Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 14:18
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe
-
Size
765KB
-
MD5
c7f79a222a552345d263627d6ac89598
-
SHA1
dc3936025dc3d25d5de0e5bdbe751615511e2781
-
SHA256
33c4d2f3da1a2321128fe77549cb8dcf98346f057120960e23c022fa9ccfafac
-
SHA512
89d549aa255fea66a04b880f5c1221eee290b600fa8b3052cac013f0a9c179d58a87c96dd9a8d99c9268b0fe3e4fdee91ef94f4a7075328d111c248d8c08662b
-
SSDEEP
12288:ZU5rCOTeiDgyQP9kIoC6UZAHPy7e9YhYKKpWhk3ZF5rn5rLOa54U5w5A:ZUQOJDsGIoC6cAHPy7e9Y3k3vh5Oa+Uf
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2684 4E5E.tmp 2836 4EAC.tmp 2888 4F39.tmp 2804 4FA6.tmp 2644 5013.tmp 2720 5071.tmp 2560 50BF.tmp 2628 511C.tmp 2816 5199.tmp 444 51F7.tmp 2252 5274.tmp 1208 52F0.tmp 2240 536D.tmp 2736 53FA.tmp 1952 5476.tmp 2060 54C4.tmp 2260 5532.tmp 2196 55BE.tmp 996 562B.tmp 2164 5698.tmp 968 5725.tmp 532 5792.tmp 1288 57FF.tmp 3036 584D.tmp 2088 588C.tmp 1840 58E9.tmp 1708 5928.tmp 1956 5976.tmp 3020 59B4.tmp 2428 5A02.tmp 2160 5A50.tmp 840 5B88.tmp 1508 5BD6.tmp 908 5C15.tmp 1052 5C63.tmp 2280 5CB1.tmp 2776 5CEF.tmp 2404 5D2D.tmp 1936 5D7B.tmp 2468 5DBA.tmp 1704 5DF8.tmp 2296 5E37.tmp 2472 5E75.tmp 844 5EB3.tmp 1428 5F01.tmp 1472 5F40.tmp 1948 601A.tmp 1292 6059.tmp 900 6097.tmp 304 60D5.tmp 1728 6114.tmp 1568 6162.tmp 2424 61A0.tmp 2760 61DF.tmp 2748 621D.tmp 2680 626B.tmp 2688 62A9.tmp 2564 62E8.tmp 2656 6326.tmp 2824 6365.tmp 2644 63A3.tmp 2556 63F1.tmp 2720 643F.tmp 2560 648D.tmp -
Loads dropped DLL 64 IoCs
pid Process 2236 2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe 2684 4E5E.tmp 2836 4EAC.tmp 2888 4F39.tmp 2804 4FA6.tmp 2644 5013.tmp 2720 5071.tmp 2560 50BF.tmp 2628 511C.tmp 2816 5199.tmp 444 51F7.tmp 2252 5274.tmp 1208 52F0.tmp 2240 536D.tmp 2736 53FA.tmp 1952 5476.tmp 2060 54C4.tmp 2260 5532.tmp 2196 55BE.tmp 996 562B.tmp 2164 5698.tmp 968 5725.tmp 532 5792.tmp 1288 57FF.tmp 3036 584D.tmp 2088 588C.tmp 1840 58E9.tmp 1708 5928.tmp 1956 5976.tmp 3020 59B4.tmp 2428 5A02.tmp 2160 5A50.tmp 840 5B88.tmp 1508 5BD6.tmp 908 5C15.tmp 1052 5C63.tmp 2280 5CB1.tmp 2776 5CEF.tmp 2404 5D2D.tmp 1936 5D7B.tmp 2468 5DBA.tmp 1704 5DF8.tmp 2296 5E37.tmp 2472 5E75.tmp 844 5EB3.tmp 1428 5F01.tmp 1472 5F40.tmp 1948 601A.tmp 1292 6059.tmp 900 6097.tmp 304 60D5.tmp 1728 6114.tmp 1568 6162.tmp 2424 61A0.tmp 2760 61DF.tmp 2748 621D.tmp 2680 626B.tmp 2688 62A9.tmp 2564 62E8.tmp 2656 6326.tmp 2824 6365.tmp 2644 63A3.tmp 2556 63F1.tmp 2720 643F.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62A9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9608.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A9B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2B26.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AF14.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CDE9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D24D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 37A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8334.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C33F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F2C8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ED6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3FED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5EB3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82E6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8DAF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1842.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CA13.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D9FA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62E8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B490.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E2A2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DD6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 77CF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8881.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF97.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F383.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2DF3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7B67.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9425.