.exe 4512 f8q3i.exe 448 8x7sp2w.exe 5104 b4q6cf5.exe 2828 1332d1.exe 4112 2i2l16.exe 3100 9rg2k9.exe 3244 b3g383.exe 388 1nr76.exe 868 nn39599.exe 1280 0oa58.exe 4424 l5mwg.exe 1012 18j51.exe 3004 8f14sqh.exe 500 6d4mq.exe 4064 t3x139.exe 1120 4a1ke.exe 1140 swt1911.exe 2884 5m9c17g.exe 1112 1719353.exe 3532 8d7gw.exe 2640 0ieuga8.exe 3316 8wu5oi.exe 1092 2siws.exe 1680 uuax9.exe 4732 753h333.exe 3116 xxeegm.exe 1376 5g877e.exe 3236 w5vls2x.exe 3592 6c11s.exe 2716 bdocs.exe 2660 ieau6.exe 1844 h2oeg.exe 2696 c72dje5.exe 4892 u7x9j8.exe 4324 8v2k38.exe 2296 isue09n.exe 4944 t9ur7g.exe 2380 8153r1.exe 4584 or5bj73.exe 2560 0buuf.exe 64 09g5q.exe 1616 tgku4i.exe 4764 l5ql52.exe 3192 j1ie37.exe 2252 8f37i.exe 1524 wgwu52.exe 3628 0a994.exe 4980 85397.exe 4852 7759kaa.exe 4100 g118l26.exe 1252 m0p2r21.exe 4972 ucr9119.exe 5104 4b645.exe 488 1996661.exe 5068 5t85t.exe 2524 8a5092o.exe -
resource yara_rule behavioral2/memory/3524-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1112-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-270-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5104-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/488-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-492-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3524 wrote to memory of 2076 3524 af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c.exe 84 PID 3524 wrote to memory of 2076 3524 af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c.exe 84 PID 3524 wrote to memory of 2076 3524 af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c.exe 84 PID 2076 wrote to memory of 2008 2076 fqb6n.exe 86 PID 2076 wrote to memory of 2008 2076 fqb6n.exe 86 PID 2076 wrote to memory of 2008 2076 fqb6n.exe 86 PID 2008 wrote to memory of 4576 2008 qcwk22.exe 87 PID 2008 wrote to memory of 4576 2008 qcwk22.exe 87 PID 2008 wrote to memory of 4576 2008 qcwk22.exe 87 PID 4576 wrote to memory of 220 4576 0oqas.exe 88 PID 4576 wrote to memory of 220 4576 0oqas.exe 88 PID 4576 wrote to memory of 220 4576 0oqas.exe 88 PID 220 wrote to memory of 5048 220 p4e18v.exe 89 PID 220 wrote to memory of 5048 220 p4e18v.exe 89 PID 220 wrote to memory of 5048 220 p4e18v.exe 89 PID 5048 wrote to memory of 4844 5048 2v7g331.exe 90 PID 5048 wrote to memory of 4844 5048 2v7g331.exe 90 PID 5048 wrote to memory of 4844 5048 2v7g331.exe 90 PID 4844 wrote to memory of 1220 4844 spn6wt.exe 91 PID 4844 wrote to memory of 1220 4844 spn6wt.exe 91 PID 4844 wrote to memory of 1220 4844 spn6wt.exe 91 PID 1220 wrote to memory of 4852 1220 eickw6.exe 92 PID 1220 wrote to memory of 4852 1220 eickw6.exe 92 PID 1220 wrote to memory of 4852 1220 eickw6.exe 92 PID 4852 wrote to memory of 4512 4852 97gwe.exe 95 PID 4852 wrote to memory of 4512 4852 97gwe.exe 95 PID 4852 wrote to memory of 4512 4852 97gwe.exe 95 PID 4512 wrote to memory of 448 4512 f8q3i.exe 96 PID 4512 wrote to memory of 448 4512 f8q3i.exe 96 PID 4512 wrote to memory of 448 4512 f8q3i.exe 96 PID 448 wrote to memory of 5104 448 8x7sp2w.exe 97 PID 448 wrote to memory of 5104 448 8x7sp2w.exe 97 PID 448 wrote to memory of 5104 448 8x7sp2w.exe 97 PID 5104 wrote to memory of 2828 5104 b4q6cf5.exe 98 PID 5104 wrote to memory of 2828 5104 
