Analysis
-
max time kernel
150s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 01:11
Behavioral task
behavioral1
Sample
9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8.exe
Resource
win7-20240419-en
6 signatures
150 seconds
General
-
Target
9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8.exe
-
Size
379KB
-
MD5
8aad41aef25a2f63a1aabf01d34f130b
-
SHA1
cedc6bd99abe522e55908a3e6006464b32d4079e
-
SHA256
9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8
-
SHA512
25a886db2867fc9610447cc8cfe7d353b4d55993da821c3b6d08700d4fc5264a9a6d51dad5016fa086db1f9f23d3f65a36759802c6c7badc2560b23b3483e915
-
SSDEEP
6144:Ocm4FmowdHoSsm4FIc1/cm4FmowdHoSsiNlcJcmHYC9/jvvfwL+TLPfSRcm4FVo6:w4wFHoSl4h4wFHoS24yTgL+zfu4/FHoy
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2464-27-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1992-33-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2016-35-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2016-42-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4808-47-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3832-82-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1612-96-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/5024-100-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/5024-109-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/516-142-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1732-150-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2096-163-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3104-171-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4672-224-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4072-254-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1804-274-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4488-286-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2592-306-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4740-318-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1732-345-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/768-373-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon 
behavioral2/memory/1280-1206-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1532-1296-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1052-1791-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4804-1635-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4384-380-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1644-377-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3144-369-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1972-365-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2200-360-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2480-356-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2144-352-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1928-349-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1436-338-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2308-333-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4412-330-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1348-326-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2104-322-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4112-313-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2232-310-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/372-302-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/464-298-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon 
behavioral2/memory/4956-293-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1232-289-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1664-282-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1316-278-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4172-269-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2800-266-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3028-262-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4584-258-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4224-249-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2384-246-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/2476-242-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/408-238-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4364-234-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/4276-230-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3908-228-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3516-220-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/860-215-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3360-210-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3640-204-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/1644-198-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon behavioral2/memory/3996-191-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon 
