Analysis
-
max time kernel
124s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/06/2024, 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe
-
Size
520KB
-
MD5
521c968a6f05554793686458f35d38e7
-
SHA1
4198e10cdf08c5cb4156d7cb49f2bc85f7c4ac60
-
SHA256
95ed89688f64074763108d44a14e969b02692dce3ab783be6d40772e1315ffdb
-
SHA512
c14a8d77a9ebbaace917f689dadb17581429a6789b8fd673d30113874909eed39a8163163898b89443c07bba9557abe1eea5bf0cb635dc8518cb7236d350ee09
-
SSDEEP
12288:roRXOQjmOytwBxn75l07O65HZIT9czSbICNZ:rogQ9ytwXE95Zo+SsCN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 880 1AF0.tmp 2180 1B3E.tmp 1504 1B8C.tmp 1700 1BDA.tmp 3060 1C18.tmp 2644 1C66.tmp 2588 1CB4.tmp 2728 1D02.tmp 2552 1D50.tmp 2812 1D8F.tmp 2548 1DDD.tmp 2448 1E2B.tmp 3020 1E69.tmp 2992 1EB7.tmp 2804 1EF6.tmp 2740 1F34.tmp 1996 1F82.tmp 1428 1FD0.tmp 1812 200E.tmp 1808 205C.tmp 2976 20AA.tmp 2176 20F8.tmp 1244 2146.tmp 1252 2185.tmp 2100 21C3.tmp 2308 2202.tmp 1724 2240.tmp 1944 227E.tmp 2332 22BD.tmp 2388 22FB.tmp 2096 233A.tmp 776 2378.tmp 1712 23B6.tmp 1088 23F5.tmp 1852 2433.tmp 2924 2472.tmp 2396 24B0.tmp 944 24EE.tmp 1108 253C.tmp 2872 257B.tmp 676 25B9.tmp 1644 25F8.tmp 1328 2646.tmp 2868 2684.tmp 812 26C2.tmp 1040 2701.tmp 912 273F.tmp 2276 277E.tmp 2996 27AC.tmp 1744 27EB.tmp 2148 2829.tmp 2836 2868.tmp 3036 28A6.tmp 1660 28E4.tmp 2036 2913.tmp 1580 2961.tmp 2732 29A0.tmp 2324 29DE.tmp 2220 2A1C.tmp 2828 2A5B.tmp 1044 2A99.tmp 2656 2AD8.tmp 2540 2B16.tmp 2436 2B54.tmp -
Loads dropped DLL 64 IoCs
pid Process 2512 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 880 1AF0.tmp 2180 1B3E.tmp 1504 1B8C.tmp 1700 1BDA.tmp 3060 1C18.tmp 2644 1C66.tmp 2588 1CB4.tmp 2728 1D02.tmp 2552 1D50.tmp 2812 1D8F.tmp 2548 1DDD.tmp 2448 1E2B.tmp 3020 1E69.tmp 2992 1EB7.tmp 2804 1EF6.tmp 2740 1F34.tmp 1996 1F82.tmp 1428 1FD0.tmp 1812 200E.tmp 1808 205C.tmp 2976 20AA.tmp 2176 20F8.tmp 1244 2146.tmp 1252 2185.tmp 2100 21C3.tmp 2308 2202.tmp 1724 2240.tmp 1944 227E.tmp 2332 22BD.tmp 2388 22FB.tmp 2096 233A.tmp 776 2378.tmp 1712 23B6.tmp 1088 23F5.tmp 1852 2433.tmp 2924 2472.tmp 2396 24B0.tmp 944 24EE.tmp 1108 253C.tmp 2872 257B.tmp 676 25B9.tmp 1644 25F8.tmp 1328 2646.tmp 2868 2684.tmp 812 26C2.tmp 1040 2701.tmp 912 273F.tmp 2276 277E.tmp 2996 27AC.tmp 1744 27EB.tmp 2148 2829.tmp 2836 2868.tmp 3036 28A6.tmp 1660 28E4.tmp 2036 2913.tmp 1580 2961.tmp 2732 29A0.tmp 2324 29DE.tmp 2220 2A1C.tmp 2828 2A5B.tmp 1044 2A99.tmp 2656 2AD8.tmp 2540 2B16.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2512 wrote to memory of 880 2512 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 28 PID 2512 wrote to memory of 880 2512 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 28 PID 2512 wrote to memory of 880 2512 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 28 PID 2512 wrote to memory of 880 2512 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 28 PID 880 wrote to memory of 2180 880 1AF0.tmp 29 PID 880 wrote to memory of 2180 880 1AF0.tmp 29 PID 880 wrote to memory of 2180 880 1AF0.tmp 29 PID 880 wrote to memory of 2180 880 1AF0.tmp 29 PID 2180 wrote to memory of 1504 2180 1B3E.tmp 30 PID 2180 wrote to memory of 1504 2180 1B3E.tmp 30 PID 2180 wrote to memory of 1504 2180 1B3E.tmp 30 PID 2180 wrote to memory of 1504 2180 1B3E.tmp 30 PID 1504 wrote to memory of 1700 1504 1B8C.tmp 31 PID 1504 wrote to memory of 1700 1504 1B8C.tmp 31 PID 1504 wrote to memory of 1700 1504 1B8C.tmp 31 PID 1504 wrote to memory of 1700 1504 1B8C.tmp 31 PID 1700 wrote to memory of 3060 1700 1BDA.tmp 32 PID 1700 wrote to memory of 3060 1700 1BDA.tmp 32 PID 1700 wrote to memory of 3060 1700 1BDA.tmp 32 PID 1700 wrote to memory of 3060 1700 1BDA.tmp 32 PID 3060 wrote to memory of 2644 3060 1C18.tmp 33 PID 3060 wrote to memory of 2644 3060 1C18.tmp 33 PID 3060 