b4q6cf5.exe 98 PID 5104 wrote to memory of 2828 5104 b4q6cf5.exe 98 PID 2828 wrote to memory of 4112 2828 1332d1.exe 99 PID 2828 wrote to memory of 4112 2828 1332d1.exe 99 PID 2828 wrote to memory of 4112 2828 1332d1.exe 99 PID 4112 wrote to memory of 3100 4112 2i2l16.exe 100 PID 4112 wrote to memory of 3100 4112 2i2l16.exe 100 PID 4112 wrote to memory of 3100 4112 2i2l16.exe 100 PID 3100 wrote to memory of 3244 3100 9rg2k9.exe 101 PID 3100 wrote to memory of 3244 3100 9rg2k9.exe 101 PID 3100 wrote to memory of 3244 3100 9rg2k9.exe 101 PID 3244 wrote to memory of 388 3244 b3g383.exe 102 PID 3244 wrote to memory of 388 3244 b3g383.exe 102 PID 3244 wrote to memory of 388 3244 b3g383.exe 102 PID 388 wrote to memory of 868 388 1nr76.exe 103 PID 388 wrote to memory of 868 388 1nr76.exe 103 PID 388 wrote to memory of 868 388 1nr76.exe 103 PID 868 wrote to memory of 1280 868 nn39599.exe 104 PID 868 wrote to memory of 1280 868 nn39599.exe 104 PID 868 wrote to memory of 1280 868 nn39599.exe 104 PID 1280 wrote to memory of 4424 1280 0oa58.exe 105 PID 1280 wrote to memory of 4424 1280 0oa58.exe 105 PID 1280 wrote to memory of 4424 1280 0oa58.exe 105 PID 4424 wrote to memory of 1012 4424 l5mwg.exe 106 PID 4424 wrote to memory of 1012 4424 l5mwg.exe 106 PID 4424 wrote to memory of 1012 4424 l5mwg.exe 106 PID 1012 wrote to memory of 3004 1012 18j51.exe 107 PID 1012 wrote to memory of 3004 1012 18j51.exe 107 PID 1012 wrote to memory of 3004 1012 18j51.exe 107 PID 3004 wrote to memory of 500 3004 8f14sqh.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c.exe"C:\Users\Admin\AppData\Local\Temp\af96157e9f4d0fbb059c914c095e1485c51f5e12ca4bc4cc9bd46e14d72f271c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\fqb6n.exec:\fqb6n.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\qcwk22.exec:\qcwk22.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\0oqas.exec:\0oqas.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\p4e18v.exec:\p4e18v.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\2v7g331.exec:\2v7g331.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\spn6wt.exec:\spn6wt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\eickw6.exec:\eickw6.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\97gwe.exec:\97gwe.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\f8q3i.exec:\f8q3i.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\8x7sp2w.exec:\8x7sp2w.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\b4q6cf5.exec:\b4q6cf5.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\1332d1.exec:\1332d1.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\2i2l16.exec:\2i2l16.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\9rg2k9.exec:\9rg2k9.