behavioral2/memory/4168-181-0x0000000000400000-0x0000000000472000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000700000002349d-15.dat UPX behavioral2/memory/2464-27-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1992-33-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2016-35-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2016-42-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4808-40-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4808-47-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/files/0x00070000000234a2-48.dat UPX behavioral2/files/0x00070000000234a4-60.dat UPX behavioral2/files/0x00070000000234a7-79.dat UPX behavioral2/memory/940-83-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/3832-82-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1612-90-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1612-96-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/5024-100-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/3652-110-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/5024-109-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/files/0x00070000000234ac-117.dat UPX behavioral2/files/0x00070000000234ae-129.dat UPX behavioral2/files/0x00070000000234af-133.dat UPX behavioral2/memory/516-142-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1732-150-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/files/0x00070000000234b2-156.dat UPX behavioral2/memory/2096-163-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/files/0x00070000000234b4-167.dat UPX behavioral2/memory/3104-171-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/files/0x00070000000234b5-173.dat UPX behavioral2/files/0x00070000000234b6-183.dat UPX behavioral2/files/0x0009000000023410-200.dat UPX 
behavioral2/memory/4672-224-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4072-254-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1804-274-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4488-286-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2592-306-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4740-318-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1732-345-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/768-373-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1280-1206-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1532-1296-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4584-1350-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1052-1791-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4804-1635-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/3872-1353-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4384-380-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1644-377-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/3144-369-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1972-365-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2200-360-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2480-356-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2144-352-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1928-349-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1436-338-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2308-333-0x0000000000400000-0x0000000000472000-memory.dmp UPX 
behavioral2/memory/4412-330-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1348-326-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2104-322-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4112-313-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/2232-310-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/372-302-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/464-298-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/4956-293-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1232-289-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1664-282-0x0000000000400000-0x0000000000472000-memory.dmp UPX behavioral2/memory/1316-278-0x0000000000400000-0x0000000000472000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 3868 0886404.exe 3880 60402.exe 2464 4602006.exe 1992 vpjjj.exe 2016 6886042.exe 4808 fllfxrl.exe 4420 864668.exe 1204 u660482.exe 1988 dpdpj.exe 2868 xflxrxl.exe 3832 8622604.exe 940 thhbbh.exe 1612 42828.exe 992 pjddp.exe 5024 86420.exe 3652 002228.exe 2248 844826.exe 3056 8420848.exe 2712 88620.exe 516 vjppv.exe 2984 84482.exe 1732 62482.exe 2096 bbttnh.exe 3104 6828288.exe 3152 02866.exe 4168 028222.exe 3996 4808228.exe 1644 llxrxrf.exe 3640 hhhbtt.exe 3360 bbhhnn.exe 860 vppvj.exe 3516 pjdpv.exe 4672 dpdvv.exe 3908 btbbtt.exe 4276 8284404.exe 4364 ddvvj.exe 2476 vpjjd.exe 2384 9llfxrl.exe 4224 flfffff.exe 4072 fxfrllf.exe 4584 6086040.exe 3028 bbntbt.exe 2800 608026.exe 4172 fffrrlf.exe 1804 o426044.exe 1316 62260.exe 1664 a4642.exe 4488 4620426.exe 1232 jppjd.exe 4956 5hbbtn.exe 464 44008.exe 372 8020882.exe 2592 btbnhb.exe 2232 btbntn.exe 4112 6660886.exe 4740 u686482.exe 2104 6486064.exe 1348 28048.exe 4412 48204.exe 2308 02024.exe 1436 844826.exe 3048 s4026.exe 1732 2882682.exe 1928 jdvvj.exe -
