Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
12-02-2024 18:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-02-12_1a50754d2035b1baadc5d27d412139eb_mafia.exe
Resource
win7-20231215-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-02-12_1a50754d2035b1baadc5d27d412139eb_mafia.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-02-12_1a50754d2035b1baadc5d27d412139eb_mafia.exe
-
Size
488KB
-
MD5
1a50754d2035b1baadc5d27d412139eb
-
SHA1
f2092f4b69b1c31cdf3b54eed23f4979df0f5b23
-
SHA256
e0d2057e3c4cd70df91a33d472c63b97b195505943c52e89f901c1901e39541f
-
SHA512
4de68488ba0971364fd9ebe37efffbabb70e6002ad777c995fc10ba144b6487b9b8467a207b6adfa96dab0690e013151a891936398dd191b38e8faea22ec09e4
-
SSDEEP
12288:/U5rCOTeiDNllp4mglYxwi0197QsrLst1kNZ:/UQOJD3r4dYxwFBstCN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_1a50754d2035b1baadc5d27d412139eb_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_1a50754d2035b1baadc5d27d412139eb_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\5DAA.tmp"C:\Users\Admin\AppData\Local\Temp\5DAA.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\5E65.tmp"C:\Users\Admin\AppData\Local\Temp\5E65.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\5F7E.tmp"C:\Users\Admin\AppData\Local\Temp\5F7E.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\6078.tmp"C:\Users\Admin\AppData\Local\Temp\6078.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\6190.tmp"C:\Users\Admin\AppData\Local\Temp\6190.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\627A.tmp"C:\Users\Admin\AppData\Local\Temp\627A.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\6345.tmp"C:\Users\Admin\AppData\Local\Temp\6345.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\6420.tmp"C:\Users\Admin\AppData\Local\Temp\6420.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\6519.tmp"C:\Users\Admin\AppData\Local\Temp\6519.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\6603.tmp"C:\Users\Admin\AppData\Local\Temp\6603.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\66CE.tmp"C:\Users\Admin\AppData\Local\Temp\66CE.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\67B8.tmp"C:\Users\Admin\AppData\Local\Temp\67B8.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Users\Admin\AppData\Local\Temp\68B2.tmp"C:\Users\Admin\AppData\Local\Temp\68B2.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Users\Admin\AppData\Local\Temp\699C.tmp"C:\Users\Admin\AppData\Local\Temp\699C.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\6A57.tmp"C:\Users\Admin\AppData\Local\Temp\6A57.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\6B03.tmp"C:\Users\Admin\AppData\Local\Temp\6B03.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\6BDD.tmp"C:\Users\Admin\AppData\Local\Temp\6BDD.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\6CA8.tmp"C:\Users\Admin\AppData\Local\Temp\6CA8.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\6D82.tmp"C:\Users\Admin\AppData\Local\Temp\6D82.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\6E5D.tmp"C:\Users\Admin\AppData\Local\Temp\6E5D.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\6F47.tmp"C:\Users\Admin\AppData\Local\Temp\6F47.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\70CD.tmp"C:\Users\Admin\AppData\Local\Temp\70CD.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\7188.tmp"C:\Users\Admin\AppData\Local\Temp\7188.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\7214.tmp"C:\Users\Admin\AppData\Local\Temp\7214.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\7291.tmp"C:\Users\Admin\AppData\Local\Temp\7291.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\730E.tmp"C:\Users\Admin\AppData\Local\Temp\730E.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\736B.tmp"C:\Users\Admin\AppData\Local\Temp\736B.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\73D9.tmp"C:\Users\Admin\AppData\Local\Temp\73D9.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\7455.tmp"C:\Users\Admin\AppData\Local\Temp\7455.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Users\Admin\AppData\Local\Temp\74C3.tmp"C:\Users\Admin\AppData\Local\Temp\74C3.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\7530.tmp"C:\Users\Admin\AppData\Local\Temp\7530.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\75AD.tmp"C:\Users\Admin\AppData\Local\Temp\75AD.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\760A.tmp"C:\Users\Admin\AppData\Local\Temp\760A.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:512 -