wrote to memory of 2644 3060 1C18.tmp 33 PID 3060 wrote to memory of 2644 3060 1C18.tmp 33 PID 2644 wrote to memory of 2588 2644 1C66.tmp 34 PID 2644 wrote to memory of 2588 2644 1C66.tmp 34 PID 2644 wrote to memory of 2588 2644 1C66.tmp 34 PID 2644 wrote to memory of 2588 2644 1C66.tmp 34 PID 2588 wrote to memory of 2728 2588 1CB4.tmp 35 PID 2588 wrote to memory of 2728 2588 1CB4.tmp 35 PID 2588 wrote to memory of 2728 2588 1CB4.tmp 35 PID 2588 wrote to memory of 2728 2588 1CB4.tmp 35 PID 2728 wrote to memory of 2552 2728 1D02.tmp 36 PID 2728 wrote to memory of 2552 2728 1D02.tmp 36 PID 2728 wrote to memory of 2552 2728 1D02.tmp 36 PID 2728 wrote to memory of 2552 2728 1D02.tmp 36 PID 2552 wrote to memory of 2812 2552 1D50.tmp 37 PID 2552 wrote to memory of 2812 2552 1D50.tmp 37 PID 2552 wrote to memory of 2812 2552 1D50.tmp 37 PID 2552 wrote to memory of 2812 2552 1D50.tmp 37 PID 2812 wrote to memory of 2548 2812 1D8F.tmp 38 PID 2812 wrote to memory of 2548 2812 1D8F.tmp 38 PID 2812 wrote to memory of 2548 2812 1D8F.tmp 38 PID 2812 wrote to memory of 2548 2812 1D8F.tmp 38 PID 2548 wrote to memory of 2448 2548 1DDD.tmp 39 PID 2548 wrote to memory of 2448 2548 1DDD.tmp 39 PID 2548 wrote to memory of 2448 2548 1DDD.tmp 39 PID 2548 wrote to memory of 2448 2548 1DDD.tmp 39 PID 2448 wrote to memory of 3020 2448 1E2B.tmp 40 PID 2448 wrote to memory of 3020 2448 1E2B.tmp 40 PID 2448 wrote to memory of 3020 2448 1E2B.tmp 40 PID 2448 wrote to memory of 3020 2448 1E2B.tmp 40 PID 3020 wrote to memory of 2992 3020 1E69.tmp 41 PID 3020 wrote to memory of 2992 3020 1E69.tmp 41 PID 3020 wrote to memory of 2992 3020 1E69.tmp 41 PID 3020 wrote to memory of 2992 3020 1E69.tmp 41 PID 2992 wrote to memory of 2804 2992 1EB7.tmp 42 PID 2992 wrote to memory of 2804 2992 1EB7.tmp 42 PID 2992 wrote to memory of 2804 2992 1EB7.tmp 42 PID 2992 wrote to memory of 2804 2992 1EB7.tmp 42 PID 2804 wrote to memory of 2740 2804 1EF6.tmp 43 PID 2804 wrote to memory of 2740 2804 1EF6.tmp 43 PID 2804 wrote to memory of 2740 2804 1EF6.tmp 43 PID 2804 wrote to memory of 2740 2804 1EF6.tmp 43
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp"C:\Users\Admin\AppData\Local\Temp\1AF0.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\1B3E.tmp"C:\Users\Admin\AppData\Local\Temp\1B3E.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\1B8C.tmp"C:\Users\Admin\AppData\Local\Temp\1B8C.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\1BDA.tmp"C:\Users\Admin\AppData\Local\Temp\1BDA.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\1C18.tmp"C:\Users\Admin\AppData\Local\Temp\1C18.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\1C66.tmp"C:\Users\Admin\AppData\Local\Temp\1C66.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\1CB4.tmp"C:\Users\Admin\AppData\Local\Temp\1CB4.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\1D02.tmp"C:\Users\Admin\AppData\Local\Temp\1D02.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\1D50.tmp"C:\Users\Admin\AppData\Local\Temp\1D50.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\1D8F.tmp"C:\Users\Admin\AppData\Local\Temp\1D8F.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\1DDD.tmp"C:\Users\Admin\AppData\Local\Temp\1DDD.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\1E2B.tmp"C:\Users\Admin\AppData\Local\Temp\1E2B.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\1E69.tmp"C:\Users\Admin\AppData\Local\Temp\1E69.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\1EB7.tmp"C:\Users\Admin\AppData\Local\Temp\1EB7.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\1EF6.tmp"C:\Users\Admin\AppData\Local\Temp\1EF6.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\1F34.tmp"C:\Users\Admin\AppData\Local\Temp\1F34.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\1F82.tmp"C:\Users\Admin\AppData\Local\Temp\1F82.