Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
09-04-2024 16:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-04-08_29af4b2a038577970e00dd43b3859286_mafia.exe
Resource
win7-20240221-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-04-08_29af4b2a038577970e00dd43b3859286_mafia.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-04-08_29af4b2a038577970e00dd43b3859286_mafia.exe
-
Size
486KB
-
MD5
29af4b2a038577970e00dd43b3859286
-
SHA1
7b6137179b820ed76f342e9a287a14dc575fcd8b
-
SHA256
7393daa2bcb693f8112224519c3ba4f6ed13fba15789e54794cfde2ee9179a02
-
SHA512
efdcbc49c71c4a0bf00f55528d6598c6c8ee7b9a0df8bc5d67bfe13b8ae868ffea4b09dce09c35ad5d27871549077592652a2a3d1f5e5810846f128979f72c55
-
SSDEEP
6144:Forf3lPvovsgZnqG2C7mOTeiLfD7kRiNFimtq7Ahm45Dd/PH5H2nZfGq1jB7VaZQ:UU5rCOTeiDeiXimtq74m4pd/OGs7vNZ
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-08_29af4b2a038577970e00dd43b3859286_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-08_29af4b2a038577970e00dd43b3859286_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\3717.tmp"C:\Users\Admin\AppData\Local\Temp\3717.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\3830.tmp"C:\Users\Admin\AppData\Local\Temp\3830.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\3949.tmp"C:\Users\Admin\AppData\Local\Temp\3949.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\3A33.tmp"C:\Users\Admin\AppData\Local\Temp\3A33.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\3B1D.tmp"C:\Users\Admin\AppData\Local\Temp\3B1D.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\3C26.tmp"C:\Users\Admin\AppData\Local\Temp\3C26.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\3CD2.tmp"C:\Users\Admin\AppData\Local\Temp\3CD2.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\3DBC.tmp"C:\Users\Admin\AppData\Local\Temp\3DBC.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\3E96.tmp"C:\Users\Admin\AppData\Local\Temp\3E96.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\3F80.tmp"C:\Users\Admin\AppData\Local\Temp\3F80.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\407A.tmp"C:\Users\Admin\AppData\Local\Temp\407A.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\4183.tmp"C:\Users\Admin\AppData\Local\Temp\4183.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\427C.tmp"C:\Users\Admin\AppData\Local\Temp\427C.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\4357.tmp"C:\Users\Admin\AppData\Local\Temp\4357.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\4450.tmp"C:\Users\Admin\AppData\Local\Temp\4450.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\452B.tmp"C:\Users\Admin\AppData\Local\Temp\452B.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:240 -
C:\Users\Admin\AppData\Local\Temp\4634.tmp"C:\Users\Admin\AppData\Local\Temp\4634.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\471E.tmp"C:\Users\Admin\AppData\Local\Temp\471E.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\4827.tmp"C:\Users\Admin\AppData\Local\Temp\4827.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\49EC.tmp"C:\Users\Admin\AppData\Local\Temp\49EC.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\4AE5.tmp"C:\Users\Admin\AppData\Local\Temp\4AE5.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Users\Admin\AppData\Local\Temp\4B62.tmp"C:\Users\Admin\AppData\Local\Temp\4B62.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\4C5C.tmp"C:\Users\Admin\AppData\Local\Temp\4C5C.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\4CD8.tmp"C:\Users\Admin\AppData\Local\Temp\4CD8.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\4D65.tmp"C:\Users\Admin\AppData\Local\Temp\4D65.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\4DD2.tmp"C:\Users\Admin\AppData\Local\Temp\4DD2.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\4EDB.tmp"C:\Users\Admin\AppData\Local\Temp\4EDB.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Users\Admin\AppData\Local\Temp\4F48.tmp"C:\Users\Admin\AppData\Local\Temp\4F48.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\5052.tmp"C:\Users\Admin\AppData\Local\Temp\5052.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Users\Admin\AppData\Local\Temp\50CE.tmp"C:\Users\Admin\AppData\Local\Temp\50CE.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\513C.tmp"C:\Users\Admin\AppData\Local\Temp\513C.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\51B8.tmp"C:\Users\Admin\AppData\Local\Temp\51B8.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Users\Admin\AppData\Local\Temp\5235.tmp"C:\Users\Admin\AppData\Local\Temp\5235.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Users\Admin\AppData\Local\Temp\52A2.tmp"C:\Users\Admin\AppData\Local\Temp\52A2.