Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 08/06/2024, 09:05
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe
  Resource: win7-20240220-en
  3 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe
  Resource: win10v2004-20240426-en
  2 signatures, 150 seconds
General
Target: 2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe
Size: 536KB
MD5: 3355c5b157f98c45704b739e429e099b
SHA1: 32689a4e4b4c407aeaba3df45ee2b6053a27c6b3
SHA256: 59e6a0adb3c14b46fbb1d6f98cc0e34a793d4fe958577a8625306eb31ef2195f
SHA512: fef0912fd32fdc7433536bb229f83993b094f08583d5216ee8a3e912cd7111de898636c80452bc78a23394a9029ae2f924ef5f29094cfd68ee9b0c9cf9ee3290
SSDEEP: 12288:wU5rCOTeiUEm0mBgOwtxSCV5E24Q/x3IZxVJ0ZT9:wUQOJUEm0mBrwtxSC7T/dIRJ0ZT9
Score: 7/10
Malware Config
Signatures

Executes dropped EXE (64 IoCs)
pid   Process
2800  676.tmp
2564  6F3.tmp
2688  760.tmp
2028  7ED.tmp
2000  879.tmp
2584  8D7.tmp
2432  973.tmp
2936  9E0.tmp
712   A2E.tmp
2728  ACA.tmp
2788  B47.tmp
1496  BA4.tmp
1576  C40.tmp
1508  CAE.tmp
1264  D3A.tmp
2488  DB7.tmp
1176  E34.tmp
1736  ED0.tmp
2004  F6C.tmp
2828  FC9.tmp
2216  1056.tmp
572   10C3.tmp
1080  1111.tmp
1804  116E.tmp
1968  11DC.tmp
2220  121A.tmp
1232  1278.tmp
1516  12B6.tmp
3020  1314.tmp
1704  1352.tmp
1368  13B0.tmp
1680  140D.tmp
960   146B.tmp
2976  14A9.tmp
1600  1516.tmp
2944  1564.tmp
2380  15A3.tmp
896   1610.tmp
2080  166E.tmp
1544  16AC.tmp
2740  170A.tmp
3024  1748.tmp
2624  1786.tmp
2572  17C5.tmp
2692  1803.tmp
2676  1842.tmp
2652  1880.tmp
1452  18BE.tmp
2476  190C.tmp
2472  194B.tmp
2880  1989.tmp
2932  19C8.tmp
2708  1A06.tmp
712   1A44.tmp
2764  1A83.tmp
1260  1AC1.tmp
776   1B00.tmp
1436  1B4E.tmp
1752  1B8C.tmp
556   1BDA.tmp
876   1C09.tmp
1360  1C47.tmp
1612  1C86.tmp
1216  1CC4.tmp
Loads dropped DLL (64 IoCs)
pid   Process
2916  2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe
2800  676.tmp
2564  6F3.tmp
2688  760.tmp
2028  7ED.tmp
2000  879.tmp
2584  8D7.tmp
2432  973.tmp
2936  9E0.tmp
712   A2E.tmp
2728  ACA.tmp
2788  B47.tmp
1496  BA4.tmp
1576  C40.tmp
1508  CAE.tmp
1264  D3A.tmp
2488  DB7.tmp
1176  E34.tmp
1736  ED0.tmp
2004  F6C.tmp
2828  FC9.tmp
2216  1056.tmp
572   10C3.tmp
1080  1111.tmp
1804  116E.tmp
1968  11DC.tmp
2220  121A.tmp
1232  1278.tmp
1516  12B6.tmp
3020  1314.tmp
1704  1352.tmp
1368  13B0.tmp
1680  140D.tmp
960   146B.tmp
2976  14A9.tmp
1600  1516.tmp
2944  1564.tmp
2380  15A3.tmp
896   1610.tmp
2080  166E.tmp
1544  16AC.tmp
2740  170A.tmp
3024  1748.tmp
2624  1786.tmp
2572  17C5.tmp
2692  1803.tmp
2676  1842.tmp
2652  1880.tmp
1452  18BE.tmp
2476  190C.tmp
2472  194B.tmp
2880  1989.tmp
2932  19C8.tmp
2708  1A06.tmp
712   1A44.tmp
2764  1A83.tmp
1260  1AC1.tmp
776   1B00.tmp
1436  1B4E.tmp
1752  1B8C.tmp
556   1BDA.tmp
876   1C09.tmp
1360  1C47.tmp
1612  1C86.tmp
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process                                                  procid_target
PID 2916 wrote to memory of 2800  2916  2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe  28
PID 2916 wrote to memory of 2800  2916  2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe  28