C:\Users\Admin\AppData\Local\Temp\7677.tmp"C:\Users\Admin\AppData\Local\Temp\7677.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\76E5.tmp"C:\Users\Admin\AppData\Local\Temp\76E5.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Users\Admin\AppData\Local\Temp\7761.tmp"C:\Users\Admin\AppData\Local\Temp\7761.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\77DE.tmp"C:\Users\Admin\AppData\Local\Temp\77DE.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Users\Admin\AppData\Local\Temp\786B.tmp"C:\Users\Admin\AppData\Local\Temp\786B.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\78C8.tmp"C:\Users\Admin\AppData\Local\Temp\78C8.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\7945.tmp"C:\Users\Admin\AppData\Local\Temp\7945.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\79B2.tmp"C:\Users\Admin\AppData\Local\Temp\79B2.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\7A2F.tmp"C:\Users\Admin\AppData\Local\Temp\7A2F.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\7AAC.tmp"C:\Users\Admin\AppData\Local\Temp\7AAC.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\7B19.tmp"C:\Users\Admin\AppData\Local\Temp\7B19.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\7B96.tmp"C:\Users\Admin\AppData\Local\Temp\7B96.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Users\Admin\AppData\Local\Temp\7BF3.tmp"C:\Users\Admin\AppData\Local\Temp\7BF3.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\7C61.tmp"C:\Users\Admin\AppData\Local\Temp\7C61.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\7CCE.tmp"C:\Users\Admin\AppData\Local\Temp\7CCE.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\7D2B.tmp"C:\Users\Admin\AppData\Local\Temp\7D2B.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\7D89.tmp"C:\Users\Admin\AppData\Local\Temp\7D89.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\7DF6.tmp"C:\Users\Admin\AppData\Local\Temp\7DF6.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\7E73.tmp"C:\Users\Admin\AppData\Local\Temp\7E73.tmp"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\7EE0.tmp"C:\Users\Admin\AppData\Local\Temp\7EE0.tmp"54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\7F5D.tmp"C:\Users\Admin\AppData\Local\Temp\7F5D.tmp"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\7FAB.tmp"C:\Users\Admin\AppData\Local\Temp\7FAB.tmp"56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\8028.tmp"C:\Users\Admin\AppData\Local\Temp\8028.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\8085.tmp"C:\Users\Admin\AppData\Local\Temp\8085.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\8102.tmp"C:\Users\Admin\AppData\Local\Temp\8102.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\816F.tmp"C:\Users\Admin\AppData\Local\Temp\816F.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\81EC.tmp"C:\Users\Admin\AppData\Local\Temp\81EC.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\8269.tmp"C:\Users\Admin\AppData\Local\Temp\8269.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\82F5.tmp"C:\Users\Admin\AppData\Local\Temp\82F5.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\8334.tmp"C:\Users\Admin\AppData\Local\Temp\8334.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\83B1.tmp"C:\Users\Admin\AppData\Local\Temp\83B1.tmp"65⤵
- Executes dropped EXE
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\840E.tmp"C:\Users\Admin\AppData\Local\Temp\840E.tmp"66⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\846C.tmp"C:\Users\Admin\AppData\Local\Temp\846C.tmp"67⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\84E9.tmp"C:\Users\Admin\AppData\Local\Temp\84E9.tmp"68⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\8611.tmp"C:\Users\Admin\AppData\Local\Temp\8611.tmp"69⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\868E.tmp"C:\Users\Admin\AppData\Local\Temp\868E.tmp"70⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\86FB.tmp"C:\Users\Admin\AppData\Local\Temp\86FB.tmp"71⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\8778.tmp"C:\Users\Admin\AppData\Local\Temp\8778.tmp"72⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\87F5.tmp"C:\Users\Admin\AppData\Local\Temp\87F5.tmp"73⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\8881.tmp"C:\Users\Admin\AppData\Local\Temp\8881.tmp"74⤵PID:980
-