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Users\Admin\AppData\Local\Temp\531F.tmp"C:\Users\Admin\AppData\Local\Temp\531F.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\539C.tmp"C:\Users\Admin\AppData\Local\Temp\539C.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\5419.tmp"C:\Users\Admin\AppData\Local\Temp\5419.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Users\Admin\AppData\Local\Temp\5486.tmp"C:\Users\Admin\AppData\Local\Temp\5486.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\5503.tmp"C:\Users\Admin\AppData\Local\Temp\5503.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\5580.tmp"C:\Users\Admin\AppData\Local\Temp\5580.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\55ED.tmp"C:\Users\Admin\AppData\Local\Temp\55ED.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Users\Admin\AppData\Local\Temp\566A.tmp"C:\Users\Admin\AppData\Local\Temp\566A.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\56F6.tmp"C:\Users\Admin\AppData\Local\Temp\56F6.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\5763.tmp"C:\Users\Admin\AppData\Local\Temp\5763.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Users\Admin\AppData\Local\Temp\57E0.tmp"C:\Users\Admin\AppData\Local\Temp\57E0.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Users\Admin\AppData\Local\Temp\586C.tmp"C:\Users\Admin\AppData\Local\Temp\586C.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\58E9.tmp"C:\Users\Admin\AppData\Local\Temp\58E9.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\5976.tmp"C:\Users\Admin\AppData\Local\Temp\5976.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\59F2.tmp"C:\Users\Admin\AppData\Local\Temp\59F2.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\5A60.tmp"C:\Users\Admin\AppData\Local\Temp\5A60.tmp"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\5ADC.tmp"C:\Users\Admin\AppData\Local\Temp\5ADC.tmp"54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\5B59.tmp"C:\Users\Admin\AppData\Local\Temp\5B59.tmp"55⤵
- Executes dropped EXE
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\5BD6.tmp"C:\Users\Admin\AppData\Local\Temp\5BD6.tmp"56⤵
- Loads dropped DLL
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\5C53.tmp"C:\Users\Admin\AppData\Local\Temp\5C53.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\5CDF.tmp"C:\Users\Admin\AppData\Local\Temp\5CDF.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\5D6C.tmp"C:\Users\Admin\AppData\Local\Temp\5D6C.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\5EF2.tmp"C:\Users\Admin\AppData\Local\Temp\5EF2.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\5FBC.tmp"C:\Users\Admin\AppData\Local\Temp\5FBC.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\6039.tmp"C:\Users\Admin\AppData\Local\Temp\6039.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\60C6.tmp"C:\Users\Admin\AppData\Local\Temp\60C6.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\6142.tmp"C:\Users\Admin\AppData\Local\Temp\6142.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\61BF.tmp"C:\Users\Admin\AppData\Local\Temp\61BF.tmp"65⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\622C.tmp"C:\Users\Admin\AppData\Local\Temp\622C.tmp"66⤵
- Executes dropped EXE
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\62A9.tmp"C:\Users\Admin\AppData\Local\Temp\62A9.tmp"67⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\6307.tmp"C:\Users\Admin\AppData\Local\Temp\6307.tmp"68⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\6393.tmp"C:\Users\Admin\AppData\Local\Temp\6393.tmp"69⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\6410.tmp"C:\Users\Admin\AppData\Local\Temp\6410.tmp"70⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\648D.tmp"C:\Users\Admin\AppData\Local\Temp\648D.tmp"71⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\64FA.tmp"C:\Users\Admin\AppData\Local\Temp\64FA.tmp"72⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\6587.tmp"C:\Users\Admin\AppData\Local\Temp\6587.tmp"73⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\6603.tmp"C:\Users\Admin\AppData\Local\Temp\6603.tmp"74⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\6671.tmp"C:\Users\Admin\AppData\Local\Temp\6671.tmp"75⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\66DE.tmp"C:\Users\Admin\AppData\Local\Temp\66DE.tmp"76⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\675B.tmp"C:\Users\Admin\AppData\Local\Temp\675B.tmp"77⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\67B8.tmp"C:\Users\Admin\AppData\Local\Temp\67B8.tmp"78⤵PID:864
-
