Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-10-2024 19:49
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe
-
Size
486KB
-
MD5
d96e59d94b949ebc95180eb569d45432
-
SHA1
7771d8d9f8343acbc2e7871bb420d366bdbff325
-
SHA256
f1f279f62344b9e9370c1f6dc70a7defee2018a4388f792e747511cdb1fffc5d
-
SHA512
5c2f1041a7dc66b7402e9338e603e1faa4d7179383b8e66d4cfcaceb5d12dd5a89e833857fb551a21d26cace11750ff8784f7c957c5fb588eca29792341a1c9b
-
SSDEEP
12288:UU5rCOTeiDFlMtokvEwXPf0bsoknoSLKnXNZ:UUQOJDFC3VPf0bwLYXN
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2688 4672.tmp 2820 46EF.tmp 2692 475C.tmp 2940 47CA.tmp 2780 4837.tmp 2712 48A4.tmp 2544 4902.tmp 2612 497E.tmp 2596 49EC.tmp 1552 4A59.tmp 2900 4AA7.tmp 2288 4B14.tmp 1664 4B72.tmp 2348 4BCF.tmp 2812 4C3C.tmp 2088 4CB9.tmp 2868 4D36.tmp 3000 4DA3.tmp 1676 4DF1.tmp 2364 4E6E.tmp 532 4ECC.tmp 572 4F48.tmp 1408 4FA6.tmp 992 4FF4.tmp 596 5032.tmp 2316 5080.tmp 2176 50BF.tmp 2152 510D.tmp 3064 514B.tmp 2232 518A.tmp 2424 51C8.tmp 1284 5206.tmp 988 5245.tmp 2060 5293.tmp 876 52D1.tmp 1200 531F.tmp 1368 535E.tmp 708 539C.tmp 1456 53DA.tmp 2376 5428.tmp 1956 5467.tmp 1152 54A5.tmp 1032 54E4.tmp 2056 5532.tmp 2300 5570.tmp 1036 55BE.tmp 2276 55FC.tmp 3008 564A.tmp 1808 5689.tmp 1972 56C7.tmp 1424 5706.tmp 860 5754.tmp 3060 5792.tmp 2796 57D1.tmp 2816 580F.tmp 2880 584D.tmp 2820 588C.tmp 2768 58CA.tmp 2708 5909.tmp 2580 5947.tmp 2684 59A5.tmp 2592 59E3.tmp 2884 5A21.tmp 2604 5A60.tmp -
Loads dropped DLL 64 IoCs
pid Process 2640 2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe 2688 4672.tmp 2820 46EF.tmp 2692 475C.tmp 2940 47CA.tmp 2780 4837.tmp 2712 48A4.tmp 2544 4902.tmp 2612 497E.tmp 2596 49EC.tmp 1552 4A59.tmp 2900 4AA7.tmp 2288 4B14.tmp 1664 4B72.tmp 2348 4BCF.tmp 2812 4C3C.tmp 2088 4CB9.tmp 2868 4D36.tmp 3000 4DA3.tmp 1676 4DF1.tmp 2364 4E6E.tmp 532 4ECC.tmp 572 4F48.tmp 1408 4FA6.tmp 992 4FF4.tmp 596 5032.tmp 2316 5080.tmp 2176 50BF.tmp 2152 510D.tmp 3064 514B.tmp 2232 518A.tmp 2424 51C8.tmp 1284 5206.tmp 988 5245.tmp 2060 5293.tmp 876 52D1.tmp 1200 531F.tmp 1368 535E.tmp 708 539C.tmp 1456 53DA.tmp 2376 5428.tmp 1956 5467.tmp 1152 54A5.tmp 1032 54E4.tmp 2056 5532.tmp 2300 5570.tmp 1036 55BE.tmp 2276 55FC.tmp 3008 564A.tmp 1808 5689.tmp 1972 56C7.tmp 1424 5706.tmp 860 5754.tmp 3060 5792.tmp 2796 57D1.tmp 2816 580F.tmp 2880 584D.tmp 2820 588C.tmp 2768 58CA.tmp 2708 5909.tmp 2580 5947.tmp 2684 59A5.tmp 2592 59E3.tmp 2884 5A21.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2FE6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 691F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9CFB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D1B1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F7B7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24CF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C284.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FC88.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D03A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ECC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E762.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F8B1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A6E9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5B79.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9270.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C33F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E225.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 19E7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 451B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 59E3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3DBC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7C13.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F834.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E418.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8A65.