resource yara_rule behavioral2/memory/264-0-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/files/0x000700000002349d-15.dat upx behavioral2/memory/2464-21-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2464-27-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1992-33-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2016-35-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2016-42-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4808-40-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4808-47-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/files/0x00070000000234a2-48.dat upx behavioral2/files/0x00070000000234a4-60.dat upx behavioral2/files/0x00070000000234a7-79.dat upx behavioral2/memory/940-83-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/3832-82-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1612-90-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1612-96-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/5024-100-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/3652-110-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/5024-109-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/files/0x00070000000234ac-117.dat upx behavioral2/files/0x00070000000234ae-129.dat upx behavioral2/files/0x00070000000234af-133.dat upx behavioral2/memory/516-142-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1732-150-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/files/0x00070000000234b2-156.dat upx behavioral2/memory/2096-163-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/files/0x00070000000234b4-167.dat upx behavioral2/memory/3104-171-0x0000000000400000-0x0000000000472000-memory.dmp upx 
behavioral2/files/0x00070000000234b5-173.dat upx behavioral2/memory/3996-185-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/files/0x00070000000234b6-183.dat upx behavioral2/files/0x0009000000023410-200.dat upx behavioral2/memory/4672-224-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4072-254-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1804-274-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4488-286-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2592-306-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4740-318-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1732-345-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/768-373-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1280-1206-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1532-1296-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4584-1350-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1052-1791-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4804-1635-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/3872-1353-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4384-380-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1644-377-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/3144-369-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1972-365-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2200-360-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2480-356-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2144-352-0x0000000000400000-0x0000000000472000-memory.dmp upx 
behavioral2/memory/1928-349-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1436-338-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2308-333-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4412-330-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/1348-326-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2104-322-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4112-313-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/2232-310-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/372-302-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/464-298-0x0000000000400000-0x0000000000472000-memory.dmp upx behavioral2/memory/4956-293-0x0000000000400000-0x0000000000472000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 264 wrote to memory of 3868 264 9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8.exe 83 PID 264 wrote to memory of 3868 264 9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8.exe 83 PID 264 wrote to memory of 3868 264 9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8.exe 83 PID 3868 wrote to memory of 3880 3868 0886404.exe 281 PID 3868 wrote to memory of 3880 3868 0886404.exe 281 PID 3868 wrote to memory of 3880 3868 0886404.exe 281 PID 3880 wrote to memory of 2464 3880 60402.exe 85 PID 3880 wrote to memory of 2464 3880 60402.exe 85 PID 3880 wrote to memory of 2464 3880 60402.exe 85 PID 2464 wrote to memory of 1992 2464 4602006.exe 86 PID 2464 wrote to memory of 1992 2464 4602006.exe 86 PID 2464 wrote to memory of 1992 2464 4602006.exe 86 PID 1992 wrote to memory of 2016 1992 vpjjj.exe 87 PID 1992 wrote to memory of 2016 1992 vpjjj.exe 87 PID 1992 wrote to memory of 2016 1992 vpjjj.exe 87 PID 2016 wrote to memory