C:\Users\Admin\AppData\Local\Temp\88FE.tmp"C:\Users\Admin\AppData\Local\Temp\88FE.tmp"75⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\897B.tmp"C:\Users\Admin\AppData\Local\Temp\897B.tmp"76⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\89E8.tmp"C:\Users\Admin\AppData\Local\Temp\89E8.tmp"77⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\8A74.tmp"C:\Users\Admin\AppData\Local\Temp\8A74.tmp"78⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\8B01.tmp"C:\Users\Admin\AppData\Local\Temp\8B01.tmp"79⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\8B7D.tmp"C:\Users\Admin\AppData\Local\Temp\8B7D.tmp"80⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\8BEB.tmp"C:\Users\Admin\AppData\Local\Temp\8BEB.tmp"81⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\8C77.tmp"C:\Users\Admin\AppData\Local\Temp\8C77.tmp"82⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\8CE4.tmp"C:\Users\Admin\AppData\Local\Temp\8CE4.tmp"83⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\8D71.tmp"C:\Users\Admin\AppData\Local\Temp\8D71.tmp"84⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\8DFD.tmp"C:\Users\Admin\AppData\Local\Temp\8DFD.tmp"85⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\8E6A.tmp"C:\Users\Admin\AppData\Local\Temp\8E6A.tmp"86⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\8ED7.tmp"C:\Users\Admin\AppData\Local\Temp\8ED7.tmp"87⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\8F45.tmp"C:\Users\Admin\AppData\Local\Temp\8F45.tmp"88⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\8FD1.tmp"C:\Users\Admin\AppData\Local\Temp\8FD1.tmp"89⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\904E.tmp"C:\Users\Admin\AppData\Local\Temp\904E.tmp"90⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\90CB.tmp"C:\Users\Admin\AppData\Local\Temp\90CB.tmp"91⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\9147.tmp"C:\Users\Admin\AppData\Local\Temp\9147.tmp"92⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\91B5.tmp"C:\Users\Admin\AppData\Local\Temp\91B5.tmp"93⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\9212.tmp"C:\Users\Admin\AppData\Local\Temp\9212.tmp"94⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\927F.tmp"C:\Users\Admin\AppData\Local\Temp\927F.tmp"95⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\92ED.tmp"C:\Users\Admin\AppData\Local\Temp\92ED.tmp"96⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\935A.tmp"C:\Users\Admin\AppData\Local\Temp\935A.tmp"97⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\93D7.tmp"C:\Users\Admin\AppData\Local\Temp\93D7.tmp"98⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\9434.tmp"C:\Users\Admin\AppData\Local\Temp\9434.tmp"99⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\9492.tmp"C:\Users\Admin\AppData\Local\Temp\9492.tmp"100⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\94EF.tmp"C:\Users\Admin\AppData\Local\Temp\94EF.tmp"101⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\954D.tmp"C:\Users\Admin\AppData\Local\Temp\954D.tmp"102⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\95AB.tmp"C:\Users\Admin\AppData\Local\Temp\95AB.tmp"103⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\9608.tmp"C:\Users\Admin\AppData\Local\Temp\9608.tmp"104⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\9675.tmp"C:\Users\Admin\AppData\Local\Temp\9675.tmp"105⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\96E3.tmp"C:\Users\Admin\AppData\Local\Temp\96E3.tmp"106⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\9750.tmp"C:\Users\Admin\AppData\Local\Temp\9750.tmp"107⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\97BD.tmp"C:\Users\Admin\AppData\Local\Temp\97BD.tmp"108⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\982A.tmp"C:\Users\Admin\AppData\Local\Temp\982A.tmp"109⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\9897.tmp"C:\Users\Admin\AppData\Local\Temp\9897.tmp"110⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\9914.tmp"C:\Users\Admin\AppData\Local\Temp\9914.tmp"111⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\9981.tmp"C:\Users\Admin\AppData\Local\Temp\9981.tmp"112⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\9A8B.tmp"C:\Users\Admin\AppData\Local\Temp\9A8B.tmp"113⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\9B07.tmp"C:\Users\Admin\AppData\Local\Temp\9B07.tmp"114⤵PID:856
-
C:\Users\Admin\AppData\Local\Temp\9B84.tmp"C:\Users\Admin\AppData\Local\Temp\9B84.tmp"115⤵PID:1352
-
C:\Users\Admin\AppData\Local\Temp\9C01.tmp"C:\Users\Admin\AppData\Local\Temp\9C01.tmp"116⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\9C8D.tmp"C:\Users\Admin\AppData\Local\Temp\9C8D.tmp"117⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\9CFB.tmp"C:\Users\Admin\AppData\Local\Temp\9CFB.tmp"118⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\9D58.tmp"C:\Users\Admin\AppData\Local\Temp\9D58.tmp"119⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\9DD5.tmp"C:\Users\Admin\AppData\Local\Temp\9DD5.tmp"120⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\9E52.tmp"C:\Users\Admin\AppData\Local\Temp\9E52.tmp"121⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\9EDE.tmp"C:\Users\Admin\AppData\Local\Temp\9EDE.tmp"122⤵PID:1588