ca12c13c97efd68810f71d428685b3c594d727042826522db142b803cec864af

Analysis

max time kernel
151s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_0b4fec693b311ddcd3252712a64f57bb_mafia.exe
Size

486KB
MD5

0b4fec693b311ddcd3252712a64f57bb
SHA1

69146112d4480834b226ffc27b9a01123421e662
SHA256

ca12c13c97efd68810f71d428685b3c594d727042826522db142b803cec864af
SHA512

ed9d8cb4c677d695c96ee0fbe8beee7df0951f106705cfe6e2bec7c0edd096c2b3c68b1cce3f75fe8b223f1c879c6d5b8443a1139248e23fa88b8342a4752813
SSDEEP

12288:/U5rCOTeiDUAW9prtw/tky0wtGmxb/gLZTEfWNZ:/UQOJDUAWX6/tJGmbqmeN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3736	D62C.tmp
3256	D716.tmp
4624	D7B3.tmp
1392	D830.tmp
1920	wmiprvse.exe
2072	D92A.tmp
1388	EE86.tmp
2852	DA04.tmp
3724	DADF.tmp
4608	DB6C.tmp
4640	DBF8.tmp
392	DC75.tmp
4520	DD12.tmp
2168	svchost.exe
2728	DE4A.tmp
1992	DEC7.tmp
448	DF54.tmp
2388	E01F.tmp
3076	E08C.tmp
2200	E109.tmp
2612	F721.tmp
1168	2390.tmp
372	F80C.tmp
3740	BackgroundTransferHost.exe
3512	E38A.tmp
2528	75E.tmp
2136	F9D1.tmp
2108	E58D.tmp
2920	E639.tmp
4032	E6B6.tmp
1368	E724.tmp
3648	E791.tmp
4884	E80E.tmp
3392	E89B.tmp
2224	E927.tmp
3088	E9A4.tmp
3140	EA21.tmp
3884	sihclient.exe
2996	EB5A.tmp
4292	EBB8.tmp
2116	EC44.tmp
1656	ECB2.tmp
2628	ED1F.tmp
1640	ED7D.tmp
916	D97.tmp
1388	EE86.tmp
1776	EF03.tmp
2940	EF80.tmp
1128	2853.tmp
2724	F0B9.tmp
1720	F145.tmp
2824	F1B3.tmp
3600	F24F.tmp
2340	1EF.tmp
424	F349.tmp
2280	308.tmp
2752	F443.tmp
2124	F4D0.tmp
1880	F56C.tmp
5064	F5D9.tmp
212	F6B4.tmp
2612	F721.tmp
1168	2390.tmp
372	F80C.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3736	3356	2024-01-10_0b4fec693b311ddcd3252712a64f57bb_mafia.exe	90
PID 3356 wrote to memory of 3736	3356	2024-01-10_0b4fec693b311ddcd3252712a64f57bb_mafia.exe	90
PID 3356 wrote to memory of 3736	3356	2024-01-10_0b4fec693b311ddcd3252712a64f57bb_mafia.exe	90
PID 3736 wrote to memory of 3256	3736	D62C.tmp	92
PID 3736 wrote to memory of 3256	3736	D62C.tmp	92
PID 3736 wrote to memory of 3256	3736	D62C.tmp	92
PID 3256 wrote to memory of 4624	3256	D716.tmp	144
PID 3256 wrote to memory of 4624	3256	D716.tmp	144
PID 3256 wrote to memory of 4624	3256	D716.tmp	144
PID 4624 wrote to memory of 1392	4624	D7B3.tmp	141
PID 4624 wrote to memory of 1392	4624	D7B3.tmp	141
PID 4624 wrote to memory of 1392	4624	D7B3.tmp	141
PID 1392 wrote to memory of 1920	1392	D830.tmp	171
PID 1392 wrote to memory of 1920	1392	D830.tmp	171
PID 1392 wrote to memory of 1920	1392	D830.tmp	171
PID 1920 wrote to memory of 2072	1920	wmiprvse.exe	140
PID 1920 wrote to memory of 2072	1920	wmiprvse.exe	140
PID 1920 wrote to memory of 2072	1920	wmiprvse.exe	140
PID 2072 wrote to memory of 1388	2072	D92A.tmp	127
PID 2072 wrote to memory of 1388	2072	D92A.tmp	127