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\b3g383.exec:\b3g383.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\1nr76.exec:\1nr76.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\nn39599.exec:\nn39599.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\0oa58.exec:\0oa58.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\l5mwg.exec:\l5mwg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\18j51.exec:\18j51.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\8f14sqh.exec:\8f14sqh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\6d4mq.exec:\6d4mq.exe23⤵
- Executes dropped EXE
PID:500 -
\??\c:\t3x139.exec:\t3x139.exe24⤵
- Executes dropped EXE
PID:4064 -
\??\c:\4a1ke.exec:\4a1ke.exe25⤵
- Executes dropped EXE
PID:1120 -
\??\c:\swt1911.exec:\swt1911.exe26⤵
- Executes dropped EXE
PID:1140 -
\??\c:\5m9c17g.exec:\5m9c17g.exe27⤵
- Executes dropped EXE
PID:2884 -
\??\c:\1719353.exec:\1719353.exe28⤵
- Executes dropped EXE
PID:1112 -
\??\c:\8d7gw.exec:\8d7gw.exe29⤵
- Executes dropped EXE
PID:3532 -
\??\c:\0ieuga8.exec:\0ieuga8.exe30⤵
- Executes dropped EXE
PID:2640 -
\??\c:\8wu5oi.exec:\8wu5oi.exe31⤵
- Executes dropped EXE
PID:3316 -
\??\c:\2siws.exec:\2siws.exe32⤵
- Executes dropped EXE
PID:1092 -
\??\c:\uuax9.exec:\uuax9.exe33⤵
- Executes dropped EXE
PID:1680 -
\??\c:\753h333.exec:\753h333.exe34⤵
- Executes dropped EXE
PID:4732 -
\??\c:\xxeegm.exec:\xxeegm.exe35⤵
- Executes dropped EXE
PID:3116 -
\??\c:\5g877e.exec:\5g877e.exe36⤵
- Executes dropped EXE
PID:1376 -
\??\c:\w5vls2x.exec:\w5vls2x.exe37⤵
- Executes dropped EXE
PID:3236 -
\??\c:\6c11s.exec:\6c11s.exe38⤵
- Executes dropped EXE
PID:3592 -
\??\c:\bdocs.exec:\bdocs.exe39⤵
- Executes dropped EXE
PID:2716 -
\??\c:\ieau6.exec:\ieau6.exe40⤵
- Executes dropped EXE
PID:2660 -
\??\c:\h2oeg.exec:\h2oeg.exe41⤵
- Executes dropped EXE
PID:1844 -
\??\c:\c72dje5.exec:\c72dje5.exe42⤵
- Executes dropped EXE
PID:2696 -
\??\c:\u7x9j8.exec:\u7x9j8.exe43⤵
- Executes dropped EXE
PID:4892 -
\??\c:\8v2k38.exec:\8v2k38.exe44⤵
- Executes dropped EXE
PID:4324 -
\??\c:\isue09n.exec:\isue09n.exe45⤵
- Executes dropped EXE
PID:2296 -
\??\c:\t9ur7g.exec:\t9ur7g.exe46⤵
- Executes dropped EXE
PID:4944 -
\??\c:\8153r1.exec:\8153r1.exe47⤵
- Executes dropped EXE
PID:2380 -
\??\c:\or5bj73.exec:\or5bj73.exe48⤵
- Executes dropped EXE
PID:4584 -
\??\c:\0buuf.exec:\0buuf.exe49⤵
- Executes dropped EXE
PID:2560 -
\??\c:\09g5q.exec:\09g5q.exe50⤵
- Executes dropped EXE
PID:64 -
\??\c:\tgku4i.exec:\tgku4i.exe51⤵
- Executes dropped EXE
PID:1616 -
\??\c:\l5ql52.exec:\l5ql52.exe52⤵
- Executes dropped EXE
PID:4764 -
\??\c:\j1ie37.exec:\j1ie37.exe53⤵
- Executes dropped EXE
PID:3192 -
\??\c:\8f37i.exec:\8f37i.exe54⤵
- Executes dropped EXE
PID:2252 -
\??\c:\wgwu52.exec:\wgwu52.exe55⤵
- Executes dropped EXE
PID:1524 -
\??\c:\0a994.exec:\0a994.exe56⤵
- Executes dropped EXE
PID:3628 -
\??\c:\85397.exec:\85397.exe57⤵
- Executes dropped EXE
PID:4980 -
\??\c:\7759kaa.exec:\7759kaa.exe58⤵
- Executes dropped EXE
PID:4852 -