of 4808 2016 6886042.exe 88 PID 2016 wrote to memory of 4808 2016 6886042.exe 88 PID 2016 wrote to memory of 4808 2016 6886042.exe 88 PID 4808 wrote to memory of 4420 4808 fllfxrl.exe 89 PID 4808 wrote to memory of 4420 4808 fllfxrl.exe 89 PID 4808 wrote to memory of 4420 4808 fllfxrl.exe 89 PID 4420 wrote to memory of 1204 4420 864668.exe 90 PID 4420 wrote to memory of 1204 4420 864668.exe 90 PID 4420 wrote to memory of 1204 4420 864668.exe 90 PID 1204 wrote to memory of 1988 1204 u660482.exe 91 PID 1204 wrote to memory of 1988 1204 u660482.exe 91 PID 1204 wrote to memory of 1988 1204 u660482.exe 91 PID 1988 wrote to memory of 2868 1988 dpdpj.exe 92 PID 1988 wrote to memory of 2868 1988 dpdpj.exe 92 PID 1988 wrote to memory of 2868 1988 dpdpj.exe 92 PID 2868 wrote to memory of 3832 2868 xflxrxl.exe 766 PID 2868 wrote to memory of 3832 2868 xflxrxl.exe 766 PID 2868 wrote to memory of 3832 2868 xflxrxl.exe 766 PID 3832 wrote to memory of 940 3832 8622604.exe 95 PID 3832 
wrote to memory of 940 3832 8622604.exe 95 PID 3832 wrote to memory of 940 3832 8622604.exe 95 PID 940 wrote to memory of 1612 940 thhbbh.exe 456 PID 940 wrote to memory of 1612 940 thhbbh.exe 456 PID 940 wrote to memory of 1612 940 thhbbh.exe 456 PID 1612 wrote to memory of 992 1612 42828.exe 98 PID 1612 wrote to memory of 992 1612 42828.exe 98 PID 1612 wrote to memory of 992 1612 42828.exe 98 PID 992 wrote to memory of 5024 992 pjddp.exe 99 PID 992 wrote to memory of 5024 992 pjddp.exe 99 PID 992 wrote to memory of 5024 992 pjddp.exe 99 PID 5024 wrote to memory of 3652 5024 86420.exe 101 PID 5024 wrote to memory of 3652 5024 86420.exe 101 PID 5024 wrote to memory of 3652 5024 86420.exe 101 PID 3652 wrote to memory of 2248 3652 002228.exe 295 PID 3652 wrote to memory of 2248 3652 002228.exe 295 PID 3652 wrote to memory of 2248 3652 002228.exe 295 PID 2248 wrote to memory of 3056 2248 844826.exe 103 PID 2248 wrote to memory of 3056 2248 844826.exe 103 PID 2248 wrote to memory of 3056 2248 844826.exe 103 PID 3056 wrote to memory of 2712 3056 8420848.exe 676 PID 3056 wrote to memory of 2712 3056 8420848.exe 676 PID 3056 wrote to memory of 2712 3056 8420848.exe 676 PID 2712 wrote to memory of 516 2712 88620.exe 684 PID 2712 wrote to memory of 516 2712 88620.exe 684 PID 2712 wrote to memory of 516 2712 88620.exe 684 PID 516 wrote to memory of 2984 516 vjppv.exe 106 PID 516 wrote to memory of 2984 516 vjppv.exe 106 PID 516 wrote to memory of 2984 516 vjppv.exe 106 PID 2984 wrote to memory of 1732 2984 84482.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\688769440\zmstage.exeC:\Users\Admin\AppData\Local\Temp\688769440\zmstage.exe1⤵PID:4364
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8.exe"C:\Users\Admin\AppData\Local\Temp\9ef8e1bd065c95a7c24bbd7b2e31a326bf61e325b5b1a24c51c7b1bca07bc0e8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\0886404.exec:\0886404.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\60402.exec:\60402.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\4602006.exec:\4602006.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\vpjjj.exec:\vpjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\6886042.exec:\6886042.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\fllfxrl.exec:\fllfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\864668.exec:\864668.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\u660482.exec:\u660482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\dpdpj.exec:\dpdpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\xflxrxl.exec:\xflxrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\8622604.exec:\8622604.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\thhbbh.exec:\thhbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\42828.exec:\42828.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\pjddp.exec:\pjddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\86420.exec:\86420.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\002228.exec:\002228.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\844826.exec:\844826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\8420848.exec:\8420848.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\88620.exec:\88620.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\vjppv.exec:\vjppv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\84482.exec:\84482.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\62482.exec:\62482.exe23⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bbttnh.exec:\bbttnh.exe24⤵
- Executes dropped EXE
PID:2096 -
\??\c:\6828288.exec:\6828288.exe25⤵
- Executes dropped EXE
PID:3104 -
\??\c:\02866.exec:\02866.exe26⤵
- Executes dropped EXE
PID:3152 -
\??\c:\028222.exec:\028222.exe27⤵
- Executes dropped EXE
PID:4168 -
\??\c:\4808228.exec:\4808228.exe28⤵
- Executes dropped EXE
PID:3996 -
\??\c:\llxrxrf.exec:\llxrxrf.exe29⤵
- Executes dropped EXE
PID:1644 -
\??\c:\hhhbtt.exec:\hhhbtt.exe30⤵