PID 2916 wrote to memory of 2800  2916  2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe  28
PID 2916 wrote to memory of 2800  2916  2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe  28
PID 2800 wrote to memory of 2564  2800  676.tmp                                                  29
PID 2800 wrote to memory of 2564  2800  676.tmp                                                  29
PID 2800 wrote to memory of 2564  2800  676.tmp                                                  29
PID 2800 wrote to memory of 2564  2800  676.tmp                                                  29
PID 2564 wrote to memory of 2688  2564  6F3.tmp                                                  30
PID 2564 wrote to memory of 2688  2564  6F3.tmp                                                  30
PID 2564 wrote to memory of 2688  2564  6F3.tmp                                                  30
PID 2564 wrote to memory of 2688  2564  6F3.tmp                                                  30
PID 2688 wrote to memory of 2028  2688  760.tmp                                                  31
PID 2688 wrote to memory of 2028  2688  760.tmp                                                  31
PID 2688 wrote to memory of 2028  2688  760.tmp                                                  31
PID 2688 wrote to memory of 2028  2688  760.tmp                                                  31
PID 2028 wrote to memory of 2000  2028  7ED.tmp                                                  32
PID 2028 wrote to memory of 2000  2028  7ED.tmp                                                  32
PID 2028 wrote to memory of 2000  2028  7ED.tmp                                                  32
PID 2028 wrote to memory of 2000  2028  7ED.tmp                                                  32
PID 2000 wrote to memory of 2584  2000  879.tmp                                                  33
PID 2000 wrote to memory of 2584  2000  879.tmp                                                  33
PID 2000 wrote to memory of 2584  2000  879.tmp                                                  33
PID 2000 wrote to memory of 2584  2000  879.tmp                                                  33
PID 2584 wrote to memory of 2432  2584  8D7.tmp                                                  34
PID 2584 wrote to memory of 2432  2584  8D7.tmp                                                  34
PID 2584 wrote to memory of 2432  2584  8D7.tmp                                                  34
PID 2584 wrote to memory of 2432  2584  8D7.tmp                                                  34
PID 2432 wrote to memory of 2936  2432  973.tmp                                                  35
PID 2432 wrote to memory of 2936  2432  973.tmp                                                  35
PID 2432 wrote to memory of 2936  2432  973.tmp                                                  35
PID 2432 wrote to memory of 2936  2432  973.tmp                                                  35
PID 2936 wrote to memory of 712   2936  9E0.tmp                                                  36