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2AE7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AD30.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D8C2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20CA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 67C8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B1D2.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 2684 2236 2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe 30 PID 2236 wrote to memory of 2684 2236 2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe 30 PID 2236 wrote to memory of 2684 2236 2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe 30 PID 2236 wrote to memory of 2684 2236 2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe 30 PID 2684 wrote to memory of 2836 2684 4E5E.tmp 31 PID 2684 wrote to memory of 2836 2684 4E5E.tmp 31 PID 2684 wrote to memory of 2836 2684 4E5E.tmp 31 PID 2684 wrote to memory of 2836 2684 4E5E.tmp 31 PID 2836 wrote to memory of 2888 2836 4EAC.tmp 32 PID 2836 wrote to memory of 2888 2836 4EAC.tmp 32 PID 2836 wrote to memory of 2888 2836 4EAC.tmp 32 PID 2836 wrote to memory of 2888 2836 4EAC.tmp 32 PID 2888 wrote to memory of 2804 2888 4F39.tmp 33 PID 2888 wrote to memory of 2804 2888 4F39.tmp 33 PID 2888 wrote to memory of 2804 2888 4F39.tmp 33 PID 2888 wrote to memory of 2804 2888 4F39.tmp 33 PID 2804 wrote to memory of 2644 2804 4FA6.tmp 34 PID 2804 wrote to memory of 2644 2804 4FA6.tmp 34 PID 2804 wrote to memory of 2644 2804 4FA6.tmp 34 PID 2804 wrote to memory of 2644 2804 4FA6.tmp 34 PID 2644 wrote to memory of 2720 2644 5013.tmp 35 PID 2644 wrote to memory of 2720 2644 5013.tmp 35 PID 2644 wrote to memory of 2720 2644 5013.tmp 35 PID 2644 wrote to memory of 2720 2644 5013.tmp 35 PID 2720 wrote to memory of 2560 2720 5071.tmp 36 PID 2720 wrote to memory of 2560 2720 5071.tmp 36 PID 2720 wrote to memory of 2560 2720 5071.tmp 36 PID 2720 wrote to memory of 2560 2720 5071.tmp 36 PID 2560 wrote to memory of 2628 2560 50BF.tmp 37 PID 2560 wrote to memory of 2628 2560 50BF.tmp 37 PID 2560 wrote to memory of 2628 2560 50BF.tmp 37 PID 2560 wrote to memory of 2628 2560 50BF.tmp 37 PID 2628 wrote to memory of 2816 2628 511C.tmp 38 PID 2628 wrote to memory of 2816 2628 511C.tmp 38 PID 2628 wrote to memory of 2816 2628 511C.tmp 38 PID 2628 wrote to memory of 2816 2628 511C.tmp 38 PID 2816 wrote to memory of 444 2816 5199.tmp 39 PID 2816 wrote to memory of 444 2816 5199.tmp 39 PID 2816 wrote to memory of 444 2816 5199.tmp 39 PID 2816 wrote to memory of 444 2816 5199.tmp 39 PID 444 wrote to memory of 2252 444 51F7.tmp 40 PID 444 wrote to memory of 2252 444 51F7.tmp 40 PID 444 wrote to memory of 2252 444 51F7.tmp 40 PID 444 wrote to memory of 2252 444 51F7.tmp 40 PID 2252 wrote to memory of 1208 2252 5274.tmp 41 PID 2252 wrote to memory of 1208 2252 5274.tmp 41 PID 2252 wrote to memory of 1208 2252 5274.tmp 41 PID 2252 wrote to memory of 1208 2252 5274.tmp 41 PID 1208 wrote to memory of 2240 1208 52F0.tmp 42 PID 1208 wrote to memory of 2240 1208 52F0.tmp 42 PID 1208 wrote to memory of 2240 1208 52F0.tmp 42 PID 1208 wrote to memory of 2240 1208 52F0.tmp 42 PID 2240 wrote to memory of 2736 2240 536D.tmp 43 PID 2240 wrote to memory of 2736 2240 536D.tmp 43 PID 2240 wrote to memory of 2736 2240 536D.tmp 43 PID 2240 wrote to memory of 2736 2240 536D.tmp 43 PID 2736 wrote to memory of 1952 2736 53FA.tmp 44 PID 2736 wrote to memory of 1952 2736 53FA.tmp 44 PID 2736 wrote to memory of 1952 2736 53FA.tmp 44 PID 2736 wrote to memory of 1952 2736 53FA.tmp 44 PID 1952 wrote to memory of 2060 1952 5476.tmp 45 PID 1952 wrote to memory of 2060 1952 5476.tmp 45 PID 1952 wrote to memory of 2060 1952 5476.tmp 45 PID 1952 wrote to memory of 2060 1952 5476.tmp 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-09_c7f79a222a552345d263627d6ac89598_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\4F39.tmp"C:\Users\Admin\AppData\Local\Temp\4F39.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\4FA6.tmp"C:\Users\Admin\AppData\Local\Temp\4FA6.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\5013.tmp"C:\Users\Admin\AppData\Local\Temp\5013.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\5071.tmp"C:\Users\Admin\AppData\Local\Temp\5071.