Analysis

max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 13:49

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 2024-04-21_e415e1311d2cd25feb011cf3bc67894d_mafia.exe
Resource: win7-20240220-en (windows7-x64)
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 2024-04-21_e415e1311d2cd25feb011cf3bc67894d_mafia.exe
Resource: win10v2004-20240412-en (windows10-2004-x64)
2 signatures, 150 seconds

General

Target: 2024-04-21_e415e1311d2cd25feb011cf3bc67894d_mafia.exe
Size: 712KB
MD5: e415e1311d2cd25feb011cf3bc67894d
SHA1: 5675d879a5aa9dcd950de0951858b54f8390650c
SHA256: 8e753d20cc4a52c4393eaaa10a9d0c7d8e1dd3e890e464000754ab9131763457
SHA512: fed6dc8782cc0d63f9bc36588d68b01e5cbf6c00dadc2c17f874dda2add27e747a3987a86cb626b4947e2236741c7c3ba4fd8a8f8d8c4bf6a1192552bef59423
SSDEEP: 12288:FU5rCOTeiDc+GmCp9IrxB39xJbqZNZdCvq5TJLCvY90D8/LVBlVk736Y79GWzNbA:FUQOJD3GzpSXNGNnCvq5TJLCvY90D8/V
Score: 7/10
Malware Config
Signatures

Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree as reported by the sandbox: the leading number is the nesting depth (each process is spawned by the one above it), followed by the executed path, its PID and the signatures that fired for it.

1. C:\Users\Admin\AppData\Local\Temp\2024-04-21_e415e1311d2cd25feb011cf3bc67894d_mafia.exe (PID 2092): Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\17B5.tmp (PID 2580): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\1822.tmp (PID 2968): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\18BE.tmp (PID 2600): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Local\Temp\192C.tmp (PID 2556): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\19A8.tmp (PID 2712): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Local\Temp\1A25.tmp (PID 2560): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Local\Temp\1A73.tmp (PID 2940): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Users\Admin\AppData\Local\Temp\1AF0.tmp (PID 2512): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Users\Admin\AppData\Local\Temp\1B4E.tmp (PID 2432): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Users\Admin\AppData\Local\Temp\1BCA.tmp (PID 2900): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Users\Admin\AppData\Local\Temp\1C28.tmp (PID 2916): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Users\Admin\AppData\Local\Temp\1C95.tmp (PID 2576): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Users\Admin\AppData\Local\Temp\1D02.tmp (PID 2736): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Users\Admin\AppData\Local\Temp\1D70.tmp (PID 2800): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Users\Admin\AppData\Local\Temp\1DEC.tmp (PID 1508): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Users\Admin\AppData\Local\Temp\1E69.tmp (PID 1824): Executes dropped EXE; Loads dropped DLL
18. C:\Users\Admin\AppData\Local\Temp\1ED6.tmp (PID 1468): Executes dropped EXE; Loads dropped DLL