PID 2936 wrote to memory of 712   2936  9E0.tmp                                                  36
PID 2936 wrote to memory of 712   2936  9E0.tmp                                                  36
PID 2936 wrote to memory of 712   2936  9E0.tmp                                                  36
PID 712 wrote to memory of 2728   712   A2E.tmp                                                  37
PID 712 wrote to memory of 2728   712   A2E.tmp                                                  37
PID 712 wrote to memory of 2728   712   A2E.tmp                                                  37
PID 712 wrote to memory of 2728   712   A2E.tmp                                                  37
PID 2728 wrote to memory of 2788  2728  ACA.tmp                                                  38
PID 2728 wrote to memory of 2788  2728  ACA.tmp                                                  38
PID 2728 wrote to memory of 2788  2728  ACA.tmp                                                  38
PID 2728 wrote to memory of 2788  2728  ACA.tmp                                                  38
PID 2788 wrote to memory of 1496  2788  B47.tmp                                                  39
PID 2788 wrote to memory of 1496  2788  B47.tmp                                                  39
PID 2788 wrote to memory of 1496  2788  B47.tmp                                                  39
PID 2788 wrote to memory of 1496  2788  B47.tmp                                                  39
PID 1496 wrote to memory of 1576  1496  BA4.tmp                                                  40
PID 1496 wrote to memory of 1576  1496  BA4.tmp                                                  40
PID 1496 wrote to memory of 1576  1496  BA4.tmp                                                  40
PID 1496 wrote to memory of 1576  1496  BA4.tmp                                                  40
PID 1576 wrote to memory of 1508  1576  C40.tmp                                                  41
PID 1576 wrote to memory of 1508  1576  C40.tmp                                                  41
PID 1576 wrote to memory of 1508  1576  C40.tmp                                                  41
PID 1576 wrote to memory of 1508  1576  C40.tmp                                                  41
PID 1508 wrote to memory of 1264  1508  CAE.tmp                                                  42
PID 1508 wrote to memory of 1264  1508  CAE.tmp                                                  42
PID 1508 wrote to memory of 1264  1508  CAE.tmp                                                  42
PID 1508 wrote to memory of 1264  1508  CAE.tmp                                                  42
PID 1264 wrote to memory of 2488  1264  D3A.tmp                                                  43
PID 1264 wrote to memory of 2488  1264  D3A.tmp                                                  43
PID 1264 wrote to memory of 2488  1264  D3A.tmp                                                  43
PID 1264 wrote to memory of 2488  1264  D3A.tmp                                                  43
Processes