PID 2072 wrote to memory of 1388	2072	D92A.tmp	127
PID 1388 wrote to memory of 2852	1388	EE86.tmp	138
PID 1388 wrote to memory of 2852	1388	EE86.tmp	138
PID 1388 wrote to memory of 2852	1388	EE86.tmp	138
PID 2852 wrote to memory of 3724	2852	DA04.tmp	95
PID 2852 wrote to memory of 3724	2852	DA04.tmp	95
PID 2852 wrote to memory of 3724	2852	DA04.tmp	95
PID 3724 wrote to memory of 4608	3724	DADF.tmp	136
PID 3724 wrote to memory of 4608	3724	DADF.tmp	136
PID 3724 wrote to memory of 4608	3724	DADF.tmp	136
PID 4608 wrote to memory of 4640	4608	DB6C.tmp	134
PID 4608 wrote to memory of 4640	4608	DB6C.tmp	134
PID 4608 wrote to memory of 4640	4608	DB6C.tmp	134
PID 4640 wrote to memory of 392	4640	DBF8.tmp	96
PID 4640 wrote to memory of 392	4640	DBF8.tmp	96
PID 4640 wrote to memory of 392	4640	DBF8.tmp	96
PID 392 wrote to memory of 4520	392	DC75.tmp	131
PID 392 wrote to memory of 4520	392	DC75.tmp	131
PID 392 wrote to memory of 4520	392	DC75.tmp	131
PID 4520 wrote to memory of 2168	4520	DD12.tmp	208
PID 4520 wrote to memory of 2168	4520	DD12.tmp	208
PID 4520 wrote to memory of 2168	4520	DD12.tmp	208
PID 2168 wrote to memory of 2728	2168	svchost.exe	98
PID 2168 wrote to memory of 2728	2168	svchost.exe	98
PID 2168 wrote to memory of 2728	2168	svchost.exe	98
PID 2728 wrote to memory of 1992	2728	DE4A.tmp	99
PID 2728 wrote to memory of 1992	2728	DE4A.tmp	99
PID 2728 wrote to memory of 1992	2728	DE4A.tmp	99
PID 1992 wrote to memory of 448	1992	DEC7.tmp	130
PID 1992 wrote to memory of 448	1992	DEC7.tmp	130
PID 1992 wrote to memory of 448	1992	DEC7.tmp	130
PID 448 wrote to memory of 2388	448	DF54.tmp	129
PID 448 wrote to memory of 2388	448	DF54.tmp	129
PID 448 wrote to memory of 2388	448	DF54.tmp	129
PID 2388 wrote to memory of 3076	2388	E01F.tmp	126
PID 2388 wrote to memory of 3076	2388	E01F.tmp	126
PID 2388 wrote to memory of 3076	2388	E01F.tmp	126
PID 3076 wrote to memory of 2200	3076	E08C.tmp	124
PID 3076 wrote to memory of 2200	3076	E08C.tmp	124
PID 3076 wrote to memory of 2200	3076	E08C.tmp	124
PID 2200 wrote to memory of 2612	2200	E109.tmp	152
PID 2200 wrote to memory of 2612	2200	E109.tmp	152
PID 2200 wrote to memory of 2612	2200	E109.tmp	152
PID 2612 wrote to memory of 1168	2612	F721.tmp	217

C:\Users\Admin\AppData\Local\Temp\2024-01-10_0b4fec693b311ddcd3252712a64f57bb_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_0b4fec693b311ddcd3252712a64f57bb_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\D62C.tmp
  "C:\Users\Admin\AppData\Local\Temp\D62C.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\D716.tmp
    "C:\Users\Admin\AppData\Local\Temp\D716.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\D7B3.tmp
      "C:\Users\Admin\AppData\Local\Temp\D7B3.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4624