19. C:\Users\Admin\AppData\Local\Temp\1F44.tmp (PID 332): Executes dropped EXE; Loads dropped DLL
20. C:\Users\Admin\AppData\Local\Temp\1FB1.tmp (PID 2364): Executes dropped EXE; Loads dropped DLL
21. C:\Users\Admin\AppData\Local\Temp\201E.tmp (PID 2680): Executes dropped EXE; Loads dropped DLL
22. C:\Users\Admin\AppData\Local\Temp\208B.tmp (PID 492): Executes dropped EXE; Loads dropped DLL
23. C:\Users\Admin\AppData\Local\Temp\2108.tmp (PID 860): Executes dropped EXE; Loads dropped DLL
24. C:\Users\Admin\AppData\Local\Temp\2166.tmp (PID 2248): Executes dropped EXE; Loads dropped DLL
25. C:\Users\Admin\AppData\Local\Temp\21A4.tmp (PID 2220): Executes dropped EXE; Loads dropped DLL
26. C:\Users\Admin\AppData\Local\Temp\21E2.tmp (PID 1888): Executes dropped EXE; Loads dropped DLL
27. C:\Users\Admin\AppData\Local\Temp\2221.tmp (PID 2236): Executes dropped EXE; Loads dropped DLL
28. C:\Users\Admin\AppData\Local\Temp\225F.tmp (PID 2660): Executes dropped EXE; Loads dropped DLL
29. C:\Users\Admin\AppData\Local\Temp\229E.tmp (PID 2200): Executes dropped EXE; Loads dropped DLL
30. C:\Users\Admin\AppData\Local\Temp\22DC.tmp (PID 668): Executes dropped EXE; Loads dropped DLL
31. C:\Users\Admin\AppData\Local\Temp\231A.tmp (PID 984): Executes dropped EXE; Loads dropped DLL
32. C:\Users\Admin\AppData\Local\Temp\2359.tmp (PID 1072): Executes dropped EXE; Loads dropped DLL
33. C:\Users\Admin\AppData\Local\Temp\2397.tmp (PID 1416): Executes dropped EXE; Loads dropped DLL
34. C:\Users\Admin\AppData\Local\Temp\23D6.tmp (PID 1748): Executes dropped EXE; Loads dropped DLL
35. C:\Users\Admin\AppData\Local\Temp\2414.tmp (PID 1792): Executes dropped EXE; Loads dropped DLL
36. C:\Users\Admin\AppData\Local\Temp\2462.tmp (PID 2368): Executes dropped EXE; Loads dropped DLL
37. C:\Users\Admin\AppData\Local\Temp\24A0.tmp (PID 2976): Executes dropped EXE; Loads dropped DLL
38. C:\Users\Admin\AppData\Local\Temp\24DF.tmp (PID 1624): Executes dropped EXE; Loads dropped DLL
39. C:\Users\Admin\AppData\Local\Temp\251D.tmp (PID 1112): Executes dropped EXE; Loads dropped DLL
40. C:\Users\Admin\AppData\Local\Temp\256B.tmp (PID 3000): Executes dropped EXE; Loads dropped DLL
41. C:\Users\Admin\AppData\Local\Temp\25AA.tmp (PID 1896): Executes dropped EXE; Loads dropped DLL
42. C:\Users\Admin\AppData\Local\Temp\25E8.tmp (PID 1488): Executes dropped EXE; Loads dropped DLL
43. C:\Users\Admin\AppData\Local\Temp\2626.tmp (PID 964): Executes dropped EXE; Loads dropped DLL
44. C:\Users\Admin\AppData\Local\Temp\2674.tmp (PID 1840): Executes dropped EXE; Loads dropped DLL
45. C:\Users\Admin\AppData\Local\Temp\26B3.tmp (PID 1292): Executes dropped EXE; Loads dropped DLL
46. C:\Users\Admin\AppData\Local\Temp\26F1.tmp (PID 752): Executes dropped EXE; Loads dropped DLL
47. C:\Users\Admin\AppData\Local\Temp\2730.tmp (PID 768): Executes dropped EXE; Loads dropped DLL
48. C:\Users\Admin\AppData\Local\Temp\277E.tmp (PID 2948): Executes dropped EXE; Loads dropped DLL