Each process below spawned the next one (depth increases by one per level). Columns: depth, PID, process path, command line, matched signatures.

1    PID 2916  C:\Users\Admin\AppData\Local\Temp\2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe  "C:\Users\Admin\AppData\Local\Temp\2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe"  Loads dropped DLL; Suspicious use of WriteProcessMemory
2    PID 2800  C:\Users\Admin\AppData\Local\Temp\676.tmp  "C:\Users\Admin\AppData\Local\Temp\676.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3    PID 2564  C:\Users\Admin\AppData\Local\Temp\6F3.tmp  "C:\Users\Admin\AppData\Local\Temp\6F3.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4    PID 2688  C:\Users\Admin\AppData\Local\Temp\760.tmp  "C:\Users\Admin\AppData\Local\Temp\760.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5    PID 2028  C:\Users\Admin\AppData\Local\Temp\7ED.tmp  "C:\Users\Admin\AppData\Local\Temp\7ED.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6    PID 2000  C:\Users\Admin\AppData\Local\Temp\879.tmp  "C:\Users\Admin\AppData\Local\Temp\879.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7    PID 2584  C:\Users\Admin\AppData\Local\Temp\8D7.tmp  "C:\Users\Admin\AppData\Local\Temp\8D7.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8    PID 2432  C:\Users\Admin\AppData\Local\Temp\973.tmp  "C:\Users\Admin\AppData\Local\Temp\973.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9    PID 2936  C:\Users\Admin\AppData\Local\Temp\9E0.tmp  "C:\Users\Admin\AppData\Local\Temp\9E0.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10   PID 712   C:\Users\Admin\AppData\Local\Temp\A2E.tmp  "C:\Users\Admin\AppData\Local\Temp\A2E.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11   PID 2728  C:\Users\Admin\AppData\Local\Temp\ACA.tmp  "C:\Users\Admin\AppData\Local\Temp\ACA.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12   PID 2788  C:\Users\Admin\AppData\Local\Temp\B47.tmp  "C:\Users\Admin\AppData\Local\Temp\B47.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13   PID 1496  C:\Users\Admin\AppData\Local\Temp\BA4.tmp  "C:\Users\Admin\AppData\Local\Temp\BA4.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14   PID 1576  C:\Users\Admin\AppData\Local\Temp\C40.tmp  "C:\Users\Admin\AppData\Local\Temp\C40.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15   PID 1508  C:\Users\Admin\AppData\Local\Temp\CAE.tmp  "C:\Users\Admin\AppData\Local\Temp\CAE.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16   PID 1264  C:\Users\Admin\AppData\Local\Temp\D3A.tmp  "C:\Users\Admin\AppData\Local\Temp\D3A.tmp"  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17   PID 2488  C:\Users\Admin\AppData\Local\Temp\DB7.tmp  "C:\Users\Admin\AppData\Local\Temp\DB7.tmp"  Executes dropped EXE; Loads dropped DLL
18   PID 1176  C:\Users\Admin\AppData\Local\Temp\E34.tmp  "C:\Users\Admin\AppData\Local\Temp\E34.tmp"  Executes dropped EXE; Loads dropped DLL
19   PID 1736  C:\Users\Admin\AppData\Local\Temp\ED0.tmp  "C:\Users\Admin\AppData\Local\Temp\ED0.tmp"  Executes dropped EXE; Loads dropped DLL
20   PID 2004  C:\Users\Admin\AppData\Local\Temp\F6C.tmp  "C:\Users\Admin\AppData\Local\Temp\F6C.tmp"  Executes dropped EXE; Loads dropped DLL