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\1FD0.tmp"C:\Users\Admin\AppData\Local\Temp\1FD0.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\200E.tmp"C:\Users\Admin\AppData\Local\Temp\200E.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\205C.tmp"C:\Users\Admin\AppData\Local\Temp\205C.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\20AA.tmp"C:\Users\Admin\AppData\Local\Temp\20AA.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\20F8.tmp"C:\Users\Admin\AppData\Local\Temp\20F8.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\2146.tmp"C:\Users\Admin\AppData\Local\Temp\2146.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\2185.tmp"C:\Users\Admin\AppData\Local\Temp\2185.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\21C3.tmp"C:\Users\Admin\AppData\Local\Temp\21C3.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\2202.tmp"C:\Users\Admin\AppData\Local\Temp\2202.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\2240.tmp"C:\Users\Admin\AppData\Local\Temp\2240.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\227E.tmp"C:\Users\Admin\AppData\Local\Temp\227E.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\22BD.tmp"C:\Users\Admin\AppData\Local\Temp\22BD.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\22FB.tmp"C:\Users\Admin\AppData\Local\Temp\22FB.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\233A.tmp"C:\Users\Admin\AppData\Local\Temp\233A.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\2378.tmp"C:\Users\Admin\AppData\Local\Temp\2378.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Users\Admin\AppData\Local\Temp\23B6.tmp"C:\Users\Admin\AppData\Local\Temp\23B6.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\23F5.tmp"C:\Users\Admin\AppData\Local\Temp\23F5.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\2433.tmp"C:\Users\Admin\AppData\Local\Temp\2433.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\2472.tmp"C:\Users\Admin\AppData\Local\Temp\2472.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\24B0.tmp"C:\Users\Admin\AppData\Local\Temp\24B0.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\24EE.tmp"C:\Users\Admin\AppData\Local\Temp\24EE.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Users\Admin\AppData\Local\Temp\253C.tmp"C:\Users\Admin\AppData\Local\Temp\253C.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\257B.tmp"C:\Users\Admin\AppData\Local\Temp\257B.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\25B9.tmp"C:\Users\Admin\AppData\Local\Temp\25B9.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Users\Admin\AppData\Local\Temp\25F8.tmp"C:\Users\Admin\AppData\Local\Temp\25F8.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\2646.tmp"C:\Users\Admin\AppData\Local\Temp\2646.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\2684.tmp"C:\Users\Admin\AppData\Local\Temp\2684.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\26C2.tmp"C:\Users\Admin\AppData\Local\Temp\26C2.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Users\Admin\AppData\Local\Temp\2701.tmp"C:\Users\Admin\AppData\Local\Temp\2701.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\273F.tmp"C:\Users\Admin\AppData\Local\Temp\273F.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Users\Admin\AppData\Local\Temp\277E.tmp"C:\Users\Admin\AppData\Local\Temp\277E.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\27AC.tmp"C:\Users\Admin\AppData\Local\Temp\27AC.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\27EB.tmp"C:\Users\Admin\AppData\Local\Temp\27EB.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\2829.tmp"C:\Users\Admin\AppData\Local\Temp\2829.