- Executes dropped EXE
PID:3640 -
\??\c:\bbhhnn.exec:\bbhhnn.exe31⤵
- Executes dropped EXE
PID:3360 -
\??\c:\vppvj.exec:\vppvj.exe32⤵
- Executes dropped EXE
PID:860 -
\??\c:\pjdpv.exec:\pjdpv.exe33⤵
- Executes dropped EXE
PID:3516 -
\??\c:\dpdvv.exec:\dpdvv.exe34⤵
- Executes dropped EXE
PID:4672 -
\??\c:\btbbtt.exec:\btbbtt.exe35⤵
- Executes dropped EXE
PID:3908 -
\??\c:\8284404.exec:\8284404.exe36⤵
- Executes dropped EXE
PID:4276 -
\??\c:\ddvvj.exec:\ddvvj.exe37⤵
- Executes dropped EXE
PID:4364 -
\??\c:\08442.exec:\08442.exe38⤵PID:408
-
\??\c:\vpjjd.exec:\vpjjd.exe39⤵
- Executes dropped EXE
PID:2476 -
\??\c:\9llfxrl.exec:\9llfxrl.exe40⤵
- Executes dropped EXE
PID:2384 -
\??\c:\flfffff.exec:\flfffff.exe41⤵
- Executes dropped EXE
PID:4224 -
\??\c:\fxfrllf.exec:\fxfrllf.exe42⤵
- Executes dropped EXE
PID:4072 -
\??\c:\6086040.exec:\6086040.exe43⤵
- Executes dropped EXE
PID:4584 -
\??\c:\bbntbt.exec:\bbntbt.exe44⤵
- Executes dropped EXE
PID:3028 -
\??\c:\608026.exec:\608026.exe45⤵
- Executes dropped EXE
PID:2800 -
\??\c:\fffrrlf.exec:\fffrrlf.exe46⤵
- Executes dropped EXE
PID:4172 -
\??\c:\o426044.exec:\o426044.exe47⤵
- Executes dropped EXE
PID:1804 -
\??\c:\62260.exec:\62260.exe48⤵
- Executes dropped EXE
PID:1316 -
\??\c:\a4642.exec:\a4642.exe49⤵
- Executes dropped EXE
PID:1664 -
\??\c:\4620426.exec:\4620426.exe50⤵
- Executes dropped EXE
PID:4488 -
\??\c:\jppjd.exec:\jppjd.exe51⤵
- Executes dropped EXE
PID:1232 -
\??\c:\5hbbtn.exec:\5hbbtn.exe52⤵
- Executes dropped EXE
PID:4956 -
\??\c:\44008.exec:\44008.exe53⤵
- Executes dropped EXE
PID:464 -
\??\c:\8020882.exec:\8020882.exe54⤵
- Executes dropped EXE
PID:372 -
\??\c:\btbnhb.exec:\btbnhb.exe55⤵
- Executes dropped EXE
PID:2592 -
\??\c:\btbntn.exec:\btbntn.exe56⤵
- Executes dropped EXE
PID:2232 -
\??\c:\6660886.exec:\6660886.exe57⤵
- Executes dropped EXE
PID:4112 -
\??\c:\u686482.exec:\u686482.exe58⤵
- Executes dropped EXE
PID:4740 -
\??\c:\6486064.exec:\6486064.exe59⤵
- Executes dropped EXE
PID:2104 -
\??\c:\28048.exec:\28048.exe60⤵
- Executes dropped EXE
PID:1348 -
\??\c:\48204.exec:\48204.exe61⤵
- Executes dropped EXE
PID:4412 -
\??\c:\02024.exec:\02024.exe62⤵
- Executes dropped EXE
PID:2308 -
\??\c:\844826.exec:\844826.exe63⤵
- Executes dropped EXE
PID:1436 -
\??\c:\s4026.exec:\s4026.exe64⤵
- Executes dropped EXE
PID:3048 -
\??\c:\2882682.exec:\2882682.exe65⤵
- Executes dropped EXE
PID:1732 -
\??\c:\jdvvj.exec:\jdvvj.exe66⤵
- Executes dropped EXE
PID:1928 -
\??\c:\26882.exec:\26882.exe67⤵PID:2144
-
\??\c:\4004826.exec:\4004826.exe68⤵PID:2480
-
\??\c:\08644.exec:\08644.exe69⤵PID:2200
-
\??\c:\602248.exec:\602248.exe70⤵PID:1972
-
\??\c:\lxxxrlf.exec:\lxxxrlf.exe71⤵PID:3144
-
\??\c:\844820.exec:\844820.exe72⤵PID:768
-
\??\c:\frfffxx.exec:\frfffxx.exe73⤵PID:1644
-
\??\c:\640424.exec:\640424.exe74⤵PID:4384
-
\??\c:\bntnnt.exec:\bntnnt.exe75⤵PID:3360
-
\??\c:\2820266.exec:\2820266.exe76⤵PID:4316
-
\??\c:\ntbbnb.exec:\ntbbnb.exe77⤵PID:764
-
\??\c:\vjjjd.exec:\vjjjd.exe78⤵PID:4856
-
\??\c:\68604.exec:\68604.exe79⤵PID:3036
-
\??\c:\vdvdd.exec:\vdvdd.exe80⤵PID:1044
-
\??\c:\04482.exec:\04482.exe81⤵PID:4436
-
\??\c:\8660482.exec:\8660482.exe82⤵PID:3128
-
\??\c:\xlfflxx.exec:\xlfflxx.exe83⤵PID:3508
-
\??\c:\u664260.exec:\u664260.exe84⤵PID:4300
-
\??\c:\djjjv.exec:\djjjv.exe85⤵PID:4192
-
\??\c:\dpvdp.exec:\dpvdp.exe86⤵PID:3808
-
\??\c:\k84080.exec:\k84080.exe87⤵PID:5008
-
\??\c:\6022082.exec:\6022082.exe88⤵PID:2800
-
\??\c:\40602.exec:\40602.exe89⤵PID:2364
-
\??\c:\2060444.exec:\2060444.exe90⤵PID:2896
-
\??\c:\nnbbhh.exec:\nnbbhh.exe91⤵PID:4524
-
\??\c:\0400028.exec:\0400028.exe92⤵PID:1868
-
\??\c:\vjpjj.exec:\vjpjj.exe93⤵PID:1544
-
\??\c:\o626482.exec:\o626482.exe94⤵PID:4796
-
\??\c:\0426048.exec:\0426048.exe95⤵PID:3244
-
\??\c:\8664860.exec:\8664860.exe96⤵PID:4472
-
\??\c:\04684.exec:\04684.exe97⤵PID:1188
-
\??\c:\8446486.exec:\8446486.exe98⤵PID:3584
-
\??\c:\tnthnb.exec:\tnthnb.exe99⤵PID:4112
-
\??\c:\dvvpd.exec:\dvvpd.exe100⤵PID:512
-
\??\c:\rxxrllf.exec:\rxxrllf.exe101⤵PID:1348
-
\??\c:\llrrfxx.exec:\llrrfxx.exe102⤵PID:516
-
\??\c:\e24266.exec:\e24266.exe103⤵PID:1468
-
\??\c:\pjvjp.exec:\pjvjp.exe104⤵PID:2336
-
\??\c:\02880.exec:\02880.exe105⤵PID:4248
-
\??\c:\jvjjj.exec:\jvjjj.exe106⤵PID:1708
-
\??\c:\xxxlrxl.exec:\xxxlrxl.exe107⤵PID:1800
-
\??\c:\1jjdv.exec:\1jjdv.exe108⤵PID:2552
-
\??\c:\6008000.exec:\6008000.exe109⤵PID:1244
-
\??\c:\jpvpj.exec:\jpvpj.exe110⤵PID:2140
-
\??\c:\1xfxlfl.exec:\1xfxlfl.exe111⤵PID:4168
-
\??\c:\82480.exec:\82480.exe112⤵PID:1496
-
\??\c:\006002.exec:\006002.exe113⤵PID:4764
-
\??\c:\jpjpv.exec:\jpjpv.exe114⤵PID:3360
-
\??\c:\rffxxrr.exec:\rffxxrr.exe115⤵PID:632
-
\??\c:\jjjvd.exec:\jjjvd.exe116⤵PID:4856
-
\??\c:\dpvvj.exec:\dpvvj.exe117⤵PID:4660
-
\??\c:\ntbbnn.exec:\ntbbnn.exe118⤵PID:3632
-
\??\c:\i060488.exec:\i060488.exe119⤵PID:4364
-
\??\c:\jvvpj.exec:\jvvpj.exe120⤵PID:2160
-
\??\c:\0804244.exec:\0804244.exe121⤵PID:3760
-
\??\c:\28822.exec:\28822.exe122⤵PID:2528