Analysis
-
max time kernel
150s -
max time network
115s -
platform
windows11-21h2_x64 -
resource
win11-20250619-en -
resource tags
arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
03/07/2025, 05:54
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-03_729ea0425fc484b90ee6baf29551b2c7_elex_mafia_stealc_tofsee.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-07-03_729ea0425fc484b90ee6baf29551b2c7_elex_mafia_stealc_tofsee.exe
Resource
win11-20250619-en
General
-
Target
2025-07-03_729ea0425fc484b90ee6baf29551b2c7_elex_mafia_stealc_tofsee.exe
-
Size
712KB
-
MD5
729ea0425fc484b90ee6baf29551b2c7
-
SHA1
bf45229adb2d63c31203fcf0cd3c77605ddf129e
-
SHA256
ad24fd5b98fbb81ae83b8157d5ce77f660feca62e858df2c6a3214a32282ee47
-
SHA512
b360096b29d85ea3d8f57f1f06d3df56d5df9b5304ceb9f53e86c64149228e8d92f9440c24317f640f46668820b981c53ec7dc02224656597e7c2593c3ceaa98
-
SSDEEP
12288:FU5rCOTeiDSyIfI2ddBDSQ4FLENZdCvq5TJLCvY90D8/LVBlVk736Y79GWzNbA:FUQOJDStteFLENnCvq5TJLCvY90D8/L5
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_729ea0425fc484b90ee6baf29551b2c7_elex_mafia_stealc_tofsee.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_729ea0425fc484b90ee6baf29551b2c7_elex_mafia_stealc_tofsee.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5396 -
C:\Users\Admin\AppData\Local\Temp\67AE.tmp"C:\Users\Admin\AppData\Local\Temp\67AE.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5876 -
C:\Users\Admin\AppData\Local\Temp\681B.tmp"C:\Users\Admin\AppData\Local\Temp\681B.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\68C7.tmp"C:\Users\Admin\AppData\Local\Temp\68C7.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\6915.tmp"C:\Users\Admin\AppData\Local\Temp\6915.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Users\Admin\AppData\Local\Temp\69C1.tmp"C:\Users\Admin\AppData\Local\Temp\69C1.tmp"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\6A3E.tmp"C:\Users\Admin\AppData\Local\Temp\6A3E.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\6ACB.tmp"C:\Users\Admin\AppData\Local\Temp\6ACB.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\6B57.tmp"C:\Users\Admin\AppData\Local\Temp\6B57.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\6BF4.tmp"C:\Users\Admin\AppData\Local\Temp\6BF4.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\6C71.tmp"C:\Users\Admin\AppData\Local\Temp\6C71.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\6CDE.tmp"C:\Users\Admin\AppData\Local\Temp\6CDE.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5156 -
C:\Users\Admin\AppData\Local\Temp\6D4B.tmp"C:\Users\Admin\AppData\Local\Temp\6D4B.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\6DC8.tmp"C:\Users\Admin\AppData\Local\Temp\6DC8.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\6E45.tmp"C:\Users\Admin\AppData\Local\Temp\6E45.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\6EC2.tmp"C:\Users\Admin\AppData\Local\Temp\6EC2.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\6F3F.tmp"C:\Users\Admin\AppData\Local\Temp\6F3F.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\6FBC.tmp"C:\Users\Admin\AppData\Local\Temp\6FBC.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Users\Admin\AppData\Local\Temp\7049.tmp"C:\Users\Admin\AppData\Local\Temp\7049.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Users\Admin\AppData\Local\Temp\70B6.tmp"C:\Users\Admin\AppData\Local\Temp\70B6.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\7114.tmp"C:\Users\Admin\AppData\Local\Temp\7114.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Users\Admin\AppData\Local\Temp\7172.tmp"C:\Users\Admin\AppData\Local\Temp\7172.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\71D0.tmp"C:\Users\Admin\AppData\Local\Temp\71D0.tmp"23⤵
- Executes dropped EXE
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\724D.tmp"C:\Users\Admin\AppData\Local\Temp\724D.tmp"24⤵
- Executes dropped EXE
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\72AA.tmp"C:\Users\Admin\AppData\Local\Temp\72AA.tmp"25⤵
- Executes dropped EXE
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\7327.tmp"C:\Users\Admin\AppData\Local\Temp\7327.tmp"26⤵
- Executes dropped EXE
PID:5720 -
C:\Users\Admin\AppData\Local\Temp\7385.tmp"C:\Users\Admin\AppData\Local\Temp\7385.tmp"27⤵
- Executes dropped EXE
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\7412.tmp"C:\Users\Admin\AppData\Local\Temp\7412.tmp"28⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\7470.tmp"C:\Users\Admin\AppData\Local\Temp\7470.tmp"29⤵