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\2868.tmp"C:\Users\Admin\AppData\Local\Temp\2868.tmp"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\28A6.tmp"C:\Users\Admin\AppData\Local\Temp\28A6.tmp"54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\28E4.tmp"C:\Users\Admin\AppData\Local\Temp\28E4.tmp"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\2913.tmp"C:\Users\Admin\AppData\Local\Temp\2913.tmp"56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\2961.tmp"C:\Users\Admin\AppData\Local\Temp\2961.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\29A0.tmp"C:\Users\Admin\AppData\Local\Temp\29A0.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\29DE.tmp"C:\Users\Admin\AppData\Local\Temp\29DE.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\2A1C.tmp"C:\Users\Admin\AppData\Local\Temp\2A1C.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\2A5B.tmp"C:\Users\Admin\AppData\Local\Temp\2A5B.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\2A99.tmp"C:\Users\Admin\AppData\Local\Temp\2A99.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\2AD8.tmp"C:\Users\Admin\AppData\Local\Temp\2AD8.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\2B16.tmp"C:\Users\Admin\AppData\Local\Temp\2B16.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\2B54.tmp"C:\Users\Admin\AppData\Local\Temp\2B54.tmp"65⤵
- Executes dropped EXE
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\2BA2.tmp"C:\Users\Admin\AppData\Local\Temp\2BA2.tmp"66⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\2BE1.tmp"C:\Users\Admin\AppData\Local\Temp\2BE1.tmp"67⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\2C1F.tmp"C:\Users\Admin\AppData\Local\Temp\2C1F.tmp"68⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\2C5E.tmp"C:\Users\Admin\AppData\Local\Temp\2C5E.tmp"69⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\2C9C.tmp"C:\Users\Admin\AppData\Local\Temp\2C9C.tmp"70⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\2CDA.tmp"C:\Users\Admin\AppData\Local\Temp\2CDA.tmp"71⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\2D19.tmp"C:\Users\Admin\AppData\Local\Temp\2D19.tmp"72⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\2D57.tmp"C:\Users\Admin\AppData\Local\Temp\2D57.tmp"73⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\2D96.tmp"C:\Users\Admin\AppData\Local\Temp\2D96.tmp"74⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\2DE4.tmp"C:\Users\Admin\AppData\Local\Temp\2DE4.tmp"75⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\2E32.tmp"C:\Users\Admin\AppData\Local\Temp\2E32.tmp"76⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\2E70.tmp"C:\Users\Admin\AppData\Local\Temp\2E70.tmp"77⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\2EED.tmp"C:\Users\Admin\AppData\Local\Temp\2EED.tmp"78⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\2F2B.tmp"C:\Users\Admin\AppData\Local\Temp\2F2B.tmp"79⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\2F6A.tmp"C:\Users\Admin\AppData\Local\Temp\2F6A.tmp"80⤵PID:308
-
C:\Users\Admin\AppData\Local\Temp\2FB8.tmp"C:\Users\Admin\AppData\Local\Temp\2FB8.tmp"81⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\2FF6.tmp"C:\Users\Admin\AppData\Local\Temp\2FF6.tmp"82⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\3034.tmp"C:\Users\Admin\AppData\Local\Temp\3034.tmp"83⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\3073.tmp"C:\Users\Admin\AppData\Local\Temp\3073.tmp"84⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\30B1.tmp"C:\Users\Admin\AppData\Local\Temp\30B1.tmp"85⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\30F0.tmp"C:\Users\Admin\AppData\Local\Temp\30F0.tmp"86⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\312E.tmp"C:\Users\Admin\AppData\Local\Temp\312E.tmp"87⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\316C.tmp"C:\Users\Admin\AppData\Local\Temp\316C.tmp"88⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\31AB.tmp"C:\Users\Admin\AppData\Local\Temp\31AB.tmp"89⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\31E9.tmp"C:\Users\Admin\AppData\Local\Temp\31E9.tmp"90⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\3228.tmp"C:\Users\Admin\AppData\Local\Temp\3228.tmp"91⤵PID:592