49. C:\Users\Admin\AppData\Local\Temp\27BC.tmp (PID 2856): Executes dropped EXE; Loads dropped DLL
50. C:\Users\Admin\AppData\Local\Temp\27FA.tmp (PID 976): Executes dropped EXE; Loads dropped DLL
51. C:\Users\Admin\AppData\Local\Temp\2839.tmp (PID 1724): Executes dropped EXE; Loads dropped DLL
52. C:\Users\Admin\AppData\Local\Temp\2877.tmp (PID 1656): Executes dropped EXE; Loads dropped DLL
53. C:\Users\Admin\AppData\Local\Temp\28B6.tmp (PID 1728): Executes dropped EXE; Loads dropped DLL
54. C:\Users\Admin\AppData\Local\Temp\28F4.tmp (PID 2936): Executes dropped EXE; Loads dropped DLL
55. C:\Users\Admin\AppData\Local\Temp\2942.tmp (PID 1940): Executes dropped EXE; Loads dropped DLL
56. C:\Users\Admin\AppData\Local\Temp\2980.tmp (PID 1548): Executes dropped EXE; Loads dropped DLL
57. C:\Users\Admin\AppData\Local\Temp\29BF.tmp (PID 2732): Executes dropped EXE; Loads dropped DLL
58. C:\Users\Admin\AppData\Local\Temp\29FD.tmp (PID 2804): Executes dropped EXE; Loads dropped DLL
59. C:\Users\Admin\AppData\Local\Temp\2A3C.tmp (PID 2528): Executes dropped EXE; Loads dropped DLL
60. C:\Users\Admin\AppData\Local\Temp\2A8A.tmp (PID 2596): Executes dropped EXE; Loads dropped DLL
61. C:\Users\Admin\AppData\Local\Temp\2AC8.tmp (PID 2552): Executes dropped EXE; Loads dropped DLL
62. C:\Users\Admin\AppData\Local\Temp\2B06.tmp (PID 2600): Executes dropped EXE; Loads dropped DLL
63. C:\Users\Admin\AppData\Local\Temp\2B45.tmp (PID 2720): Executes dropped EXE; Loads dropped DLL
64. C:\Users\Admin\AppData\Local\Temp\2B83.tmp (PID 1992): Executes dropped EXE; Loads dropped DLL
65. C:\Users\Admin\AppData\Local\Temp\2BD1.tmp (PID 2712): Executes dropped EXE
66. C:\Users\Admin\AppData\Local\Temp\2C1F.tmp (PID 2752): no signatures
67. C:\Users\Admin\AppData\Local\Temp\2C5E.tmp (PID 2572): no signatures
68. C:\Users\Admin\AppData\Local\Temp\2C9C.tmp (PID 2404): no signatures
69. C:\Users\Admin\AppData\Local\Temp\2CDA.tmp (PID 2416): no signatures
70. C:\Users\Admin\AppData\Local\Temp\2D19.tmp (PID 2464): no signatures
71. C:\Users\Admin\AppData\Local\Temp\2D57.tmp (PID 1984): no signatures
72. C:\Users\Admin\AppData\Local\Temp\2D96.tmp (PID 2036): no signatures
73. C:\Users\Admin\AppData\Local\Temp\2DD4.tmp (PID 284): no signatures
74. C:\Users\Admin\AppData\Local\Temp\2E12.tmp (PID 2628): no signatures
75. C:\Users\Admin\AppData\Local\Temp\2E51.tmp (PID 2488): no signatures
76. C:\Users\Admin\AppData\Local\Temp\2E9F.tmp (PID 2784): no signatures
77. C:\Users\Admin\AppData\Local\Temp\2EED.tmp (PID 1608): no signatures
78. C:\Users\Admin\AppData\Local\Temp\2F2B.tmp (PID 2772): no signatures
79. C:\Users\Admin\AppData\Local\Temp\2F6A.tmp (PID 1552): no signatures
80. C:\Users\Admin\AppData\Local\Temp\2FA8.tmp (PID 2296): no signatures
81. C:\Users\Admin\AppData\Local\Temp\2FF6.tmp (PID 1008): no signatures
82. C:\Users\Admin\AppData\Local\Temp\3034.tmp (PID 1688): no signatures