- Executes dropped EXE
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\74FC.tmp"C:\Users\Admin\AppData\Local\Temp\74FC.tmp"30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:772 -
C:\Users\Admin\AppData\Local\Temp\755A.tmp"C:\Users\Admin\AppData\Local\Temp\755A.tmp"31⤵
- Executes dropped EXE
PID:5940 -
C:\Users\Admin\AppData\Local\Temp\75A8.tmp"C:\Users\Admin\AppData\Local\Temp\75A8.tmp"32⤵
- Executes dropped EXE
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\7606.tmp"C:\Users\Admin\AppData\Local\Temp\7606.tmp"33⤵
- Executes dropped EXE
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\76A2.tmp"C:\Users\Admin\AppData\Local\Temp\76A2.tmp"34⤵
- Executes dropped EXE
PID:5324 -
C:\Users\Admin\AppData\Local\Temp\76F0.tmp"C:\Users\Admin\AppData\Local\Temp\76F0.tmp"35⤵
- Executes dropped EXE
PID:5276 -
C:\Users\Admin\AppData\Local\Temp\773E.tmp"C:\Users\Admin\AppData\Local\Temp\773E.tmp"36⤵
- Executes dropped EXE
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\779C.tmp"C:\Users\Admin\AppData\Local\Temp\779C.tmp"37⤵
- Executes dropped EXE
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\77EA.tmp"C:\Users\Admin\AppData\Local\Temp\77EA.tmp"38⤵
- Executes dropped EXE
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\7838.tmp"C:\Users\Admin\AppData\Local\Temp\7838.tmp"39⤵
- Executes dropped EXE
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\7886.tmp"C:\Users\Admin\AppData\Local\Temp\7886.tmp"40⤵
- Executes dropped EXE
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\78E4.tmp"C:\Users\Admin\AppData\Local\Temp\78E4.tmp"41⤵
- Executes dropped EXE
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\7942.tmp"C:\Users\Admin\AppData\Local\Temp\7942.tmp"42⤵
- Executes dropped EXE
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\79A0.tmp"C:\Users\Admin\AppData\Local\Temp\79A0.tmp"43⤵
- Executes dropped EXE
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\79EE.tmp"C:\Users\Admin\AppData\Local\Temp\79EE.tmp"44⤵
- Executes dropped EXE
PID:3564 -
C:\Users\Admin\AppData\Local\Temp\7A3C.tmp"C:\Users\Admin\AppData\Local\Temp\7A3C.tmp"45⤵
- Executes dropped EXE
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\7A9A.tmp"C:\Users\Admin\AppData\Local\Temp\7A9A.tmp"46⤵
- Executes dropped EXE
PID:5552 -
C:\Users\Admin\AppData\Local\Temp\7AF7.tmp"C:\Users\Admin\AppData\Local\Temp\7AF7.tmp"47⤵
- Executes dropped EXE
PID:5708 -
C:\Users\Admin\AppData\Local\Temp\7B55.tmp"C:\Users\Admin\AppData\Local\Temp\7B55.tmp"48⤵
- Executes dropped EXE
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\7BB3.tmp"C:\Users\Admin\AppData\Local\Temp\7BB3.tmp"49⤵
- Executes dropped EXE
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\7C01.tmp"C:\Users\Admin\AppData\Local\Temp\7C01.tmp"50⤵
- Executes dropped EXE
PID:5360 -
C:\Users\Admin\AppData\Local\Temp\7C5F.tmp"C:\Users\Admin\AppData\Local\Temp\7C5F.tmp"51⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\7CAD.tmp"C:\Users\Admin\AppData\Local\Temp\7CAD.tmp"52⤵
- Executes dropped EXE
PID:5408 -
C:\Users\Admin\AppData\Local\Temp\7D0B.tmp"C:\Users\Admin\AppData\Local\Temp\7D0B.tmp"53⤵
- Executes dropped EXE
PID:3448 -
C:\Users\Admin\AppData\Local\Temp\7D68.tmp"C:\Users\Admin\AppData\Local\Temp\7D68.tmp"54⤵
- Executes dropped EXE
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\7DC6.tmp"C:\Users\Admin\AppData\Local\Temp\7DC6.tmp"55⤵
- Executes dropped EXE
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\7E24.tmp"C:\Users\Admin\AppData\Local\Temp\7E24.tmp"56⤵
- Executes dropped EXE
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\7E82.tmp"C:\Users\Admin\AppData\Local\Temp\7E82.tmp"57⤵
- Executes dropped EXE
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\7ED0.tmp"C:\Users\Admin\AppData\Local\Temp\7ED0.tmp"58⤵
- Executes dropped EXE
PID:5968 -
C:\Users\Admin\AppData\Local\Temp\7F1E.tmp"C:\Users\Admin\AppData\Local\Temp\7F1E.tmp"59⤵
- Executes dropped EXE
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\7F6C.tmp"C:\Users\Admin\AppData\Local\Temp\7F6C.tmp"60⤵
- Executes dropped EXE
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\7FCA.tmp"C:\Users\Admin\AppData\Local\Temp\7FCA.tmp"61⤵
- Executes dropped EXE
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\8018.tmp"C:\Users\Admin\AppData\Local\Temp\8018.tmp"62⤵
- Executes dropped EXE