21   PID 2828  C:\Users\Admin\AppData\Local\Temp\FC9.tmp  "C:\Users\Admin\AppData\Local\Temp\FC9.tmp"  Executes dropped EXE; Loads dropped DLL
22   PID 2216  C:\Users\Admin\AppData\Local\Temp\1056.tmp  "C:\Users\Admin\AppData\Local\Temp\1056.tmp"  Executes dropped EXE; Loads dropped DLL
23   PID 572   C:\Users\Admin\AppData\Local\Temp\10C3.tmp  "C:\Users\Admin\AppData\Local\Temp\10C3.tmp"  Executes dropped EXE; Loads dropped DLL
24   PID 1080  C:\Users\Admin\AppData\Local\Temp\1111.tmp  "C:\Users\Admin\AppData\Local\Temp\1111.tmp"  Executes dropped EXE; Loads dropped DLL
25   PID 1804  C:\Users\Admin\AppData\Local\Temp\116E.tmp  "C:\Users\Admin\AppData\Local\Temp\116E.tmp"  Executes dropped EXE; Loads dropped DLL
26   PID 1968  C:\Users\Admin\AppData\Local\Temp\11DC.tmp  "C:\Users\Admin\AppData\Local\Temp\11DC.tmp"  Executes dropped EXE; Loads dropped DLL
27   PID 2220  C:\Users\Admin\AppData\Local\Temp\121A.tmp  "C:\Users\Admin\AppData\Local\Temp\121A.tmp"  Executes dropped EXE; Loads dropped DLL
28   PID 1232  C:\Users\Admin\AppData\Local\Temp\1278.tmp  "C:\Users\Admin\AppData\Local\Temp\1278.tmp"  Executes dropped EXE; Loads dropped DLL
29   PID 1516  C:\Users\Admin\AppData\Local\Temp\12B6.tmp  "C:\Users\Admin\AppData\Local\Temp\12B6.tmp"  Executes dropped EXE; Loads dropped DLL
30   PID 3020  C:\Users\Admin\AppData\Local\Temp\1314.tmp  "C:\Users\Admin\AppData\Local\Temp\1314.tmp"  Executes dropped EXE; Loads dropped DLL
31   PID 1704  C:\Users\Admin\AppData\Local\Temp\1352.tmp  "C:\Users\Admin\AppData\Local\Temp\1352.tmp"  Executes dropped EXE; Loads dropped DLL
32   PID 1368  C:\Users\Admin\AppData\Local\Temp\13B0.tmp  "C:\Users\Admin\AppData\Local\Temp\13B0.tmp"  Executes dropped EXE; Loads dropped DLL
33   PID 1680  C:\Users\Admin\AppData\Local\Temp\140D.tmp  "C:\Users\Admin\AppData\Local\Temp\140D.tmp"  Executes dropped EXE; Loads dropped DLL
34   PID 960   C:\Users\Admin\AppData\Local\Temp\146B.tmp  "C:\Users\Admin\AppData\Local\Temp\146B.tmp"  Executes dropped EXE; Loads dropped DLL
35   PID 2976  C:\Users\Admin\AppData\Local\Temp\14A9.tmp  "C:\Users\Admin\AppData\Local\Temp\14A9.tmp"  Executes dropped EXE; Loads dropped DLL
36   PID 1600  C:\Users\Admin\AppData\Local\Temp\1516.tmp  "C:\Users\Admin\AppData\Local\Temp\1516.tmp"  Executes dropped EXE; Loads dropped DLL
37   PID 2944  C:\Users\Admin\AppData\Local\Temp\1564.tmp  "C:\Users\Admin\AppData\Local\Temp\1564.tmp"  Executes dropped EXE; Loads dropped DLL
38   PID 2380  C:\Users\Admin\AppData\Local\Temp\15A3.tmp  "C:\Users\Admin\AppData\Local\Temp\15A3.tmp"  Executes dropped EXE; Loads dropped DLL
39   PID 896   C:\Users\Admin\AppData\Local\Temp\1610.tmp  "C:\Users\Admin\AppData\Local\Temp\1610.tmp"  Executes dropped EXE; Loads dropped DLL
40   PID 2080  C:\Users\Admin\AppData\Local\Temp\166E.tmp  "C:\Users\Admin\AppData\Local\Temp\166E.tmp"  Executes dropped EXE; Loads dropped DLL
41   PID 1544  C:\Users\Admin\AppData\Local\Temp\16AC.tmp  "C:\Users\Admin\AppData\Local\Temp\16AC.tmp"  Executes dropped EXE; Loads dropped DLL
42   PID 2740  C:\Users\Admin\AppData\Local\Temp\170A.tmp  "C:\Users\Admin\AppData\Local\Temp\170A.tmp"  Executes dropped EXE; Loads dropped DLL
43   PID 3024  C:\Users\Admin\AppData\Local\Temp\1748.tmp  "C:\Users\Admin\AppData\Local\Temp\1748.tmp"  Executes dropped EXE; Loads dropped DLL
44   PID 2624  C:\Users\Admin\AppData\Local\Temp\1786.tmp  "C:\Users\Admin\AppData\Local\Temp\1786.tmp"  Executes dropped EXE; Loads dropped DLL
45   PID 2572  C:\Users\Admin\AppData\Local\Temp\17C5.tmp  "C:\Users\Admin\AppData\Local\Temp\17C5.tmp"  Executes dropped EXE; Loads dropped DLL
46   PID 2692  C:\Users\Admin\AppData\Local\Temp\1803.tmp  "C:\Users\Admin\AppData\Local\Temp\1803.tmp"  Executes dropped EXE; Loads dropped DLL
47   PID 2676  C:\Users\Admin\AppData\Local\Temp\1842.tmp  "C:\Users\Admin\AppData\Local\Temp\1842.tmp"  Executes dropped EXE; Loads dropped DLL
48   PID 2652  C:\Users\Admin\AppData\Local\Temp\1880.tmp  "C:\Users\Admin\AppData\Local\Temp\1880.tmp"  Executes dropped EXE; Loads dropped DLL
49   PID 1452  C:\Users\Admin\AppData\Local\Temp\18BE.tmp  "C:\Users\Admin\AppData\Local\Temp\18BE.tmp"  Executes dropped EXE; Loads dropped DLL
50   PID 2476  C:\Users\Admin\AppData\Local\Temp\190C.tmp  "C:\Users\Admin\AppData\Local\Temp\190C.tmp"  Executes dropped EXE; Loads dropped DLL
51   PID 2472  C:\Users\Admin\AppData\Local\Temp\194B.tmp  "C:\Users\Admin\AppData\Local\Temp\194B.tmp"  Executes dropped EXE; Loads dropped DLL
52   PID 2880  C:\Users\Admin\AppData\Local\Temp\1989.tmp  "C:\Users\Admin\AppData\Local\Temp\1989.tmp"  Executes dropped EXE; Loads dropped DLL
53   PID 2932  C:\Users\Admin\AppData\Local\Temp\19C8.tmp  "C:\Users\Admin\AppData\Local\Temp\19C8.tmp"  Executes dropped EXE; Loads dropped DLL
54   PID 2708  C:\Users\Admin\AppData\Local\Temp\1A06.tmp  "C:\Users\Admin\AppData\Local\Temp\1A06.tmp"  Executes dropped EXE; Loads dropped DLL
55   PID 712   C:\Users\Admin\AppData\Local\Temp\1A44.tmp  "C:\Users\Admin\AppData\Local\Temp\1A44.tmp"  Executes dropped EXE; Loads dropped DLL
56   PID 2764  C:\Users\Admin\AppData\Local\Temp\1A83.tmp  "C:\Users\Admin\AppData\Local\Temp\1A83.tmp"  Executes dropped EXE; Loads dropped DLL
57   PID 1260  C:\Users\Admin\AppData\Local\Temp\1AC1.tmp  "C:\Users\Admin\AppData\Local\Temp\1AC1.tmp"  Executes dropped EXE; Loads dropped DLL
58   PID 776   C:\Users\Admin\AppData\Local\Temp\1B00.tmp  "C:\Users\Admin\AppData\Local\Temp\1B00.tmp"  Executes dropped EXE; Loads dropped DLL
59   PID 1436  C:\Users\Admin\AppData\Local\Temp\1B4E.tmp  "C:\Users\Admin\AppData\Local\Temp\1B4E.tmp"  Executes dropped EXE; Loads dropped DLL
60   PID 1752  C:\Users\Admin\AppData\Local\Temp\1B8C.tmp  "C:\Users\Admin\AppData\Local\Temp\1B8C.tmp"  Executes dropped EXE; Loads dropped DLL
61   PID 556   C:\Users\Admin\AppData\Local\Temp\1BDA.tmp  "C:\Users\Admin\AppData\Local\Temp\1BDA.tmp"  Executes dropped EXE; Loads dropped DLL
62   PID 876   C:\Users\Admin\AppData\Local\Temp\1C09.tmp  "C:\Users\Admin\AppData\Local\Temp\1C09.tmp"  Executes dropped EXE; Loads dropped DLL
63   PID 1360  C:\Users\Admin\AppData\Local\Temp\1C47.tmp  "C:\Users\Admin\AppData\Local\Temp\1C47.tmp"  Executes dropped EXE; Loads dropped DLL
64   PID 1612  C:\Users\Admin\AppData\Local\Temp\1C86.tmp  "C:\Users\Admin\AppData\Local\Temp\1C86.tmp"  Executes dropped EXE; Loads dropped DLL
65   PID 1216  C:\Users\Admin\AppData\Local\Temp\1CC4.tmp  "C:\Users\Admin\AppData\Local\Temp\1CC4.tmp"  Executes dropped EXE
66   PID 1688  C:\Users\Admin\AppData\Local\Temp\1D02.tmp  "C:\Users\Admin\AppData\Local\Temp\1D02.tmp"
67   PID 2192  C:\Users\Admin\AppData\Local\Temp\1D41.tmp  "C:\Users\Admin\AppData\Local\Temp\1D41.tmp"
68   PID 2072  C:\Users\Admin\AppData\Local\Temp\1D7F.tmp  "C:\Users\Admin\AppData\Local\Temp\1D7F.tmp"
69   PID 1876  C:\Users\Admin\AppData\Local\Temp\1DCD.tmp  "C:\Users\Admin\AppData\Local\Temp\1DCD.tmp"
70   PID 2828  C:\Users\Admin\AppData\Local\Temp\1E0C.tmp  "C:\Users\Admin\AppData\Local\Temp\1E0C.tmp"
71   PID 1148  C:\Users\Admin\AppData\Local\Temp\1E4A.tmp  "C:\Users\Admin\AppData\Local\Temp\1E4A.tmp"
72   PID 784   C:\Users\Admin\AppData\Local\Temp\1E88.tmp  "C:\Users\Admin\AppData\Local\Temp\1E88.tmp"
73   PID 1572  C:\Users\Admin\AppData\Local\Temp\1EC7.tmp  "C:\Users\Admin\AppData\Local\Temp\1EC7.tmp"
74   PID 1756  C:\Users\Admin\AppData\Local\Temp\1F05.tmp  "C:\Users\Admin\AppData\Local\Temp\1F05.tmp"
75   PID 2396  C:\Users\Admin\AppData\Local\Temp\1F53.tmp  "C:\Users\Admin\AppData\Local\Temp\1F53.tmp"
76   PID 1964  C:\Users\Admin\AppData\Local\Temp\1F92.tmp  "C:\Users\Admin\AppData\Local\Temp\1F92.tmp"
77   PID 496   C:\Users\Admin\AppData\Local\Temp\1FD0.tmp  "C:\Users\Admin\AppData\Local\Temp\1FD0.tmp"
78   PID 3028  C:\Users\Admin\AppData\Local\Temp\201E.tmp  "C:\Users\Admin\AppData\Local\Temp\201E.tmp"
79   PID 1488  C:\Users\Admin\AppData\Local\Temp\205C.tmp  "C:\Users\Admin\AppData\Local\Temp\205C.tmp"
80   PID 976   C:\Users\Admin\AppData\Local\Temp\209B.tmp  "C:\Users\Admin\AppData\Local\Temp\209B.tmp"
81   PID 1684  C:\Users\Admin\AppData\Local\Temp\20E9.tmp  "C:\Users\Admin\AppData\Local\Temp\20E9.tmp"
82   PID 280   C:\Users\Admin\AppData\Local\Temp\2127.tmp  "C:\Users\Admin\AppData\Local\Temp\2127.tmp"
83   PID 652   C:\Users\Admin\AppData\Local\Temp\2166.tmp  "C:\Users\Admin\AppData\Local\Temp\2166.tmp"
84   PID 1712  C:\Users\Admin\AppData\Local\Temp\21A4.tmp  "C:\Users\Admin\AppData\Local\Temp\21A4.tmp"
85   PID 804   C:\Users\Admin\AppData\Local\Temp\21E2.tmp  "C:\Users\Admin\AppData\Local\Temp\21E2.tmp"
86   PID 1520  C:\Users\Admin\AppData\Local\Temp\2221.tmp  "C:\Users\Admin\AppData\Local\Temp\2221.tmp"
87   PID 2156  C:\Users\Admin\AppData\Local\Temp\225F.tmp  "C:\Users\Admin\AppData\Local\Temp\225F.tmp"
88   PID 320   C:\Users\Admin\AppData\Local\Temp\229E.tmp  "C:\Users\Admin\AppData\Local\Temp\229E.tmp"
89   PID 1504  C:\Users\Admin\AppData\Local\Temp\22DC.tmp  "C:\Users\Admin\AppData\Local\Temp\22DC.tmp"
90   PID 1536  C:\Users\Admin\AppData\Local\Temp\231A.tmp  "C:\Users\Admin\AppData\Local\Temp\231A.tmp"
91   PID 2964  C:\Users\Admin\AppData\Local\Temp\2368.tmp  "C:\Users\Admin\AppData\Local\Temp\2368.tmp"
92   PID 2524  C:\Users\Admin\AppData\Local\Temp\23A7.tmp  "C:\Users\Admin\AppData\Local\Temp\23A7.tmp"
93   PID 2620  C:\Users\Admin\AppData\Local\Temp\23E5.tmp  "C:\Users\Admin\AppData\Local\Temp\23E5.tmp"
94   PID 2544  C:\Users\Admin\AppData\Local\Temp\2424.tmp  "C:\Users\Admin\AppData\Local\Temp\2424.tmp"
95   PID 2572  C:\Users\Admin\AppData\Local\Temp\2462.tmp  "C:\Users\Admin\AppData\Local\Temp\2462.tmp"
96   PID 2808  C:\Users\Admin\AppData\Local\Temp\24A0.tmp  "C:\Users\Admin\AppData\Local\Temp\24A0.tmp"
97   PID 2776  C:\Users\Admin\AppData\Local\Temp\24DF.tmp  "C:\Users\Admin\AppData\Local\Temp\24DF.tmp"
98   PID 2556  C:\Users\Admin\AppData\Local\Temp\251D.tmp  "C:\Users\Admin\AppData\Local\Temp\251D.tmp"
99   PID 2652  C:\Users\Admin\AppData\Local\Temp\255C.tmp  "C:\Users\Admin\AppData\Local\Temp\255C.tmp"
100  PID 2424  C:\Users\Admin\AppData\Local\Temp\259A.tmp  "C:\Users\Admin\AppData\Local\Temp\259A.tmp"
101  PID 2584  C:\Users\Admin\AppData\Local\Temp\25D8.tmp  "C:\Users\Admin\AppData\Local\Temp\25D8.tmp"
102  PID 2496  C:\Users\Admin\AppData\Local\Temp\2617.tmp  "C:\Users\Admin\AppData\Local\Temp\2617.tmp"
103  PID 2968  C:\Users\Admin\AppData\Local\Temp\2655.tmp  "C:\Users\Admin\AppData\Local\Temp\2655.tmp"
104  PID 2884  C:\Users\Admin\AppData\Local\Temp\2694.tmp  "C:\Users\Admin\AppData\Local\Temp\2694.tmp"
105  PID 1616  C:\Users\Admin\AppData\Local\Temp\26D2.tmp  "C:\Users\Admin\AppData\Local\Temp\26D2.tmp"
106  PID 2880  C:\Users\Admin\AppData\Local\Temp\2710.tmp  "C:\Users\Admin\AppData\Local\Temp\2710.tmp"
107  PID 2932  C:\Users\Admin\AppData\Local\Temp\274F.tmp  "C:\Users\Admin\AppData\Local\Temp\274F.tmp"
108  PID 2732  C:\Users\Admin\AppData\Local\Temp\279D.tmp  "C:\Users\Admin\AppData\Local\Temp\279D.tmp"
109  PID 2640  C:\Users\Admin\AppData\Local\Temp\27DB.tmp  "C:\Users\Admin\AppData\Local\Temp\27DB.tmp"
110  PID 2752  C:\Users\Admin\AppData\Local\Temp\281A.tmp  "C:\Users\Admin\AppData\Local\Temp\281A.tmp"
111  PID 2788  C:\Users\Admin\AppData\Local\Temp\2858.tmp  "C:\Users\Admin\AppData\Local\Temp\2858.tmp"
112  PID 1244  C:\Users\Admin\AppData\Local\Temp\2896.tmp  "C:\Users\Admin\AppData\Local\Temp\2896.tmp"
113  PID 1580  C:\Users\Admin\AppData\Local\Temp\28D5.tmp  "C:\Users\Admin\AppData\Local\Temp\28D5.tmp"
114  PID 848   C:\Users\Admin\AppData\Local\Temp\2913.tmp  "C:\Users\Admin\AppData\Local\Temp\2913.tmp"
115  PID 1576  C:\Users\Admin\AppData\Local\Temp\2952.tmp  "C:\Users\Admin\AppData\Local\Temp\2952.tmp"
116  PID 1560  C:\Users\Admin\AppData\Local\Temp\2990.tmp  "C:\Users\Admin\AppData\Local\Temp\2990.tmp"
117  PID 1252  C:\Users\Admin\AppData\Local\Temp\29CE.tmp  "C:\Users\Admin\AppData\Local\Temp\29CE.tmp"
118  PID 1192  C:\Users\Admin\AppData\Local\Temp\2A0D.tmp  "C:\Users\Admin\AppData\Local\Temp\2A0D.tmp"
119  PID 284   C:\Users\Admin\AppData\Local\Temp\2A4B.tmp  "C:\Users\Admin\AppData\Local\Temp\2A4B.tmp"
120  PID 876   C:\Users\Admin\AppData\Local\Temp\2A8A.tmp  "C:\Users\Admin\AppData\Local\Temp\2A8A.tmp"
121  PID 1264  C:\Users\Admin\AppData\Local\Temp\2AC8.tmp  "C:\Users\Admin\AppData\Local\Temp\2AC8.tmp"
122  PID 2024  C:\Users\Admin\AppData\Local\Temp\2B06.tmp  "C:\Users\Admin\AppData\Local\Temp\2B06.tmp"