C:\Users\Admin\AppData\Local\Temp\D8AD.tmp
"C:\Users\Admin\AppData\Local\Temp\D8AD.tmp"
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\D92A.tmp
  "C:\Users\Admin\AppData\Local\Temp\D92A.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2072

C:\Users\Admin\AppData\Local\Temp\D997.tmp
"C:\Users\Admin\AppData\Local\Temp\D997.tmp"
1⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\DADF.tmp
"C:\Users\Admin\AppData\Local\Temp\DADF.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\DB6C.tmp
  "C:\Users\Admin\AppData\Local\Temp\DB6C.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4608

C:\Users\Admin\AppData\Local\Temp\DC75.tmp
"C:\Users\Admin\AppData\Local\Temp\DC75.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\DD12.tmp
  "C:\Users\Admin\AppData\Local\Temp\DD12.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4520

C:\Users\Admin\AppData\Local\Temp\DDAE.tmp
"C:\Users\Admin\AppData\Local\Temp\DDAE.tmp"
1⤵
PID:2168
- C:\Users\Admin\AppData\Local\Temp\DE4A.tmp
  "C:\Users\Admin\AppData\Local\Temp\DE4A.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\DEC7.tmp
    "C:\Users\Admin\AppData\Local\Temp\DEC7.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\DF54.tmp
      "C:\Users\Admin\AppData\Local\Temp\DF54.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:448

C:\Users\Admin\AppData\Local\Temp\E203.tmp
"C:\Users\Admin\AppData\Local\Temp\E203.tmp"
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\E280.tmp
  "C:\Users\Admin\AppData\Local\Temp\E280.tmp"
  2⤵
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\E30D.tmp
    "C:\Users\Admin\AppData\Local\Temp\E30D.tmp"
    3⤵
    PID:3740

C:\Users\Admin\AppData\Local\Temp\E407.tmp
"C:\Users\Admin\AppData\Local\Temp\E407.tmp"
1⤵
PID:2528
- C:\Users\Admin\AppData\Local\Temp\E484.tmp
  "C:\Users\Admin\AppData\Local\Temp\E484.tmp"
  2⤵
  PID:2136

C:\Users\Admin\AppData\Local\Temp\E38A.tmp
"C:\Users\Admin\AppData\Local\Temp\E38A.tmp"
1⤵
- Executes dropped EXE
PID:3512

C:\Users\Admin\AppData\Local\Temp\E58D.tmp
"C:\Users\Admin\AppData\Local\Temp\E58D.tmp"
1⤵
- Executes dropped EXE
PID:2108
- C:\Users\Admin\AppData\Local\Temp\E639.tmp
  "C:\Users\Admin\AppData\Local\Temp\E639.tmp"
  2⤵
  - Executes dropped EXE
  PID:2920

C:\Users\Admin\AppData\Local\Temp\E80E.tmp
"C:\Users\Admin\AppData\Local\Temp\E80E.tmp"
1⤵
- Executes dropped EXE
PID:4884
- C:\Users\Admin\AppData\Local\Temp\E89B.tmp
  "C:\Users\Admin\AppData\Local\Temp\E89B.tmp"
  2⤵
  - Executes dropped EXE
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\E927.tmp
    "C:\Users\Admin\AppData\Local\Temp\E927.tmp"
    3⤵
    - Executes dropped EXE
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\E9A4.tmp
      "C:\Users\Admin\AppData\Local\Temp\E9A4.tmp"
      4⤵
      Executes dropped EXE
      PID:3088
    - - C:\Users\Admin\AppData\Local\Temp\EA21.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EA21.tmp"
        5⤵
        Executes dropped EXE
        