C:\Users\Admin\AppData\Local\Temp\6835.tmp"C:\Users\Admin\AppData\Local\Temp\6835.tmp"79⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\68B2.tmp"C:\Users\Admin\AppData\Local\Temp\68B2.tmp"80⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\692F.tmp"C:\Users\Admin\AppData\Local\Temp\692F.tmp"81⤵PID:240
-
C:\Users\Admin\AppData\Local\Temp\69AB.tmp"C:\Users\Admin\AppData\Local\Temp\69AB.tmp"82⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\6A28.tmp"C:\Users\Admin\AppData\Local\Temp\6A28.tmp"83⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\6A95.tmp"C:\Users\Admin\AppData\Local\Temp\6A95.tmp"84⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\6B03.tmp"C:\Users\Admin\AppData\Local\Temp\6B03.tmp"85⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\6B7F.tmp"C:\Users\Admin\AppData\Local\Temp\6B7F.tmp"86⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\6BFC.tmp"C:\Users\Admin\AppData\Local\Temp\6BFC.tmp"87⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\6C79.tmp"C:\Users\Admin\AppData\Local\Temp\6C79.tmp"88⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\6CE6.tmp"C:\Users\Admin\AppData\Local\Temp\6CE6.tmp"89⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\6D53.tmp"C:\Users\Admin\AppData\Local\Temp\6D53.tmp"90⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\6DD0.tmp"C:\Users\Admin\AppData\Local\Temp\6DD0.tmp"91⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\6E5D.tmp"C:\Users\Admin\AppData\Local\Temp\6E5D.tmp"92⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\6EE9.tmp"C:\Users\Admin\AppData\Local\Temp\6EE9.tmp"93⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\6F56.tmp"C:\Users\Admin\AppData\Local\Temp\6F56.tmp"94⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\6FD3.tmp"C:\Users\Admin\AppData\Local\Temp\6FD3.tmp"95⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\705F.tmp"C:\Users\Admin\AppData\Local\Temp\705F.tmp"96⤵PID:1352
-
C:\Users\Admin\AppData\Local\Temp\70CD.tmp"C:\Users\Admin\AppData\Local\Temp\70CD.tmp"97⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\713A.tmp"C:\Users\Admin\AppData\Local\Temp\713A.tmp"98⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\71A7.tmp"C:\Users\Admin\AppData\Local\Temp\71A7.tmp"99⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\7214.tmp"C:\Users\Admin\AppData\Local\Temp\7214.tmp"100⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\7281.tmp"C:\Users\Admin\AppData\Local\Temp\7281.tmp"101⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\72FE.tmp"C:\Users\Admin\AppData\Local\Temp\72FE.tmp"102⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\73E8.tmp"C:\Users\Admin\AppData\Local\Temp\73E8.tmp"103⤵PID:576
-
C:\Users\Admin\AppData\Local\Temp\7484.tmp"C:\Users\Admin\AppData\Local\Temp\7484.tmp"104⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\7501.tmp"C:\Users\Admin\AppData\Local\Temp\7501.tmp"105⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\758D.tmp"C:\Users\Admin\AppData\Local\Temp\758D.tmp"106⤵PID:1156
-
C:\Users\Admin\AppData\Local\Temp\75DB.tmp"C:\Users\Admin\AppData\Local\Temp\75DB.tmp"107⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\7639.tmp"C:\Users\Admin\AppData\Local\Temp\7639.tmp"108⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\76B6.tmp"C:\Users\Admin\AppData\Local\Temp\76B6.tmp"109⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\7742.tmp"C:\Users\Admin\AppData\Local\Temp\7742.tmp"110⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\77AF.tmp"C:\Users\Admin\AppData\Local\Temp\77AF.tmp"111⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\782C.tmp"C:\Users\Admin\AppData\Local\Temp\782C.tmp"112⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\78A9.tmp"C:\Users\Admin\AppData\Local\Temp\78A9.tmp"113⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\7935.tmp"C:\Users\Admin\AppData\Local\Temp\7935.tmp"114⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\79A3.tmp"C:\Users\Admin\AppData\Local\Temp\79A3.tmp"115⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\7A00.tmp"C:\Users\Admin\AppData\Local\Temp\7A00.tmp"116⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\7A6D.tmp"C:\Users\Admin\AppData\Local\Temp\7A6D.tmp"117⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\7AFA.tmp"C:\Users\Admin\AppData\Local\Temp\7AFA.tmp"118⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\7B77.tmp"C:\Users\Admin\AppData\Local\Temp\7B77.tmp"119⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\7BF3.tmp"C:\Users\Admin\AppData\Local\Temp\7BF3.tmp"120⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\7C80.tmp"C:\Users\Admin\AppData\Local\Temp\7C80.tmp"121⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\7D0C.tmp"C:\Users\Admin\AppData\Local\Temp\7D0C.tmp"122⤵PID:2196