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\50BF.tmp"C:\Users\Admin\AppData\Local\Temp\50BF.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\511C.tmp"C:\Users\Admin\AppData\Local\Temp\511C.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\5199.tmp"C:\Users\Admin\AppData\Local\Temp\5199.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\51F7.tmp"C:\Users\Admin\AppData\Local\Temp\51F7.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Users\Admin\AppData\Local\Temp\5274.tmp"C:\Users\Admin\AppData\Local\Temp\5274.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\52F0.tmp"C:\Users\Admin\AppData\Local\Temp\52F0.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\536D.tmp"C:\Users\Admin\AppData\Local\Temp\536D.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\53FA.tmp"C:\Users\Admin\AppData\Local\Temp\53FA.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\5476.tmp"C:\Users\Admin\AppData\Local\Temp\5476.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\54C4.tmp"C:\Users\Admin\AppData\Local\Temp\54C4.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\5532.tmp"C:\Users\Admin\AppData\Local\Temp\5532.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\55BE.tmp"C:\Users\Admin\AppData\Local\Temp\55BE.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\562B.tmp"C:\Users\Admin\AppData\Local\Temp\562B.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Users\Admin\AppData\Local\Temp\5698.tmp"C:\Users\Admin\AppData\Local\Temp\5698.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\5725.tmp"C:\Users\Admin\AppData\Local\Temp\5725.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Users\Admin\AppData\Local\Temp\5792.tmp"C:\Users\Admin\AppData\Local\Temp\5792.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Users\Admin\AppData\Local\Temp\57FF.tmp"C:\Users\Admin\AppData\Local\Temp\57FF.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Users\Admin\AppData\Local\Temp\584D.tmp"C:\Users\Admin\AppData\Local\Temp\584D.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\588C.tmp"C:\Users\Admin\AppData\Local\Temp\588C.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\58E9.tmp"C:\Users\Admin\AppData\Local\Temp\58E9.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\5928.tmp"C:\Users\Admin\AppData\Local\Temp\5928.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\5976.tmp"C:\Users\Admin\AppData\Local\Temp\5976.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\59B4.tmp"C:\Users\Admin\AppData\Local\Temp\59B4.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\5A02.tmp"C:\Users\Admin\AppData\Local\Temp\5A02.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\5A50.tmp"C:\Users\Admin\AppData\Local\Temp\5A50.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\5B88.tmp"C:\Users\Admin\AppData\Local\Temp\5B88.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Users\Admin\AppData\Local\Temp\5BD6.tmp"C:\Users\Admin\AppData\Local\Temp\5BD6.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\5C15.tmp"C:\Users\Admin\AppData\Local\Temp\5C15.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Users\Admin\AppData\Local\Temp\5C63.tmp"C:\Users\Admin\AppData\Local\Temp\5C63.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\5CB1.tmp"C:\Users\Admin\AppData\Local\Temp\5CB1.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\5CEF.tmp"C:\Users\Admin\AppData\Local\Temp\5CEF.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\5D2D.tmp"C:\Users\Admin\AppData\Local\Temp\5D2D.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\5D7B.tmp"C:\Users\Admin\AppData\Local\Temp\5D7B.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\5DBA.tmp"C:\Users\Admin\AppData\Local\Temp\5DBA.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\5DF8.tmp"C:\Users\Admin\AppData\Local\Temp\5DF8.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\5E37.tmp"C:\Users\Admin\AppData\Local\Temp\5E37.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\5E75.tmp"C:\Users\Admin\AppData\Local\Temp\5E75.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\5EB3.tmp"C:\Users\Admin\AppData\Local\Temp\5EB3.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:844 -