        PID:3140
      - C:\Users\Admin\AppData\Local\Temp\EACD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EACD.tmp"
        6⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\EB5A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EB5A.tmp"
        7⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\EBB8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EBB8.tmp"
        8⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\EC44.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EC44.tmp"
        9⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\ECB2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ECB2.tmp"
        10⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\ED1F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ED1F.tmp"
        11⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\ED7D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ED7D.tmp"
        12⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\EE19.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EE19.tmp"
        13⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\EE86.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EE86.tmp"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\EF03.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EF03.tmp"
        15⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\EF80.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EF80.tmp"
        16⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\F05B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F05B.tmp"
        17⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\F0B9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F0B9.tmp"
        18⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\F145.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F145.tmp"
        19⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\F1B3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F1B3.tmp"
        20⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\F24F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F24F.tmp"
        21⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\F2BC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F2BC.tmp"
        22⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\F349.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F349.tmp"
        23⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\F3D6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F3D6.tmp"
        24⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\F443.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F443.tmp"
        25⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\F4D0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F4D0.tmp"
        26⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\F56C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F56C.tmp"
        27⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\F5D9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F5D9.tmp"
        28⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\F6B4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F6B4.tmp"
        29⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\F721.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F721.tmp"
        30⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\F79E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F79E.tmp"
        31⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\F80C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F80C.tmp"
        32⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\F86A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F86A.tmp"
        33⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\F906.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F906.tmp"
        34⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\F964.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F964.tmp"
        35⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\F9D1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F9D1.tmp"
        36⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\FB09.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FB09.tmp"
        37⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\FB77.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FB77.tmp"
        38⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\FBD5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FBD5.tmp"
        39⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\FC42.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FC42.tmp"
        40⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\FCAF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FCAF.tmp"
        41⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\FD1D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FD1D.tmp"
        42⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\FD7A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FD7A.tmp"
        43⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\FE17.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FE17.tmp"
        44⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\23DF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\23DF.tmp"
        32⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\242D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\242D.tmp"
        33⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\24AA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\24AA.tmp"
        34⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2517.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2517.tmp"
        35⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\2584.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2584.tmp"
        36⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\25F2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\25F2.tmp"
        37⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2788.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2788.tmp"
        38⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\DA04.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DA04.tmp"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852

C:\Users\Admin\AppData\Local\Temp\E791.tmp
"C:\Users\Admin\AppData\Local\Temp\E791.tmp"
1⤵
- Executes dropped EXE
PID:3648

C:\Users\Admin\AppData\Local\Temp\E724.tmp
"C:\Users\Admin\AppData\Local\Temp\E724.tmp"
1⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\E6B6.tmp
"C:\Users\Admin\AppData\Local\Temp\E6B6.tmp"
1⤵
- Executes dropped EXE
PID:4032

C:\Users\Admin\AppData\Local\Temp\E186.tmp
"C:\Users\Admin\AppData\Local\Temp\E186.tmp"
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\E109.tmp
"C:\Users\Admin\AppData\Local\Temp\E109.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\E08C.tmp
"C:\Users\Admin\AppData\Local\Temp\E08C.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\E01F.tmp
"C:\Users\Admin\AppData\Local\Temp\E01F.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\DBF8.tmp
"C:\Users\Admin\AppData\Local\Temp\DBF8.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\D830.tmp
"C:\Users\Admin\AppData\Local\Temp\D830.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv N7FIgLUv506ns6JsNY+Fvg.0.2
1⤵
- Executes dropped EXE
PID:3884

C:\Users\Admin\AppData\Local\Temp\FE74.tmp
"C:\Users\Admin\AppData\Local\Temp\FE74.tmp"
1⤵
PID:332
- C:\Users\Admin\AppData\Local\Temp\FEF1.tmp
  "C:\Users\Admin\AppData\Local\Temp\FEF1.tmp"
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\FF4F.tmp
    "C:\Users\Admin\AppData\Local\Temp\FF4F.tmp"
    3⤵
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\FFFB.tmp
      "C:\Users\Admin\AppData\Local\Temp\FFFB.tmp"
      4⤵
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\68.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\68.tmp"
        5⤵
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\105.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\105.tmp"
        6⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\172.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\172.tmp"
        7⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\1EF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1EF.tmp"
        8⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\28B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\28B.tmp"
        9⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\308.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\308.tmp"
        10⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\366.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\366.tmp"
        11⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3D3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3D3.tmp"
        12⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\441.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\441.tmp"
        13⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\49F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\49F.tmp"
        14⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\53B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\53B.tmp"
        15⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\5B8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5B8.tmp"
        16⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\635.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\635.tmp"
        17⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\6D1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6D1.tmp"
        18⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\75E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\75E.tmp"
        19⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\7BB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7BB.tmp"
        20⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\858.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\858.tmp"
        21⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\8D5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8D5.tmp"
        22⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\952.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\952.tmp"
        23⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\9CF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9CF.tmp"
        24⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\A2C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A2C.tmp"
        25⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\A8A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A8A.tmp"
        26⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\AF8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AF8.tmp"
        27⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\B75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B75.tmp"
        28⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\BE2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BE2.tmp"
        29⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\C4F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C4F.tmp"
        30⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\CAD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CAD.tmp"
        31⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\D1A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D1A.tmp"
        32⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\D97.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D97.tmp"
        33⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\E14.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E14.tmp"
        34⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\E82.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E82.tmp"
        35⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\F0E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F0E.tmp"
        36⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\1F1C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1F1C.tmp"
        37⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\22B6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\22B6.tmp"
        38⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\2333.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2333.tmp"
        39⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\2390.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2390.tmp"
        40⤵
        Executes dropped EXE
        