-
C:\Users\Admin\AppData\Local\Temp\3266.tmp"C:\Users\Admin\AppData\Local\Temp\3266.tmp"92⤵PID:572
-
C:\Users\Admin\AppData\Local\Temp\32A4.tmp"C:\Users\Admin\AppData\Local\Temp\32A4.tmp"93⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\32E3.tmp"C:\Users\Admin\AppData\Local\Temp\32E3.tmp"94⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\3321.tmp"C:\Users\Admin\AppData\Local\Temp\3321.tmp"95⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\3360.tmp"C:\Users\Admin\AppData\Local\Temp\3360.tmp"96⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\339E.tmp"C:\Users\Admin\AppData\Local\Temp\339E.tmp"97⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\33DC.tmp"C:\Users\Admin\AppData\Local\Temp\33DC.tmp"98⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\341B.tmp"C:\Users\Admin\AppData\Local\Temp\341B.tmp"99⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\3459.tmp"C:\Users\Admin\AppData\Local\Temp\3459.tmp"100⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\3498.tmp"C:\Users\Admin\AppData\Local\Temp\3498.tmp"101⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\34D6.tmp"C:\Users\Admin\AppData\Local\Temp\34D6.tmp"102⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\3514.tmp"C:\Users\Admin\AppData\Local\Temp\3514.tmp"103⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\3553.tmp"C:\Users\Admin\AppData\Local\Temp\3553.tmp"104⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\3591.tmp"C:\Users\Admin\AppData\Local\Temp\3591.tmp"105⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\35D0.tmp"C:\Users\Admin\AppData\Local\Temp\35D0.tmp"106⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\360E.tmp"C:\Users\Admin\AppData\Local\Temp\360E.tmp"107⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\364C.tmp"C:\Users\Admin\AppData\Local\Temp\364C.tmp"108⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\368B.tmp"C:\Users\Admin\AppData\Local\Temp\368B.tmp"109⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\36C9.tmp"C:\Users\Admin\AppData\Local\Temp\36C9.tmp"110⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\3708.tmp"C:\Users\Admin\AppData\Local\Temp\3708.tmp"111⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\3746.tmp"C:\Users\Admin\AppData\Local\Temp\3746.tmp"112⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\3784.tmp"C:\Users\Admin\AppData\Local\Temp\3784.tmp"113⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\37C3.tmp"C:\Users\Admin\AppData\Local\Temp\37C3.tmp"114⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\3801.tmp"C:\Users\Admin\AppData\Local\Temp\3801.tmp"115⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\384F.tmp"C:\Users\Admin\AppData\Local\Temp\384F.tmp"116⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\388E.tmp"C:\Users\Admin\AppData\Local\Temp\388E.tmp"117⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\38CC.tmp"C:\Users\Admin\AppData\Local\Temp\38CC.tmp"118⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\390A.tmp"C:\Users\Admin\AppData\Local\Temp\390A.tmp"119⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\3949.tmp"C:\Users\Admin\AppData\Local\Temp\3949.tmp"120⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\3987.tmp"C:\Users\Admin\AppData\Local\Temp\3987.tmp"121⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\39C6.tmp"C:\Users\Admin\AppData\Local\Temp\39C6.tmp"122⤵PID:2540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-