C:\Users\Admin\AppData\Local\Temp\5F01.tmp"C:\Users\Admin\AppData\Local\Temp\5F01.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\5F40.tmp"C:\Users\Admin\AppData\Local\Temp\5F40.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\601A.tmp"C:\Users\Admin\AppData\Local\Temp\601A.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\6059.tmp"C:\Users\Admin\AppData\Local\Temp\6059.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\6097.tmp"C:\Users\Admin\AppData\Local\Temp\6097.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Users\Admin\AppData\Local\Temp\60D5.tmp"C:\Users\Admin\AppData\Local\Temp\60D5.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Users\Admin\AppData\Local\Temp\6114.tmp"C:\Users\Admin\AppData\Local\Temp\6114.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\6162.tmp"C:\Users\Admin\AppData\Local\Temp\6162.tmp"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\61A0.tmp"C:\Users\Admin\AppData\Local\Temp\61A0.tmp"54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\61DF.tmp"C:\Users\Admin\AppData\Local\Temp\61DF.tmp"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\621D.tmp"C:\Users\Admin\AppData\Local\Temp\621D.tmp"56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\626B.tmp"C:\Users\Admin\AppData\Local\Temp\626B.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\62A9.tmp"C:\Users\Admin\AppData\Local\Temp\62A9.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\62E8.tmp"C:\Users\Admin\AppData\Local\Temp\62E8.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\6326.tmp"C:\Users\Admin\AppData\Local\Temp\6326.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\6365.tmp"C:\Users\Admin\AppData\Local\Temp\6365.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\63A3.tmp"C:\Users\Admin\AppData\Local\Temp\63A3.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\63F1.tmp"C:\Users\Admin\AppData\Local\Temp\63F1.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\643F.tmp"C:\Users\Admin\AppData\Local\Temp\643F.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\648D.tmp"C:\Users\Admin\AppData\Local\Temp\648D.tmp"65⤵
- Executes dropped EXE
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\64DB.tmp"C:\Users\Admin\AppData\Local\Temp\64DB.tmp"66⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\6519.tmp"C:\Users\Admin\AppData\Local\Temp\6519.tmp"67⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\6567.tmp"C:\Users\Admin\AppData\Local\Temp\6567.tmp"68⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\65A6.tmp"C:\Users\Admin\AppData\Local\Temp\65A6.tmp"69⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\65E4.tmp"C:\Users\Admin\AppData\Local\Temp\65E4.tmp"70⤵PID:444
-
C:\Users\Admin\AppData\Local\Temp\6623.tmp"C:\Users\Admin\AppData\Local\Temp\6623.tmp"71⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\6671.tmp"C:\Users\Admin\AppData\Local\Temp\6671.tmp"72⤵PID:108
-
C:\Users\Admin\AppData\Local\Temp\66BF.tmp"C:\Users\Admin\AppData\Local\Temp\66BF.tmp"73⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\670D.tmp"C:\Users\Admin\AppData\Local\Temp\670D.tmp"74⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\674B.tmp"C:\Users\Admin\AppData\Local\Temp\674B.tmp"75⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\6789.tmp"C:\Users\Admin\AppData\Local\Temp\6789.tmp"76⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\67C8.tmp"C:\Users\Admin\AppData\Local\Temp\67C8.tmp"77⤵
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\6816.tmp"C:\Users\Admin\AppData\Local\Temp\6816.tmp"78⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\6864.tmp"C:\Users\Admin\AppData\Local\Temp\6864.tmp"79⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\68A2.tmp"C:\Users\Admin\AppData\Local\Temp\68A2.tmp"80⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\68E1.tmp"C:\Users\Admin\AppData\Local\Temp\68E1.tmp"81⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\691F.tmp"C:\Users\Admin\AppData\Local\Temp\691F.tmp"82⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\695D.tmp"C:\Users\Admin\AppData\Local\Temp\695D.tmp"83⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\69AB.tmp"C:\Users\Admin\AppData\Local\Temp\69AB.tmp"84⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\69EA.tmp"C:\Users\Admin\AppData\Local\Temp\69EA.tmp"85⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\6A38.tmp"C:\Users\Admin\AppData\Local\Temp\6A38.tmp"86⤵PID:600