        PID:1168

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
PID:3740

C:\Users\Admin\AppData\Local\Temp\27F5.tmp
"C:\Users\Admin\AppData\Local\Temp\27F5.tmp"
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\2853.tmp
  "C:\Users\Admin\AppData\Local\Temp\2853.tmp"
  2⤵
  - Executes dropped EXE
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\28C1.tmp
    "C:\Users\Admin\AppData\Local\Temp\28C1.tmp"
    3⤵
    PID:424
  - - C:\Users\Admin\AppData\Local\Temp\4234.tmp
      "C:\Users\Admin\AppData\Local\Temp\4234.tmp"
      4⤵
      PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\4B3D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4B3D.tmp"
        5⤵
        
        PID:3272
      - C:\Users\Admin\AppData\Local\Temp\4BD9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4BD9.tmp"
        6⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\580E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\580E.tmp"
        7⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\6647.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6647.tmp"
        8⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\6A9C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6A9C.tmp"
        9⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\82B8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\82B8.tmp"
        10⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\93EE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\93EE.tmp"
        11⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\9611.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9611.tmp"
        12⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\97E6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\97E6.tmp"
        13⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\998C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\998C.tmp"
        14⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\9A47.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9A47.tmp"
        15⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\9B9F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9B9F.tmp"
        16⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\9BFD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9BFD.tmp"
        17⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\9D54.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9D54.tmp"
        18⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\9DF1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9DF1.tmp"
        19⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\9EDB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9EDB.tmp"
        20⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\A052.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A052.tmp"
        21⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\A17B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A17B.tmp"
        22⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\A207.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A207.tmp"
        23⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\A3DC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A3DC.tmp"
        24⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\A544.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A544.tmp"
        25⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\A60F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A60F.tmp"
        26⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\A6DA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A6DA.tmp"
        27⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\A7D4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A7D4.tmp"
        28⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A841.tmp"
        29⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\A8BE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A8BE.tmp"
        30⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\A91C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A91C.tmp"
        31⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\A97A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A97A.tmp"
        32⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\A9F7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A9F7.tmp"
        33⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\AA93.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AA93.tmp"
        34⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\AB00.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AB00.tmp"
        35⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\ABBC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ABBC.tmp"
        36⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\AC1A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AC1A.tmp"
        37⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\AC87.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AC87.tmp"
        38⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\ACE5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ACE5.tmp"
        39⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\AD52.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AD52.tmp"
        40⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\ADB0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ADB0.tmp"
        41⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\AE4C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AE4C.tmp"
        42⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\AEAA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AEAA.tmp"
        43⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\AF36.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AF36.tmp"
        44⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\AFE2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AFE2.tmp"
        45⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\B050.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B050.tmp"
        46⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\B10B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B10B.tmp"
        47⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\B179.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B179.tmp"
        48⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\B205.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B205.tmp"
        49⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\B2D0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B2D0.tmp"
        50⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\B33E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B33E.tmp"
        51⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\B409.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B409.tmp"
        52⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\B467.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B467.tmp"
        53⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\B4D4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B4D4.tmp"
        54⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\B541.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B541.tmp"
        55⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\B5AF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B5AF.tmp"
        56⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\B64B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B64B.tmp"
        57⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\B6A9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B6A9.tmp"
        58⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\B745.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B745.tmp"
        59⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\B7A3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B7A3.tmp"
        60⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\B820.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B820.tmp"
        61⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\B8CC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B8CC.tmp"
        62⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\B929.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B929.tmp"
        63⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\B997.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B997.tmp"
        64⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\BA71.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BA71.tmp"
        65⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\BB7B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BB7B.tmp"
        66⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\BBF8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BBF8.tmp"
        67⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\BC75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BC75.tmp"
        68⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\BD11.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BD11.tmp"
        69⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\BD7F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BD7F.tmp"
        70⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\BDEC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BDEC.tmp"
        71⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\BE88.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BE88.tmp"
        72⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\BEE6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BEE6.tmp"
        73⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\BF53.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BF53.tmp"
        74⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\C02E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C02E.tmp"
        75⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\C09C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C09C.tmp"
        9⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\C119.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C119.tmp"
        10⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\C1A5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C1A5.tmp"
        11⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\C203.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C203.tmp"
        12⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\C270.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C270.tmp"
        13⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\C2ED.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C2ED.tmp"
        14⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\C33B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C33B.tmp"
        15⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\C3C8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C3C8.tmp"
        16⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\C426.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C426.tmp"
        17⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\C484.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C484.tmp"
        18⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\C4E1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C4E1.tmp"
        19⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\C54F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C54F.tmp"
        20⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\C5CC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C5CC.tmp"
        21⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\C629.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C629.tmp"
        22⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\C687.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C687.tmp"
        23⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\C6F5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C6F5.tmp"