83. C:\Users\Admin\AppData\Local\Temp\3073.tmp (PID 1760): no signatures
84. C:\Users\Admin\AppData\Local\Temp\30C1.tmp (PID 1452): no signatures
85. C:\Users\Admin\AppData\Local\Temp\30FF.tmp (PID 1384): no signatures
86. C:\Users\Admin\AppData\Local\Temp\314D.tmp (PID 112): no signatures
87. C:\Users\Admin\AppData\Local\Temp\318C.tmp (PID 1336): no signatures
88. C:\Users\Admin\AppData\Local\Temp\31CA.tmp (PID 1356): no signatures
89. C:\Users\Admin\AppData\Local\Temp\3208.tmp (PID 1648): no signatures
90. C:\Users\Admin\AppData\Local\Temp\3247.tmp (PID 1212): no signatures
91. C:\Users\Admin\AppData\Local\Temp\3285.tmp (PID 2028): no signatures
92. C:\Users\Admin\AppData\Local\Temp\32C4.tmp (PID 2212): no signatures
93. C:\Users\Admin\AppData\Local\Temp\3302.tmp (PID 2196): no signatures
94. C:\Users\Admin\AppData\Local\Temp\3340.tmp (PID 1952): no signatures
95. C:\Users\Admin\AppData\Local\Temp\337F.tmp (PID 2660): no signatures
96. C:\Users\Admin\AppData\Local\Temp\33BD.tmp (PID 2088): no signatures
97. C:\Users\Admin\AppData\Local\Temp\33FC.tmp (PID 668): no signatures
98. C:\Users\Admin\AppData\Local\Temp\343A.tmp (PID 984): no signatures
99. C:\Users\Admin\AppData\Local\Temp\3478.tmp (PID 1072): no signatures
100. C:\Users\Admin\AppData\Local\Temp\34B7.tmp (PID 1416): no signatures
101. C:\Users\Admin\AppData\Local\Temp\3562.tmp (PID 1748): no signatures
102. C:\Users\Admin\AppData\Local\Temp\35A1.tmp (PID 2024): no signatures
103. C:\Users\Admin\AppData\Local\Temp\35DF.tmp (PID 632): no signatures
104. C:\Users\Admin\AppData\Local\Temp\361E.tmp (PID 2976): no signatures
105. C:\Users\Admin\AppData\Local\Temp\365C.tmp (PID 2876): no signatures
106. C:\Users\Admin\AppData\Local\Temp\369A.tmp (PID 1112): no signatures
107. C:\Users\Admin\AppData\Local\Temp\36D9.tmp (PID 3000): no signatures
108. C:\Users\Admin\AppData\Local\Temp\3717.tmp (PID 1896): no signatures
109. C:\Users\Admin\AppData\Local\Temp\3756.tmp (PID 1488): no signatures
110. C:\Users\Admin\AppData\Local\Temp\3794.tmp (PID 964): no signatures
111. C:\Users\Admin\AppData\Local\Temp\37D2.tmp (PID 1840): no signatures
112. C:\Users\Admin\AppData\Local\Temp\3811.tmp (PID 1580): no signatures
113. C:\Users\Admin\AppData\Local\Temp\384F.tmp (PID 752): no signatures
114. C:\Users\Admin\AppData\Local\Temp\389D.tmp (PID 1976): no signatures
115. C:\Users\Admin\AppData\Local\Temp\38DC.tmp (PID 2948): no signatures
116. C:\Users\Admin\AppData\Local\Temp\391A.tmp (PID 3004): no signatures
117. C:\Users\Admin\AppData\Local\Temp\3958.tmp (PID 1988): no signatures
118. C:\Users\Admin\AppData\Local\Temp\3997.tmp (PID 3052): no signatures
119. C:\Users\Admin\AppData\Local\Temp\39D5.tmp (PID 1656): no signatures
120. C:\Users\Admin\AppData\Local\Temp\3A14.tmp (PID 1892): no signatures
121. C:\Users\Admin\AppData\Local\Temp\3A52.tmp (PID 1660): no signatures
122. C:\Users\Admin\AppData\Local\Temp\3A90.tmp (PID 1940): no signatures