Analysis

max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 11:59

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
Resource: win7-20240215-en
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
Resource: win10v2004-20240426-en
2 signatures, 150 seconds

The signatures and process tree on this page are from the behavioral1 run (platform windows7_x64, resource win7-20240215-en); the behavioral2 results are not shown here.
General

Target: 2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
Size: 488KB
MD5: d3e1a9168a025fbcf6e139cca0e0b55b
SHA1: 2fbd4bd20dde86667a58724546611f1a556fa646
SHA256: e0b81eee4c54b7a6acd4ceb10a12506dca4c6b38d7408182d10d3e1a5cf9b970
SHA512: 0689031eb2a50270bf73b16f5d0c08a9f69c0acbe2a423d64dbe741b303df66ccb10810c6a199a7465c9a43cb0e74d4d84ad28ad28641489b78c29c185e44045
SSDEEP: 12288:/U5rCOTeiDIv4BTtHTrkB6tGygfLCyiBRFNZ:/UQOJDIgtJtGygf2yiB3N
Score: 7/10

The file name embeds the submission date and the sample's MD5 (d3e1a9168a025fbcf6e139cca0e0b55b matches the MD5 above); pivot on the SHA256 rather than the name when searching other sources.
Malware Config
(no extracted configuration is listed on this page)

Signatures
Executes dropped EXE (64 IoCs; the IoC lists are capped at 64 entries, and the process tree below continues well past this point)

pid   Process
1716  934.tmp
2564  992.tmp
2720  9F0.tmp
2544  A5D.tmp
2628  ACA.tmp
2792  B28.tmp
2600  B85.tmp
2440  BF2.tmp
2512  C60.tmp
2944  CCD.tmp
1892  D69.tmp
2692  DD6.tmp
2784  E24.tmp
2908  E91.tmp
824   EFE.tmp
1600  F7B.tmp
2316  1008.tmp
2148  1075.tmp
1368  10D2.tmp
2140  1130.tmp
1252  11BC.tmp
2532  1249.tmp
2960  12A6.tmp
1736  12E5.tmp
1976  1333.tmp
1964  1371.tmp
1992  13BF.tmp
540   140D.tmp
944   145B.tmp
2852  14A9.tmp
588   14E8.tmp
564   1526.tmp
1020  1574.tmp
1996  15C2.tmp
1708  1610.tmp
1036  165E.tmp
452   16AC.tmp
1924  16EA.tmp
3020  1729.tmp
1288  1767.tmp
1048  17B5.tmp
1556  1803.tmp
1272  1851.tmp
2292  189F.tmp
864   18ED.tmp
2252  193B.tmp
2984  1989.tmp
2284  19C8.tmp
2204  1A06.tmp
1040  1A54.tmp
1604  1AA2.tmp
2988  1AE0.tmp
1484  1B2E.tmp
2824  1B6D.tmp
2740  1BBB.tmp
1664  1C09.tmp
2364  1C57.tmp
3068  1CA5.tmp
2656  1CF3.tmp
2704  1D41.tmp
2592  1D7F.tmp
1944  1DBE.tmp
2444  1E0C.tmp
2628  1E5A.tmp

Note the reused PIDs: 2364 is the original sample's PID and reappears for 1C57.tmp, and 2628 appears for both ACA.tmp and 1E5A.tmp. The OS recycled those PIDs during the run, so earlier stages had already exited; correlate events by PID plus image path or creation time, not by PID alone.
Loads dropped DLL (64 IoCs)

pid   Process
2364  2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
followed by the first 63 pid/Process pairs of the Executes dropped EXE list, from 1716 934.tmp through 2444 1E0C.tmp: every stage inside the 64-entry cap, including the original sample, loaded a dropped DLL.
Suspicious use of WriteProcessMemory (64 IoCs; each write is recorded four times, so the 64 entries describe 16 distinct parent-to-child writes, each parent writing only into the process it spawned. procid_target is the sandbox's own index for the target process, not its PID.)

writer pid  writer Process                                          target pid  procid_target
2364        2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe  1716        28
1716        934.tmp                                                 2564        29
2564        992.tmp                                                 2720        30
2720        9F0.tmp                                                 2544        31
2544        A5D.tmp                                                 2628        32
2628        ACA.tmp                                                 2792        33
2792        B28.tmp                                                 2600        34
2600        B85.tmp                                                 2440        35
2440        BF2.tmp                                                 2512        36
2512        C60.tmp                                                 2944        37
2944        CCD.tmp                                                 1892        38
1892        D69.tmp                                                 2692        39
2692        DD6.tmp                                                 2784        40
2784        E24.tmp                                                 2908        41
2908        E91.tmp                                                 824         42
824         EFE.tmp                                                 1600        43
Processes

All 122 processes run from C:\Users\Admin\AppData\Local\Temp\. Each is launched with its own quoted path as the entire command line (no arguments), and each spawns exactly one child, so the tree is a single chain 122 levels deep. The dropped files are named <hex>.tmp with a value that rises stage by stage (934, 992, 9F0, ...), consistent with names produced by GetTempFileName. PIDs 2364, 2628, 2316, 1252 and 2204 each appear twice in the chain (depths 1/58, 6/65, 18/83, 22/89 and 50/117), so those earlier stages had exited by the time the later ones were created.

Signature tags by depth: depth 1: Loads dropped DLL, Suspicious use of WriteProcessMemory; depths 2 to 16: Executes dropped EXE, Loads dropped DLL, Suspicious use of WriteProcessMemory; depths 17 to 64: Executes dropped EXE, Loads dropped DLL; depth 65: Executes dropped EXE; depths 66 to 122: none. The tags stop exactly where each 64-entry IoC list above ends, so the untagged stages are a reporting cap, not a change in behaviour.

depth  PID   image
1      2364  2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
2      1716  934.tmp
3      2564  992.tmp
4      2720  9F0.tmp
5      2544  A5D.tmp
6      2628  ACA.tmp
7      2792  B28.tmp
8      2600  B85.tmp
9      2440  BF2.tmp
10     2512  C60.tmp
11     2944  CCD.tmp
12     1892  D69.tmp
13     2692  DD6.tmp
14     2784  E24.tmp
15     2908  E91.tmp
16     824   EFE.tmp
17     1600  F7B.tmp
18     2316  1008.tmp
19     2148  1075.tmp
20     1368  10D2.tmp
21     2140  1130.tmp
22     1252  11BC.tmp
23     2532  1249.tmp
24     2960  12A6.tmp
25     1736  12E5.tmp
26     1976  1333.tmp
27     1964  1371.tmp
28     1992  13BF.tmp
29     540   140D.tmp
30     944   145B.tmp
31     2852  14A9.tmp
32     588   14E8.tmp
33     564   1526.tmp
34     1020  1574.tmp
35     1996  15C2.tmp
36     1708  1610.tmp
37     1036  165E.tmp
38     452   16AC.tmp
39     1924  16EA.tmp
40     3020  1729.tmp
41     1288  1767.tmp
42     1048  17B5.tmp
43     1556  1803.tmp
44     1272  1851.tmp
45     2292  189F.tmp
46     864   18ED.tmp
47     2252  193B.tmp
48     2984  1989.tmp
49     2284  19C8.tmp
50     2204  1A06.tmp
51     1040  1A54.tmp
52     1604  1AA2.tmp
53     2988  1AE0.tmp
54     1484  1B2E.tmp
55     2824  1B6D.tmp
56     2740  1BBB.tmp
57     1664  1C09.tmp
58     2364  1C57.tmp
59     3068  1CA5.tmp
60     2656  1CF3.tmp
61     2704  1D41.tmp
62     2592  1D7F.tmp
63     1944  1DBE.tmp
64     2444  1E0C.tmp
65     2628  1E5A.tmp
66     2572  1EA8.tmp
67     2184  1EE6.tmp
68     2608  1F44.tmp
69     2508  1F92.tmp
70     2940  1FE0.tmp
71     2556  202E.tmp
72     1804  206C.tmp
73     1764  20BA.tmp
74     2760  2108.tmp
75     2756  2146.tmp
76     2620  2185.tmp
77     1500  21C3.tmp
78     2924  2211.tmp
79     1584  2250.tmp
80     1608  228E.tmp
81     2016  22DC.tmp
82     1880  231A.tmp
83     2316  2368.tmp
84     2412  23B6.tmp
85     2424  2404.tmp
86     1688  2452.tmp
87     840   2491.tmp
88     1192  24DF.tmp
89     1252  252D.tmp
90     2064  257B.tmp
91     1968  25B9.tmp
92     2420  2607.tmp
93     2044  2655.tmp
94     2012  2694.tmp
95     488   26E2.tmp
96     772   2720.tmp
97     756   276E.tmp
98     1428  27AC.tmp
99     1812  27FA.tmp
100    1732  2848.tmp
101    1056  2887.tmp
102    2408  28D5.tmp
103    1692  2913.tmp
104    984   2952.tmp
105    1988  2990.tmp
106    968   29CE.tmp
107    1476  2A1C.tmp
108    1300  2A5B.tmp
109    1560  2AA9.tmp
110    752   2AE7.tmp
111    500   2B35.tmp
112    3004  2B83.tmp
113    2052  2BD1.tmp
114    2888  2C1F.tmp
115    2904  2C5E.tmp
116    2884  2CAC.tmp
117    2204  2CEA.tmp
118    352   2D28.tmp
119    2516  2D67.tmp
120    2280  2DA5.tmp
121    2328  2DF3.tmp
122    472   2E41.tmp
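The chain above can be cross-checked mechanically rather than by eye. The Python below is an added example; it is not part of the report or of the sandbox's own tooling, and its function names are its own. It works on constructed excerpts of the two IoC lists (a handful of entries copied from the report, not all 122): it dedupes the fourfold WriteProcessMemory entries, follows the writer-to-target edges to rebuild the chain, confirms that every write lands in a process later recorded as an executed dropped EXE, flags PIDs the OS recycled during the run, and checks that the <hex>.tmp names rise monotonically. The remark that monotonic hex names are what GetTempFileName produces is an inference, not something the report states.

```python
"""Reconstruct the dropper chain from the sandbox report's IoC text.
Added example, not part of the report or the sandbox's own tooling. The input
strings are excerpts constructed from the report above (a few entries, not all
122); the function names are this example's own."""
import re

MAFIA = "2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe"

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" IoC text.
# The report lists every write four times, so the parser has to dedupe.
WPM_TEXT = " ".join(line for line in (
    f"PID 2364 wrote to memory of 1716 2364 {MAFIA} 28",
    "PID 1716 wrote to memory of 2564 1716 934.tmp 29",
    "PID 2564 wrote to memory of 2720 2564 992.tmp 30",
) for _ in range(4))

# Constructed excerpt of the "Executes dropped EXE" pid/Process list, with the
# root prepended and two later entries whose PIDs the OS had already recycled.
EXEC_TEXT = (
    f"2364 {MAFIA} 1716 934.tmp 2564 992.tmp 2720 9F0.tmp 2544 A5D.tmp "
    "2628 ACA.tmp 2364 1C57.tmp 2628 1E5A.tmp"
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
PAIR_RE = re.compile(r"(\d+) (\S+)")
HEX_TMP_RE = re.compile(r"^([0-9A-F]{1,8})\.tmp$")


def parse_writes(text):
    """Distinct (writer_pid, target_pid, writer_image) triples, in report order."""
    seen = {}
    for m in WRITE_RE.finditer(text):
        seen.setdefault((int(m.group(1)), int(m.group(2)), m.group(3)), None)
    return list(seen)


def parse_pid_process(text):
    """(pid, image) pairs from a flattened 'pid Process' IoC list."""
    return [(int(p), img) for p, img in PAIR_RE.findall(text)]


def follow_chain(writes, root_pid):
    """Walk writer->target edges from the root. Returns (chain, branched): the
    ordered PID list and whether any process wrote into more than one target."""
    targets = {}
    for src, dst, _ in writes:
        targets.setdefault(src, []).append(dst)
    chain, cur, branched = [root_pid], root_pid, False
    while cur in targets:
        branched = branched or len(targets[cur]) > 1
        cur = targets[cur][0]
        if cur in chain:  # a recycled PID would otherwise loop forever
            break
        chain.append(cur)
    return chain, branched


def pid_reuse(pairs):
    """PIDs recorded with more than one image: the OS recycled them during the
    run, so PID alone is not a stable join key for these events."""
    by_pid = {}
    for pid, img in pairs:
        imgs = by_pid.setdefault(pid, [])
        if img not in imgs:
            imgs.append(img)
    return {pid: imgs for pid, imgs in by_pid.items() if len(imgs) > 1}


def hex_tmp_sequence(pairs):
    """The <hex>.tmp names as integers, and whether they strictly increase (the
    pattern a counter-based generator such as GetTempFileName produces)."""
    values = [int(m.group(1), 16) for _, img in pairs if (m := HEX_TMP_RE.match(img))]
    return values, all(a < b for a, b in zip(values, values[1:]))


def summarize(wpm_text, exec_text, root_pid):
    """Cross-check the WriteProcessMemory list against the dropped-EXE list."""
    writes = parse_writes(wpm_text)
    pairs = parse_pid_process(exec_text)
    known = set(pairs)                      # (pid, image) pairs that ran
    known_pids = {pid for pid, _ in pairs}
    chain, branched = follow_chain(writes, root_pid)
    values, increasing = hex_tmp_sequence(pairs)
    return {
        "distinct_writes": len(writes),
        "chain": chain,
        "branched": branched,
        # each write comes from a known image and lands in a process that is
        # itself recorded as an executed dropped EXE
        "writes_match_spawns": all(
            (src, src_img) in known and dst in known_pids
            for src, dst, src_img in writes
        ),
        "pid_reuse": pid_reuse(pairs),
        "hex_tmp_count": len(values),
        "hex_tmp_increasing": increasing,
    }


if __name__ == "__main__":
    for key, value in summarize(WPM_TEXT, EXEC_TEXT, 2364).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the excerpt; paste the full IoC text from the report into WPM_TEXT and EXEC_TEXT to check the whole run. A `branched` result of True, or a write whose target never appears as an executed dropped EXE, would mean the chain is not the simple one-child-per-stage sequence this report shows and deserves a closer look.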