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2688 2640 2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe 30 PID 2640 wrote to memory of 2688 2640 2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe 30 PID 2640 wrote to memory of 2688 2640 2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe 30 PID 2640 wrote to memory of 2688 2640 2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe 30 PID 2688 wrote to memory of 2820 2688 4672.tmp 31 PID 2688 wrote to memory of 2820 2688 4672.tmp 31 PID 2688 wrote to memory of 2820 2688 4672.tmp 31 PID 2688 wrote to memory of 2820 2688 4672.tmp 31 PID 2820 wrote to memory of 2692 2820 46EF.tmp 32 PID 2820 wrote to memory of 2692 2820 46EF.tmp 32 PID 2820 wrote to memory of 2692 2820 46EF.tmp 32 PID 2820 wrote to memory of 2692 2820 46EF.tmp 32 PID 2692 wrote to memory of 2940 2692 475C.tmp 33 PID 2692 wrote to memory of 2940 2692 475C.tmp 33 PID 2692 wrote to memory of 2940 2692 475C.tmp 33 PID 2692 wrote to memory of 2940 2692 475C.tmp 33 PID 2940 wrote to memory of 2780 2940 47CA.tmp 34 PID 2940 wrote to memory of 2780 2940 47CA.tmp 34 PID 2940 wrote to memory of 2780 2940 47CA.tmp 34 PID 2940 wrote to memory of 2780 2940 47CA.tmp 34 PID 2780 wrote to memory of 2712 2780 4837.tmp 35 PID 2780 wrote to memory of 2712 2780 4837.tmp 35 PID 2780 wrote to memory of 2712 2780 4837.tmp 35 PID 2780 wrote to memory of 2712 2780 4837.tmp 35 PID 2712 wrote to memory of 2544 2712 48A4.tmp 36 PID 2712 wrote to memory of 2544 2712 48A4.tmp 36 PID 2712 wrote to memory of 2544 2712 48A4.tmp 36 PID 2712 wrote to memory of 2544 2712 48A4.tmp 36 PID 2544 wrote to memory of 2612 2544 4902.tmp 37 PID 2544 wrote to memory of 2612 2544 4902.tmp 37 PID 2544 wrote to memory of 2612 2544 4902.tmp 37 PID 2544 wrote to memory of 2612 2544 4902.tmp 37 PID 2612 wrote to memory of 2596 2612 497E.tmp 38 PID 2612 wrote to memory of 2596 2612 497E.tmp 38 PID 2612 wrote to memory of 2596 2612 497E.tmp 38 PID 2612 wrote to memory of 2596 2612 497E.tmp 38 PID 2596 wrote to memory of 1552 2596 49EC.tmp 39 PID 2596 wrote to memory of 1552 2596 49EC.tmp 39 PID 2596 wrote to memory of 1552 2596 49EC.tmp 39 PID 2596 wrote to memory of 1552 2596 49EC.tmp 39 PID 1552 wrote to memory of 2900 1552 4A59.tmp 40 PID 1552 wrote to memory of 2900 1552 4A59.tmp 40 PID 1552 wrote to memory of 2900 1552 4A59.tmp 40 PID 1552 wrote to memory of 2900 1552 4A59.tmp 40 PID 2900 wrote to memory of 2288 2900 4AA7.tmp 41 PID 2900 wrote to memory of 2288 2900 4AA7.tmp 41 PID 2900 wrote to memory of 2288 2900 4AA7.tmp 41 PID 2900 wrote to memory of 2288 2900 4AA7.tmp 41 PID 2288 wrote to memory of 1664 2288 4B14.tmp 42 PID 2288 wrote to memory of 1664 2288 4B14.tmp 42 PID 2288 wrote to memory of 1664 2288 4B14.tmp 42 PID 2288 wrote to memory of 1664 2288 4B14.tmp 42 PID 1664 wrote to memory of 2348 1664 4B72.tmp 43 PID 1664 wrote to memory of 2348 1664 4B72.tmp 43 PID 1664 wrote to memory of 2348 1664 4B72.tmp 43 PID 1664 wrote to memory of 2348 1664 4B72.tmp 43 PID 2348 wrote to memory of 2812 2348 4BCF.tmp 44 PID 2348 wrote to memory of 2812 2348 4BCF.tmp 44 PID 2348 wrote to memory of 2812 2348 4BCF.tmp 44 PID 2348 wrote to memory of 2812 2348 4BCF.tmp 44 PID 2812 wrote to memory of 2088 2812 4C3C.tmp 45 PID 2812 wrote to memory of 2088 2812 4C3C.tmp 45 PID 2812 wrote to memory of 2088 2812 4C3C.tmp 45 PID 2812 wrote to memory of 2088 2812 4C3C.tmp 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-04_d96e59d94b949ebc95180eb569d45432_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\4672.tmp"C:\Users\Admin\AppData\Local\Temp\4672.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\46EF.tmp"C:\Users\Admin\AppData\Local\Temp\46EF.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\475C.tmp"C:\Users\Admin\AppData\Local\Temp\475C.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\47CA.tmp"C:\Users\Admin\AppData\Local\Temp\47CA.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\4837.tmp"C:\Users\Admin\AppData\Local\Temp\4837.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\48A4.tmp"C:\Users\Admin\AppData\Local\Temp\48A4.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\4902.tmp"C:\Users\Admin\AppData\Local\Temp\4902.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\497E.tmp"C:\Users\Admin\AppData\Local\Temp\497E.