-
C:\Users\Admin\AppData\Local\Temp\6A86.tmp"C:\Users\Admin\AppData\Local\Temp\6A86.tmp"87⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\6AC4.tmp"C:\Users\Admin\AppData\Local\Temp\6AC4.tmp"88⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\6B03.tmp"C:\Users\Admin\AppData\Local\Temp\6B03.tmp"89⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\6B51.tmp"C:\Users\Admin\AppData\Local\Temp\6B51.tmp"90⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\6B8F.tmp"C:\Users\Admin\AppData\Local\Temp\6B8F.tmp"91⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\6BCD.tmp"C:\Users\Admin\AppData\Local\Temp\6BCD.tmp"92⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\6C0C.tmp"C:\Users\Admin\AppData\Local\Temp\6C0C.tmp"93⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\6C4A.tmp"C:\Users\Admin\AppData\Local\Temp\6C4A.tmp"94⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\6C89.tmp"C:\Users\Admin\AppData\Local\Temp\6C89.tmp"95⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\6CD7.tmp"C:\Users\Admin\AppData\Local\Temp\6CD7.tmp"96⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\6D15.tmp"C:\Users\Admin\AppData\Local\Temp\6D15.tmp"97⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\6D53.tmp"C:\Users\Admin\AppData\Local\Temp\6D53.tmp"98⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\6D92.tmp"C:\Users\Admin\AppData\Local\Temp\6D92.tmp"99⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\6DD0.tmp"C:\Users\Admin\AppData\Local\Temp\6DD0.tmp"100⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\6E0F.tmp"C:\Users\Admin\AppData\Local\Temp\6E0F.tmp"101⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\6E4D.tmp"C:\Users\Admin\AppData\Local\Temp\6E4D.tmp"102⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp"C:\Users\Admin\AppData\Local\Temp\6E8B.tmp"103⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\6ECA.tmp"C:\Users\Admin\AppData\Local\Temp\6ECA.tmp"104⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\6F08.tmp"C:\Users\Admin\AppData\Local\Temp\6F08.tmp"105⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\6F47.tmp"C:\Users\Admin\AppData\Local\Temp\6F47.tmp"106⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\6F85.tmp"C:\Users\Admin\AppData\Local\Temp\6F85.tmp"107⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\6FC3.tmp"C:\Users\Admin\AppData\Local\Temp\6FC3.tmp"108⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\6FF2.tmp"C:\Users\Admin\AppData\Local\Temp\6FF2.tmp"109⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\7031.tmp"C:\Users\Admin\AppData\Local\Temp\7031.tmp"110⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\707F.tmp"C:\Users\Admin\AppData\Local\Temp\707F.tmp"111⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\70BD.tmp"C:\Users\Admin\AppData\Local\Temp\70BD.tmp"112⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\70FB.tmp"C:\Users\Admin\AppData\Local\Temp\70FB.tmp"113⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\713A.tmp"C:\Users\Admin\AppData\Local\Temp\713A.tmp"114⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\7188.tmp"C:\Users\Admin\AppData\Local\Temp\7188.tmp"115⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\71C6.tmp"C:\Users\Admin\AppData\Local\Temp\71C6.tmp"116⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\7214.tmp"C:\Users\Admin\AppData\Local\Temp\7214.tmp"117⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\7253.tmp"C:\Users\Admin\AppData\Local\Temp\7253.tmp"118⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\72A1.tmp"C:\Users\Admin\AppData\Local\Temp\72A1.tmp"119⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\72DF.tmp"C:\Users\Admin\AppData\Local\Temp\72DF.tmp"120⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\732D.tmp"C:\Users\Admin\AppData\Local\Temp\732D.tmp"121⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\737B.tmp"C:\Users\Admin\AppData\Local\Temp\737B.tmp"122⤵PID:2716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-