        24⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\C752.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C752.tmp"
        25⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\C7B0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C7B0.tmp"
        26⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\C7FE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C7FE.tmp"
        27⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\C87B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C87B.tmp"
        28⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\C8D9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C8D9.tmp"
        29⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\C927.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C927.tmp"
        30⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\C985.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C985.tmp"
        31⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\C9F2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C9F2.tmp"
        32⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\CA50.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CA50.tmp"
        33⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\DBB5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DBB5.tmp"
        34⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\E8B5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E8B5.tmp"
        35⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\FC2E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FC2E.tmp"
        36⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\B22.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B22.tmp"
        37⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\1488.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1488.tmp"
        38⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\1B3F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1B3F.tmp"
        39⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\1BAC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1BAC.tmp"
        40⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\33D8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\33D8.tmp"
        41⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\4462.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4462.tmp"
        42⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\44CF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\44CF.tmp"
        43⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\451D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\451D.tmp"
        44⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\457B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\457B.tmp"
        45⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\45E9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\45E9.tmp"
        46⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\4656.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4656.tmp"
        47⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\46B4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\46B4.tmp"
        48⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\54FC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\54FC.tmp"
        49⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\5FAA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5FAA.tmp"
        50⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\6400.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6400.tmp"
        51⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\6817.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6817.tmp"
        52⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\78D0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\78D0.tmp"
        53⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\8F46.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8F46.tmp"
        54⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\9522.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9522.tmp"
        55⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\958F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\958F.tmp"
        56⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\97D1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\97D1.tmp"
        57⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\986E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\986E.tmp"
        58⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\98EB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\98EB.tmp"
        59⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\9996.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9996.tmp"
        60⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\9A42.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9A42.tmp"
        61⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\9AFE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9AFE.tmp"
        62⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\9B9A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9B9A.tmp"
        63⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\9C36.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9C36.tmp"
        64⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\9CE2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9CE2.tmp"
        65⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\9D7E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9D7E.tmp"
        66⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\9E1B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9E1B.tmp"
        67⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\9EA7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9EA7.tmp"
        68⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\9F24.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9F24.tmp"
        69⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\9FD0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9FD0.tmp"
        70⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\A166.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A166.tmp"
        71⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\A203.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A203.tmp"
        72⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\A28F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A28F.tmp"
        73⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\A34B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A34B.tmp"
        74⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\A3F7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A3F7.tmp"
        75⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\A493.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A493.tmp"
        76⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\A510.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A510.tmp"
        77⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\A60A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A60A.tmp"
        78⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\A6B6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A6B6.tmp"
        79⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\A733.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A733.tmp"
        80⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\A7CF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A7CF.tmp"
        81⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\A88B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A88B.tmp"
        82⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\A936.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A936.tmp"
        83⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\AA02.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AA02.tmp"
        84⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\AAFC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AAFC.tmp"
        85⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\AB69.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AB69.tmp"
        86⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\AC05.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AC05.tmp"
        87⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\ACA1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ACA1.tmp"
        88⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\AD4D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AD4D.tmp"
        89⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\ADDA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ADDA.tmp"
        90⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\AE76.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AE76.tmp"
        91⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\AEF3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AEF3.tmp"
        92⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\AF8F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AF8F.tmp"
        93⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\B01C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B01C.tmp"
        94⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\B0C8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B0C8.tmp"
        95⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\B164.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B164.tmp"
        96⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\B1E1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B1E1.tmp"
        97⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\B26E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B26E.tmp"
        98⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\B30A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B30A.tmp"
        99⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\B387.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B387.tmp"
        100⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\B414.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B414.tmp"
        101⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\B4B0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B4B0.tmp"
        102⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\B56B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B56B.tmp"
        103⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\B646.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B646.tmp"
        104⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\B6D3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B6D3.tmp"
        105⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\B76F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B76F.tmp"
        106⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\B869.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B869.tmp"
        107⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\B905.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B905.tmp"
        108⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\B9A2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B9A2.tmp"
        109⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\BA2E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BA2E.tmp"
        110⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\BADA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BADA.tmp"
        111⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\BB76.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BB76.tmp"
        112⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\BD0D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BD0D.tmp"
        113⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\BDA9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BDA9.tmp"
        114⤵
        