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\49EC.tmp"C:\Users\Admin\AppData\Local\Temp\49EC.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\4A59.tmp"C:\Users\Admin\AppData\Local\Temp\4A59.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\4AA7.tmp"C:\Users\Admin\AppData\Local\Temp\4AA7.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\4B14.tmp"C:\Users\Admin\AppData\Local\Temp\4B14.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\4B72.tmp"C:\Users\Admin\AppData\Local\Temp\4B72.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\4BCF.tmp"C:\Users\Admin\AppData\Local\Temp\4BCF.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\4C3C.tmp"C:\Users\Admin\AppData\Local\Temp\4C3C.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\4CB9.tmp"C:\Users\Admin\AppData\Local\Temp\4CB9.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\4D36.tmp"C:\Users\Admin\AppData\Local\Temp\4D36.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\4DA3.tmp"C:\Users\Admin\AppData\Local\Temp\4DA3.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\4DF1.tmp"C:\Users\Admin\AppData\Local\Temp\4DF1.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\4ECC.tmp"C:\Users\Admin\AppData\Local\Temp\4ECC.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:532 -
C:\Users\Admin\AppData\Local\Temp\4F48.tmp"C:\Users\Admin\AppData\Local\Temp\4F48.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Users\Admin\AppData\Local\Temp\4FA6.tmp"C:\Users\Admin\AppData\Local\Temp\4FA6.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\4FF4.tmp"C:\Users\Admin\AppData\Local\Temp\4FF4.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Users\Admin\AppData\Local\Temp\5032.tmp"C:\Users\Admin\AppData\Local\Temp\5032.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Users\Admin\AppData\Local\Temp\5080.tmp"C:\Users\Admin\AppData\Local\Temp\5080.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\50BF.tmp"C:\Users\Admin\AppData\Local\Temp\50BF.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\510D.tmp"C:\Users\Admin\AppData\Local\Temp\510D.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Users\Admin\AppData\Local\Temp\514B.tmp"C:\Users\Admin\AppData\Local\Temp\514B.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\518A.tmp"C:\Users\Admin\AppData\Local\Temp\518A.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\51C8.tmp"C:\Users\Admin\AppData\Local\Temp\51C8.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\5206.tmp"C:\Users\Admin\AppData\Local\Temp\5206.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\5245.tmp"C:\Users\Admin\AppData\Local\Temp\5245.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Users\Admin\AppData\Local\Temp\5293.tmp"C:\Users\Admin\AppData\Local\Temp\5293.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\52D1.tmp"C:\Users\Admin\AppData\Local\Temp\52D1.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Users\Admin\AppData\Local\Temp\531F.tmp"C:\Users\Admin\AppData\Local\Temp\531F.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\535E.tmp"C:\Users\Admin\AppData\Local\Temp\535E.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\539C.tmp"C:\Users\Admin\AppData\Local\Temp\539C.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Users\Admin\AppData\Local\Temp\53DA.tmp"C:\Users\Admin\AppData\Local\Temp\53DA.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\5428.tmp"C:\Users\Admin\AppData\Local\Temp\5428.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\5467.tmp"C:\Users\Admin\AppData\Local\Temp\5467.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\54A5.tmp"C:\Users\Admin\AppData\Local\Temp\54A5.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Users\Admin\AppData\Local\Temp\54E4.tmp"C:\Users\Admin\AppData\Local\Temp\54E4.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\5532.tmp"C:\Users\Admin\AppData\Local\Temp\5532.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\5570.tmp"C:\Users\Admin\AppData\Local\Temp\5570.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\55BE.tmp"C:\Users\Admin\AppData\Local\Temp\55BE.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\55FC.tmp"C:\Users\Admin\AppData\Local\Temp\55FC.