\??\c:\g118l26.exec:\g118l26.exe59⤵
- Executes dropped EXE
PID:4100 -
\??\c:\m0p2r21.exec:\m0p2r21.exe60⤵
- Executes dropped EXE
PID:1252 -
\??\c:\ucr9119.exec:\ucr9119.exe61⤵
- Executes dropped EXE
PID:4972 -
\??\c:\4b645.exec:\4b645.exe62⤵
- Executes dropped EXE
PID:5104 -
\??\c:\1996661.exec:\1996661.exe63⤵
- Executes dropped EXE
PID:488 -
\??\c:\5t85t.exec:\5t85t.exe64⤵
- Executes dropped EXE
PID:5068 -
\??\c:\8a5092o.exec:\8a5092o.exe65⤵
- Executes dropped EXE
PID:2524 -
\??\c:\4wd357.exec:\4wd357.exe66⤵PID:4344
-
\??\c:\8q77hh.exec:\8q77hh.exe67⤵PID:4988
-
\??\c:\f6k7kx.exec:\f6k7kx.exe68⤵PID:4536
-
\??\c:\uer96.exec:\uer96.exe69⤵PID:704
-
\??\c:\157fma.exec:\157fma.exe70⤵PID:868
-
\??\c:\t63l90.exec:\t63l90.exe71⤵PID:4820
-
\??\c:\w6w34ej.exec:\w6w34ej.exe72⤵PID:2228
-
\??\c:\b2919.exec:\b2919.exe73⤵PID:2424
-
\??\c:\q5p6d.exec:\q5p6d.exe74⤵PID:3000
-
\??\c:\b84k4e7.exec:\b84k4e7.exe75⤵PID:4568
-
\??\c:\1f4sss.exec:\1f4sss.exe76⤵PID:4208
-
\??\c:\joco629.exec:\joco629.exe77⤵PID:2000
-
\??\c:\2i577.exec:\2i577.exe78⤵PID:4956
-
\??\c:\dwwmk.exec:\dwwmk.exe79⤵PID:1988
-
\??\c:\nj7t33.exec:\nj7t33.exe80⤵PID:3216
-
\??\c:\ce89k.exec:\ce89k.exe81⤵PID:1096
-
\??\c:\8up6ed.exec:\8up6ed.exe82⤵PID:3900
-
\??\c:\uugn578.exec:\uugn578.exe83⤵PID:4780
-
\??\c:\wej2h.exec:\wej2h.exe84⤵PID:2304
-
\??\c:\n754w.exec:\n754w.exe85⤵PID:2616
-
\??\c:\9t98e.exec:\9t98e.exe86⤵PID:2308
-
\??\c:\k314qx1.exec:\k314qx1.exe87⤵PID:4072
-
\??\c:\8h5pb4.exec:\8h5pb4.exe88⤵PID:1092
-
\??\c:\86hs8t1.exec:\86hs8t1.exe89⤵PID:1812
-
\??\c:\44h25.exec:\44h25.exe90⤵PID:3568
-
\??\c:\2007pc.exec:\2007pc.exe91⤵PID:1788
-
\??\c:\95r294o.exec:\95r294o.exe92⤵PID:2144
-
\??\c:\o8406.exec:\o8406.exe93⤵PID:1896
-
\??\c:\o351td7.exec:\o351td7.exe94⤵PID:2812
-
\??\c:\009i20.exec:\009i20.exe95⤵PID:1324
-
\??\c:\qc9i9kb.exec:\qc9i9kb.exe96⤵PID:2692
-
\??\c:\1a3u1.exec:\1a3u1.exe97⤵PID:2332
-
\??\c:\xhb2f1.exec:\xhb2f1.exe98⤵PID:1436
-
\??\c:\n13593.exec:\n13593.exe99⤵PID:2672
-
\??\c:\a715q.exec:\a715q.exe100⤵PID:568
-
\??\c:\u10a5v.exec:\u10a5v.exe101⤵PID:3616
-
\??\c:\r6wr7.exec:\r6wr7.exe102⤵PID:60
-
\??\c:\671iw.exec:\671iw.exe103⤵PID:2312
-
\??\c:\kueo213.exec:\kueo213.exe104⤵PID:556
-
\??\c:\b3sqck9.exec:\b3sqck9.exe105⤵PID:812
-
\??\c:\vqoc75.exec:\vqoc75.exe106⤵PID:4368
-
\??\c:\n9151v.exec:\n9151v.exe107⤵PID:2800
-
\??\c:\1925e.exec:\1925e.exe108⤵PID:1488
-
\??\c:\51i31w.exec:\51i31w.exe109⤵PID:1272
-
\??\c:\2jtqn.exec:\2jtqn.exe110⤵PID:680
-
\??\c:\1x10k.exec:\1x10k.exe111⤵PID:1524
-
\??\c:\0a93cx5.exec:\0a93cx5.exe112⤵PID:5056
-
\??\c:\55hhs5u.exec:\55hhs5u.exe113⤵PID:5012
-
\??\c:\wmk74.exec:\wmk74.exe114⤵PID:1748
-
\??\c:\3lt0b5.exec:\3lt0b5.exe115⤵PID:2912
-
\??\c:\7b5u9ef.exec:\7b5u9ef.exe116⤵PID:4640
-
\??\c:\41213bq.exec:\41213bq.exe117⤵PID:2204
-
\??\c:\fa16w1.exec:\fa16w1.exe118⤵PID:4024
-
\??\c:\xe96m.exec:\xe96m.exe119⤵PID:2156
-
\??\c:\4b351.exec:\4b351.exe120⤵PID:2136
-
\??\c:\2k98g.exec:\2k98g.exe121⤵PID:832
-
\??\c:\47105.exec:\47105.exe122⤵PID:756