        PID:800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D62C.tmp

Filesize
486KB

MD5
0efbc0da05c0ba5cb1901feb468841b3

SHA1
ac691c30033758e890ec8bf937308be2c4b1276f

SHA256
2d733765d8009a4ab40a5d6bae544deab2d928da5707914794e89b215f41faf1

SHA512
0abd6d0f1299e7c3df4ddcfc0d0b58f9f328b85ec8371f694a4f5f4799339388d4fcc874756d2b51ee3079eb376bbe95ac510d0e037766ad49115891bb8043a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D716.tmp

Filesize
486KB

MD5
cf17f5fa55997aa07379f86a2bbcc268

SHA1
dc4669600bc757973b3f8d616c52bcc1ed58449b

SHA256
51e73d4fb030225f64bb836ab264d938b4e84650af9127ec0d08bf60247dc4ad

SHA512
fbae87f4b9eec11f1853beef99ef922b3f616dd2181dd89f46cc491ef5aa9ade26f4b119fd16c93cc022aef60466abbcef6e003a9dfbd95e66b3fde51ad6d771

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7B3.tmp

Filesize
92KB

MD5
9508f0a03b873df2e238b9ed667ec563

SHA1
c65f85f219b0ce6a6f8779d37ddf67b57f6ca061

SHA256
ce014192893b902d3a2959cb4ab7cfc333569ca89e8c05acf662f041db39d6dc

SHA512
fda1afa5f3e667cb9bcd78d40aad10ade25831ce7165e97031c90259e2384bc1853df671e7f1013073eca871673559e95f662a638d9e5e2fbbe9f1fd482309a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7B3.tmp

Filesize
486KB

MD5
3ce6205c184082d8106e91695256ad42

SHA1
3210f848766562605d7990beda58b8463d2f96cc

SHA256
20a07e42385b53e97b3080ab9e0fe2a3feed10507fcb1fe5b13a98afcad476a6

SHA512
7d60daa201f85e16f4ed1ee1bd43622331bc11801449f4185858a9fd88f6a29d68462daa821f71e14d38be7545f36256f5af9e85f05d7ff09e85474988de5472

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads