Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12/08/2024, 07:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe
-
Size
488KB
-
MD5
a51b45ce4fd6755104909c518017bb96
-
SHA1
a4472ad05731c204f9ca261b3241d43f4a267ea3
-
SHA256
0ba93be6d22e0d21f9c62be7eb49767d91d993ed71914e00d098f37524977272
-
SHA512
34cd15ca7b8b7e4e8140055c12e2c9eeb8fadfbfc4685010aec61dc91fe9e4a4f0646bef83531373011888cf24b5eb0cf58d0c31f63accbba05787ebe169cc0a
-
SSDEEP
12288:/U5rCOTeiDU/8ufLn03hogoOQwwLtHn+iyMmGkNZ:/UQOJDU/82Whogo5wYtHn+0kN
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2984 6419.tmp 4040 6486.tmp 3712 6503.tmp 2856 6571.tmp 3836 65DE.tmp 3668 662C.tmp 3264 667A.tmp 1536 66F7.tmp 2672 6765.tmp 5076 67C2.tmp 3692 6820.tmp 2956 687E.tmp 1852 68DC.tmp 1792 6939.tmp 4428 69A7.tmp 1576 6A24.tmp 3124 6A91.tmp 3112 6AEF.tmp 2900 6B3D.tmp 3912 6BAA.tmp 4628 6C18.tmp 3828 6C66.tmp 1532 6CC4.tmp 3648 6D31.tmp 4888 6D9E.tmp 3540 6DEC.tmp 760 6E5A.tmp 1836 6EA8.tmp 3860 6F06.tmp 3164 6F54.tmp 3780 6FB2.tmp 3896 700F.tmp 3388 706D.tmp 920 70CB.tmp 2024 7129.tmp 2736 7186.tmp 4372 71D4.tmp 2952 7251.tmp 3952 72AF.tmp 3760 730D.tmp 4344 735B.tmp 1028 73A9.tmp 3076 73F7.tmp 4820 7455.tmp 3268 74B3.tmp 3764 7501.tmp 2856 755F.tmp 3836 75AD.tmp 3176 75FB.tmp 3264 7659.tmp 1648 76B6.tmp 3888 7724.tmp 2672 7772.tmp 1188 77D0.tmp 3724 782D.tmp 3772 788B.tmp 4400 78E9.tmp 2956 7947.tmp 1592 79A4.tmp 3484 7A02.tmp 4940 7A60.tmp 1204 7ABE.tmp 1576 7B1B.tmp 4564 7B89.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5484.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5B98.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7385.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 897E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A1C9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EAAE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21BC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3D23.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8F1C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9451.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6AEA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8B14.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F58B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 71F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3469.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3CD5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7AA9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6B3D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1FA8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7D9C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 817F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F443.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 34B7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AB63.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF0A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CD14.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A901.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5C92.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2798.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BFF4.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60B9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 83A2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A3F1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D784.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1D66.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 954B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AEB9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 83D6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F491.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7153.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97D6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF58.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D68A.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4172 wrote to memory of 2984 4172 2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe 84 PID 4172 wrote to memory of 2984 4172 2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe 84 PID 4172 wrote to memory of 2984 4172 2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe 84 PID 2984 wrote to memory of 4040 2984 6419.tmp 86 PID 2984 wrote to memory of 4040 2984 6419.tmp 86 PID 2984 wrote to memory of 4040 2984 6419.tmp 86 PID 4040 wrote to memory of 3712 4040 6486.tmp 88 PID 4040 wrote to memory of 3712 4040 6486.tmp 88 PID 4040 wrote to memory of 3712 4040 6486.tmp 88 PID 3712 wrote to memory of 2856 3712 6503.tmp 90 PID 3712 wrote to memory of 2856 3712 6503.tmp 90 PID 3712 wrote to memory of 2856 3712 6503.tmp 90 PID 2856 wrote to memory of 3836 2856 6571.tmp 91 PID 2856 wrote to memory of 3836 2856 6571.tmp 91 PID 2856 wrote to memory of 3836 2856 6571.tmp 91 PID 3836 wrote to memory of 3668 3836 65DE.tmp 92 PID 3836 wrote to memory of 3668 3836 65DE.tmp 92 PID 3836 wrote to memory of 3668 3836 65DE.tmp 92 PID 3668 wrote to memory of 3264 3668 662C.tmp 93 PID 3668 wrote to memory of 3264 3668 662C.tmp 93 PID 3668 wrote to memory of 3264 3668 662C.tmp 93 PID 3264 wrote to memory of 1536 3264 667A.tmp 94 PID 3264 wrote to memory of 1536 3264 667A.tmp 94 PID 3264 wrote to memory of 1536 3264 667A.tmp 94 PID 1536 wrote to memory of 2672 1536 66F7.tmp 95 PID 1536 wrote to memory of 2672 1536 66F7.tmp 95 PID 1536 wrote to memory of 2672 1536 66F7.tmp 95 PID 2672 wrote to memory of 5076 2672 6765.tmp 96 PID 2672 wrote to memory of 5076 2672 6765.tmp 96 PID 2672 wrote to memory of 5076 2672 6765.tmp 96 PID 5076 wrote to memory of 3692 5076 67C2.tmp 97 PID 5076 wrote to memory of 3692 5076 67C2.tmp 97 PID 5076 wrote to memory of 3692 5076 67C2.tmp 97 PID 3692 wrote to memory of 2956 3692 6820.tmp 98 PID 3692 wrote to memory of 2956 3692 6820.tmp 98 PID 3692 wrote to memory of 2956 3692 6820.tmp 98 PID 2956 wrote to memory of 1852 2956 687E.tmp 99 PID 2956 wrote to memory of 1852 2956 687E.tmp 99 PID 2956 wrote to memory of 1852 2956 687E.tmp 99 PID 1852 wrote to memory of 1792 1852 68DC.tmp 100 PID 1852 wrote to memory of 1792 1852 68DC.tmp 100 PID 1852 wrote to memory of 1792 1852 68DC.tmp 100 PID 1792 wrote to memory of 4428 1792 6939.tmp 101 PID 1792 wrote to memory of 4428 1792 6939.tmp 101 PID 1792 wrote to memory of 4428 1792 6939.tmp 101 PID 4428 wrote to memory of 1576 4428 69A7.tmp 102 PID 4428 wrote to memory of 1576 4428 69A7.tmp 102 PID 4428 wrote to memory of 1576 4428 69A7.tmp 102 PID 1576 wrote to memory of 3124 1576 6A24.tmp 103 PID 1576 wrote to memory of 3124 1576 6A24.tmp 103 PID 1576 wrote to memory of 3124 1576 6A24.tmp 103 PID 3124 wrote to memory of 3112 3124 6A91.tmp 104 PID 3124 wrote to memory of 3112 3124 6A91.tmp 104 PID 3124 wrote to memory of 3112 3124 6A91.tmp 104 PID 3112 wrote to memory of 2900 3112 6AEF.tmp 105 PID 3112 wrote to memory of 2900 3112 6AEF.tmp 105 PID 3112 wrote to memory of 2900 3112 6AEF.tmp 105 PID 2900 wrote to memory of 3912 2900 6B3D.tmp 106 PID 2900 wrote to memory of 3912 2900 6B3D.tmp 106 PID 2900 wrote to memory of 3912 2900 6B3D.tmp 106 PID 3912 wrote to memory of 4628 3912 6BAA.tmp 107 PID 3912 wrote to memory of 4628 3912 6BAA.tmp 107 PID 3912 wrote to memory of 4628 3912 6BAA.tmp 107 PID 4628 wrote to memory of 3828 4628 6C18.tmp 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-12_a51b45ce4fd6755104909c518017bb96_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Users\Admin\AppData\Local\Temp\6419.tmp"C:\Users\Admin\AppData\Local\Temp\6419.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\6486.tmp"C:\Users\Admin\AppData\Local\Temp\6486.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\6503.tmp"C:\Users\Admin\AppData\Local\Temp\6503.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\6571.tmp"C:\Users\Admin\AppData\Local\Temp\6571.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\65DE.tmp"C:\Users\Admin\AppData\Local\Temp\65DE.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\662C.tmp"C:\Users\Admin\AppData\Local\Temp\662C.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Users\Admin\AppData\Local\Temp\667A.tmp"C:\Users\Admin\AppData\Local\Temp\667A.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\66F7.tmp"C:\Users\Admin\AppData\Local\Temp\66F7.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\6765.tmp"C:\Users\Admin\AppData\Local\Temp\6765.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\67C2.tmp"C:\Users\Admin\AppData\Local\Temp\67C2.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\6820.tmp"C:\Users\Admin\AppData\Local\Temp\6820.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\687E.tmp"C:\Users\Admin\AppData\Local\Temp\687E.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\68DC.tmp"C:\Users\Admin\AppData\Local\Temp\68DC.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\6939.tmp"C:\Users\Admin\AppData\Local\Temp\6939.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\69A7.tmp"C:\Users\Admin\AppData\Local\Temp\69A7.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\6A24.tmp"C:\Users\Admin\AppData\Local\Temp\6A24.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\6A91.tmp"C:\Users\Admin\AppData\Local\Temp\6A91.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp"C:\Users\Admin\AppData\Local\Temp\6AEF.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\6C18.tmp"C:\Users\Admin\AppData\Local\Temp\6C18.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\6C66.tmp"C:\Users\Admin\AppData\Local\Temp\6C66.tmp"23⤵
- Executes dropped EXE
PID:3828 -
C:\Users\Admin\AppData\Local\Temp\6CC4.tmp"C:\Users\Admin\AppData\Local\Temp\6CC4.tmp"24⤵
- Executes dropped EXE
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\6D31.tmp"C:\Users\Admin\AppData\Local\Temp\6D31.tmp"25⤵
- Executes dropped EXE
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\6D9E.tmp"C:\Users\Admin\AppData\Local\Temp\6D9E.tmp"26⤵
- Executes dropped EXE
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"27⤵
- Executes dropped EXE
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\6E5A.tmp"C:\Users\Admin\AppData\Local\Temp\6E5A.tmp"28⤵
- Executes dropped EXE
PID:760 -
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"29⤵
- Executes dropped EXE
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\6F06.tmp"C:\Users\Admin\AppData\Local\Temp\6F06.tmp"30⤵
- Executes dropped EXE
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\6F54.tmp"C:\Users\Admin\AppData\Local\Temp\6F54.tmp"31⤵
- Executes dropped EXE
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\6FB2.tmp"C:\Users\Admin\AppData\Local\Temp\6FB2.tmp"32⤵
- Executes dropped EXE
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\700F.tmp"C:\Users\Admin\AppData\Local\Temp\700F.tmp"33⤵
- Executes dropped EXE
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\706D.tmp"C:\Users\Admin\AppData\Local\Temp\706D.tmp"34⤵
- Executes dropped EXE
PID:3388 -
C:\Users\Admin\AppData\Local\Temp\70CB.tmp"C:\Users\Admin\AppData\Local\Temp\70CB.tmp"35⤵
- Executes dropped EXE
PID:920 -
C:\Users\Admin\AppData\Local\Temp\7129.tmp"C:\Users\Admin\AppData\Local\Temp\7129.tmp"36⤵
- Executes dropped EXE
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\7186.tmp"C:\Users\Admin\AppData\Local\Temp\7186.tmp"37⤵
- Executes dropped EXE
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\71D4.tmp"C:\Users\Admin\AppData\Local\Temp\71D4.tmp"38⤵
- Executes dropped EXE
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\7251.tmp"C:\Users\Admin\AppData\Local\Temp\7251.tmp"39⤵
- Executes dropped EXE
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\72AF.tmp"C:\Users\Admin\AppData\Local\Temp\72AF.tmp"40⤵
- Executes dropped EXE
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\730D.tmp"C:\Users\Admin\AppData\Local\Temp\730D.tmp"41⤵
- Executes dropped EXE
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\735B.tmp"C:\Users\Admin\AppData\Local\Temp\735B.tmp"42⤵
- Executes dropped EXE
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\73A9.tmp"C:\Users\Admin\AppData\Local\Temp\73A9.tmp"43⤵
- Executes dropped EXE
PID:1028 -
C:\Users\Admin\AppData\Local\Temp\73F7.tmp"C:\Users\Admin\AppData\Local\Temp\73F7.tmp"44⤵
- Executes dropped EXE
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\7455.tmp"C:\Users\Admin\AppData\Local\Temp\7455.tmp"45⤵
- Executes dropped EXE
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\74B3.tmp"C:\Users\Admin\AppData\Local\Temp\74B3.tmp"46⤵
- Executes dropped EXE
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\7501.tmp"C:\Users\Admin\AppData\Local\Temp\7501.tmp"47⤵
- Executes dropped EXE
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\755F.tmp"C:\Users\Admin\AppData\Local\Temp\755F.tmp"48⤵
- Executes dropped EXE
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\75AD.tmp"C:\Users\Admin\AppData\Local\Temp\75AD.tmp"49⤵
- Executes dropped EXE
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\75FB.tmp"C:\Users\Admin\AppData\Local\Temp\75FB.tmp"50⤵
- Executes dropped EXE
PID:3176 -
C:\Users\Admin\AppData\Local\Temp\7659.tmp"C:\Users\Admin\AppData\Local\Temp\7659.tmp"51⤵
- Executes dropped EXE
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\76B6.tmp"C:\Users\Admin\AppData\Local\Temp\76B6.tmp"52⤵
- Executes dropped EXE
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\7724.tmp"C:\Users\Admin\AppData\Local\Temp\7724.tmp"53⤵
- Executes dropped EXE
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\7772.tmp"C:\Users\Admin\AppData\Local\Temp\7772.tmp"54⤵
- Executes dropped EXE
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\77D0.tmp"C:\Users\Admin\AppData\Local\Temp\77D0.tmp"55⤵
- Executes dropped EXE
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\782D.tmp"C:\Users\Admin\AppData\Local\Temp\782D.tmp"56⤵
- Executes dropped EXE
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\788B.tmp"C:\Users\Admin\AppData\Local\Temp\788B.tmp"57⤵
- Executes dropped EXE
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\78E9.tmp"C:\Users\Admin\AppData\Local\Temp\78E9.tmp"58⤵
- Executes dropped EXE
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\7947.tmp"C:\Users\Admin\AppData\Local\Temp\7947.tmp"59⤵
- Executes dropped EXE
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\79A4.tmp"C:\Users\Admin\AppData\Local\Temp\79A4.tmp"60⤵
- Executes dropped EXE
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\7A02.tmp"C:\Users\Admin\AppData\Local\Temp\7A02.tmp"61⤵
- Executes dropped EXE
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\7A60.tmp"C:\Users\Admin\AppData\Local\Temp\7A60.tmp"62⤵
- Executes dropped EXE
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"63⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"64⤵
- Executes dropped EXE
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\7B89.tmp"C:\Users\Admin\AppData\Local\Temp\7B89.tmp"65⤵
- Executes dropped EXE
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\7BD7.tmp"C:\Users\Admin\AppData\Local\Temp\7BD7.tmp"66⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\7C35.tmp"C:\Users\Admin\AppData\Local\Temp\7C35.tmp"67⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\7C83.tmp"C:\Users\Admin\AppData\Local\Temp\7C83.tmp"68⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"69⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\7D3E.tmp"C:\Users\Admin\AppData\Local\Temp\7D3E.tmp"70⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\7D9C.tmp"C:\Users\Admin\AppData\Local\Temp\7D9C.tmp"71⤵
- System Location Discovery: System Language Discovery
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\7DEA.tmp"C:\Users\Admin\AppData\Local\Temp\7DEA.tmp"72⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\7E48.tmp"C:\Users\Admin\AppData\Local\Temp\7E48.tmp"73⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\7E96.tmp"C:\Users\Admin\AppData\Local\Temp\7E96.tmp"74⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\7EF4.tmp"C:\Users\Admin\AppData\Local\Temp\7EF4.tmp"75⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\7F52.tmp"C:\Users\Admin\AppData\Local\Temp\7F52.tmp"76⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"77⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"78⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\805B.tmp"C:\Users\Admin\AppData\Local\Temp\805B.tmp"79⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\80A9.tmp"C:\Users\Admin\AppData\Local\Temp\80A9.tmp"80⤵PID:3860
-
C:\Users\Admin\AppData\Local\Temp\8107.tmp"C:\Users\Admin\AppData\Local\Temp\8107.tmp"81⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\8155.tmp"C:\Users\Admin\AppData\Local\Temp\8155.tmp"82⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\81B3.tmp"C:\Users\Admin\AppData\Local\Temp\81B3.tmp"83⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\8201.tmp"C:\Users\Admin\AppData\Local\Temp\8201.tmp"84⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\826E.tmp"C:\Users\Admin\AppData\Local\Temp\826E.tmp"85⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\82BD.tmp"C:\Users\Admin\AppData\Local\Temp\82BD.tmp"86⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\831A.tmp"C:\Users\Admin\AppData\Local\Temp\831A.tmp"87⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\8378.tmp"C:\Users\Admin\AppData\Local\Temp\8378.tmp"88⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\83D6.tmp"C:\Users\Admin\AppData\Local\Temp\83D6.tmp"89⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\8424.tmp"C:\Users\Admin\AppData\Local\Temp\8424.tmp"90⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\8482.tmp"C:\Users\Admin\AppData\Local\Temp\8482.tmp"91⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\84D0.tmp"C:\Users\Admin\AppData\Local\Temp\84D0.tmp"92⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\852E.tmp"C:\Users\Admin\AppData\Local\Temp\852E.tmp"93⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\858B.tmp"C:\Users\Admin\AppData\Local\Temp\858B.tmp"94⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\85E9.tmp"C:\Users\Admin\AppData\Local\Temp\85E9.tmp"95⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\8647.tmp"C:\Users\Admin\AppData\Local\Temp\8647.tmp"96⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\86A5.tmp"C:\Users\Admin\AppData\Local\Temp\86A5.tmp"97⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\8702.tmp"C:\Users\Admin\AppData\Local\Temp\8702.tmp"98⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\8760.tmp"C:\Users\Admin\AppData\Local\Temp\8760.tmp"99⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\87BE.tmp"C:\Users\Admin\AppData\Local\Temp\87BE.tmp"100⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\881C.tmp"C:\Users\Admin\AppData\Local\Temp\881C.tmp"101⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\886A.tmp"C:\Users\Admin\AppData\Local\Temp\886A.tmp"102⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\88C7.tmp"C:\Users\Admin\AppData\Local\Temp\88C7.tmp"103⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\8916.tmp"C:\Users\Admin\AppData\Local\Temp\8916.tmp"104⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\8973.tmp"C:\Users\Admin\AppData\Local\Temp\8973.tmp"105⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\89C1.tmp"C:\Users\Admin\AppData\Local\Temp\89C1.tmp"106⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\8A10.tmp"C:\Users\Admin\AppData\Local\Temp\8A10.tmp"107⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\8A6D.tmp"C:\Users\Admin\AppData\Local\Temp\8A6D.tmp"108⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\8ACB.tmp"C:\Users\Admin\AppData\Local\Temp\8ACB.tmp"109⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\8B29.tmp"C:\Users\Admin\AppData\Local\Temp\8B29.tmp"110⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\8B87.tmp"C:\Users\Admin\AppData\Local\Temp\8B87.tmp"111⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\8BD5.tmp"C:\Users\Admin\AppData\Local\Temp\8BD5.tmp"112⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\8C32.tmp"C:\Users\Admin\AppData\Local\Temp\8C32.tmp"113⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\8C81.tmp"C:\Users\Admin\AppData\Local\Temp\8C81.tmp"114⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\8CCF.tmp"C:\Users\Admin\AppData\Local\Temp\8CCF.tmp"115⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\8D2C.tmp"C:\Users\Admin\AppData\Local\Temp\8D2C.tmp"116⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\8D7B.tmp"C:\Users\Admin\AppData\Local\Temp\8D7B.tmp"117⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"118⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\8E36.tmp"C:\Users\Admin\AppData\Local\Temp\8E36.tmp"119⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\8E84.tmp"C:\Users\Admin\AppData\Local\Temp\8E84.tmp"120⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"121⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\8F30.tmp"C:\Users\Admin\AppData\Local\Temp\8F30.tmp"122⤵PID:2120
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-