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\564A.tmp"C:\Users\Admin\AppData\Local\Temp\564A.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\5689.tmp"C:\Users\Admin\AppData\Local\Temp\5689.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\56C7.tmp"C:\Users\Admin\AppData\Local\Temp\56C7.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\5706.tmp"C:\Users\Admin\AppData\Local\Temp\5706.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\5754.tmp"C:\Users\Admin\AppData\Local\Temp\5754.tmp"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Users\Admin\AppData\Local\Temp\5792.tmp"C:\Users\Admin\AppData\Local\Temp\5792.tmp"54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\57D1.tmp"C:\Users\Admin\AppData\Local\Temp\57D1.tmp"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\580F.tmp"C:\Users\Admin\AppData\Local\Temp\580F.tmp"56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\584D.tmp"C:\Users\Admin\AppData\Local\Temp\584D.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\588C.tmp"C:\Users\Admin\AppData\Local\Temp\588C.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\58CA.tmp"C:\Users\Admin\AppData\Local\Temp\58CA.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\5909.tmp"C:\Users\Admin\AppData\Local\Temp\5909.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\5947.tmp"C:\Users\Admin\AppData\Local\Temp\5947.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\59A5.tmp"C:\Users\Admin\AppData\Local\Temp\59A5.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\59E3.tmp"C:\Users\Admin\AppData\Local\Temp\59E3.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\5A21.tmp"C:\Users\Admin\AppData\Local\Temp\5A21.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\5A60.tmp"C:\Users\Admin\AppData\Local\Temp\5A60.tmp"65⤵
- Executes dropped EXE
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\5A9E.tmp"C:\Users\Admin\AppData\Local\Temp\5A9E.tmp"66⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\5AEC.tmp"C:\Users\Admin\AppData\Local\Temp\5AEC.tmp"67⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\5B2B.tmp"C:\Users\Admin\AppData\Local\Temp\5B2B.tmp"68⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\5B79.tmp"C:\Users\Admin\AppData\Local\Temp\5B79.tmp"69⤵
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Users\Admin\AppData\Local\Temp\5BB7.tmp"C:\Users\Admin\AppData\Local\Temp\5BB7.tmp"70⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\5BF5.tmp"C:\Users\Admin\AppData\Local\Temp\5BF5.tmp"71⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\5C34.tmp"C:\Users\Admin\AppData\Local\Temp\5C34.tmp"72⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\5C72.tmp"C:\Users\Admin\AppData\Local\Temp\5C72.tmp"73⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\5CB1.tmp"C:\Users\Admin\AppData\Local\Temp\5CB1.tmp"74⤵PID:664
-
C:\Users\Admin\AppData\Local\Temp\5CEF.tmp"C:\Users\Admin\AppData\Local\Temp\5CEF.tmp"75⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\5D2D.tmp"C:\Users\Admin\AppData\Local\Temp\5D2D.tmp"76⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\5D7B.tmp"C:\Users\Admin\AppData\Local\Temp\5D7B.tmp"77⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\5DBA.tmp"C:\Users\Admin\AppData\Local\Temp\5DBA.tmp"78⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\5DF8.tmp"C:\Users\Admin\AppData\Local\Temp\5DF8.tmp"79⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\5E37.tmp"C:\Users\Admin\AppData\Local\Temp\5E37.tmp"80⤵PID:2584
-
C:\Users\Admin\AppData\Local\Temp\5E85.tmp"C:\Users\Admin\AppData\Local\Temp\5E85.tmp"81⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\5EC3.tmp"C:\Users\Admin\AppData\Local\Temp\5EC3.tmp"82⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\5F11.tmp"C:\Users\Admin\AppData\Local\Temp\5F11.tmp"83⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\5F4F.tmp"C:\Users\Admin\AppData\Local\Temp\5F4F.tmp"84⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\5F8E.tmp"C:\Users\Admin\AppData\Local\Temp\5F8E.tmp"85⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\5FCC.tmp"C:\Users\Admin\AppData\Local\Temp\5FCC.tmp"86⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\601A.tmp"C:\Users\Admin\AppData\Local\Temp\601A.tmp"87⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\6059.tmp"C:\Users\Admin\AppData\Local\Temp\6059.tmp"88⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\60A7.tmp"C:\Users\Admin\AppData\Local\Temp\60A7.tmp"89⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\60E5.tmp"C:\Users\Admin\AppData\Local\Temp\60E5.tmp"90⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\6133.tmp"C:\Users\Admin\AppData\Local\Temp\6133.tmp"91⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\6171.tmp"C:\Users\Admin\AppData\Local\Temp\6171.tmp"92⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\61BF.tmp"C:\Users\Admin\AppData\Local\Temp\61BF.tmp"93⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\61FE.tmp"C:\Users\Admin\AppData\Local\Temp\61FE.tmp"94⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\623C.tmp"C:\Users\Admin\AppData\Local\Temp\623C.tmp"95⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\627B.tmp"C:\Users\Admin\AppData\Local\Temp\627B.tmp"96⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\62B9.tmp"C:\Users\Admin\AppData\Local\Temp\62B9.tmp"97⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\62F7.tmp"C:\Users\Admin\AppData\Local\Temp\62F7.tmp"98⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\6336.tmp"C:\Users\Admin\AppData\Local\Temp\6336.tmp"99⤵PID:988
-
C:\Users\Admin\AppData\Local\Temp\6374.tmp"C:\Users\Admin\AppData\Local\Temp\6374.tmp"100⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\63B3.tmp"C:\Users\Admin\AppData\Local\Temp\63B3.tmp"101⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\63F1.tmp"C:\Users\Admin\AppData\Local\Temp\63F1.tmp"102⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\643F.tmp"C:\Users\Admin\AppData\Local\Temp\643F.tmp"103⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\647D.tmp"C:\Users\Admin\AppData\Local\Temp\647D.tmp"104⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\64BC.tmp"C:\Users\Admin\AppData\Local\Temp\64BC.tmp"105⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\64FA.tmp"C:\Users\Admin\AppData\Local\Temp\64FA.tmp"106⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\6539.tmp"C:\Users\Admin\AppData\Local\Temp\6539.tmp"107⤵PID:856
-
C:\Users\Admin\AppData\Local\Temp\6577.tmp"C:\Users\Admin\AppData\Local\Temp\6577.tmp"108⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\65C5.tmp"C:\Users\Admin\AppData\Local\Temp\65C5.tmp"109⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\6603.tmp"C:\Users\Admin\AppData\Local\Temp\6603.tmp"110⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\6642.tmp"C:\Users\Admin\AppData\Local\Temp\6642.tmp"111⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\6680.tmp"C:\Users\Admin\AppData\Local\Temp\6680.tmp"112⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\66CE.tmp"C:\Users\Admin\AppData\Local\Temp\66CE.tmp"113⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\670D.tmp"C:\Users\Admin\AppData\Local\Temp\670D.tmp"114⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\675B.tmp"C:\Users\Admin\AppData\Local\Temp\675B.tmp"115⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\6799.tmp"C:\Users\Admin\AppData\Local\Temp\6799.tmp"116⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\67E7.tmp"C:\Users\Admin\AppData\Local\Temp\67E7.tmp"117⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\6825.tmp"C:\Users\Admin\AppData\Local\Temp\6825.tmp"118⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\6864.tmp"C:\Users\Admin\AppData\Local\Temp\6864.tmp"119⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\68A2.tmp"C:\Users\Admin\AppData\Local\Temp\68A2.tmp"120⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\68E1.tmp"C:\Users\Admin\AppData\Local\Temp\68E1.tmp"121⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\691F.tmp"C:\Users\Admin\AppData\Local\Temp\691F.tmp"122⤵
- System Location Discovery: System Language Discovery
PID:2140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-