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\8076.tmp"C:\Users\Admin\AppData\Local\Temp\8076.tmp"63⤵
- Executes dropped EXE
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\80D3.tmp"C:\Users\Admin\AppData\Local\Temp\80D3.tmp"64⤵
- Executes dropped EXE
PID:5664 -
C:\Users\Admin\AppData\Local\Temp\8131.tmp"C:\Users\Admin\AppData\Local\Temp\8131.tmp"65⤵
- Executes dropped EXE
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\818F.tmp"C:\Users\Admin\AppData\Local\Temp\818F.tmp"66⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\81DD.tmp"C:\Users\Admin\AppData\Local\Temp\81DD.tmp"67⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\823B.tmp"C:\Users\Admin\AppData\Local\Temp\823B.tmp"68⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\8289.tmp"C:\Users\Admin\AppData\Local\Temp\8289.tmp"69⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\82D7.tmp"C:\Users\Admin\AppData\Local\Temp\82D7.tmp"70⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\8335.tmp"C:\Users\Admin\AppData\Local\Temp\8335.tmp"71⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\8393.tmp"C:\Users\Admin\AppData\Local\Temp\8393.tmp"72⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\83E1.tmp"C:\Users\Admin\AppData\Local\Temp\83E1.tmp"73⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\842F.tmp"C:\Users\Admin\AppData\Local\Temp\842F.tmp"74⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\847D.tmp"C:\Users\Admin\AppData\Local\Temp\847D.tmp"75⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\84CB.tmp"C:\Users\Admin\AppData\Local\Temp\84CB.tmp"76⤵PID:5380
-
C:\Users\Admin\AppData\Local\Temp\8519.tmp"C:\Users\Admin\AppData\Local\Temp\8519.tmp"77⤵PID:132
-
C:\Users\Admin\AppData\Local\Temp\8567.tmp"C:\Users\Admin\AppData\Local\Temp\8567.tmp"78⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\85B5.tmp"C:\Users\Admin\AppData\Local\Temp\85B5.tmp"79⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\8613.tmp"C:\Users\Admin\AppData\Local\Temp\8613.tmp"80⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\8671.tmp"C:\Users\Admin\AppData\Local\Temp\8671.tmp"81⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\86BF.tmp"C:\Users\Admin\AppData\Local\Temp\86BF.tmp"82⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\870D.tmp"C:\Users\Admin\AppData\Local\Temp\870D.tmp"83⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\875B.tmp"C:\Users\Admin\AppData\Local\Temp\875B.tmp"84⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\87B9.tmp"C:\Users\Admin\AppData\Local\Temp\87B9.tmp"85⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\8807.tmp"C:\Users\Admin\AppData\Local\Temp\8807.tmp"86⤵
- System Location Discovery: System Language Discovery
PID:5172 -
C:\Users\Admin\AppData\Local\Temp\8865.tmp"C:\Users\Admin\AppData\Local\Temp\8865.tmp"87⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\88B3.tmp"C:\Users\Admin\AppData\Local\Temp\88B3.tmp"88⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\8901.tmp"C:\Users\Admin\AppData\Local\Temp\8901.tmp"89⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\894F.tmp"C:\Users\Admin\AppData\Local\Temp\894F.tmp"90⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\89AD.tmp"C:\Users\Admin\AppData\Local\Temp\89AD.tmp"91⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp"C:\Users\Admin\AppData\Local\Temp\8A0B.tmp"92⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\8A69.tmp"C:\Users\Admin\AppData\Local\Temp\8A69.tmp"93⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\8AB7.tmp"C:\Users\Admin\AppData\Local\Temp\8AB7.tmp"94⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\8B05.tmp"C:\Users\Admin\AppData\Local\Temp\8B05.tmp"95⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\8B63.tmp"C:\Users\Admin\AppData\Local\Temp\8B63.tmp"96⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\8BC0.tmp"C:\Users\Admin\AppData\Local\Temp\8BC0.tmp"97⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\8C1E.tmp"C:\Users\Admin\AppData\Local\Temp\8C1E.tmp"98⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\8C6C.tmp"C:\Users\Admin\AppData\Local\Temp\8C6C.tmp"99⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\8CCA.tmp"C:\Users\Admin\AppData\Local\Temp\8CCA.tmp"100⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\8D28.tmp"C:\Users\Admin\AppData\Local\Temp\8D28.tmp"101⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\8D85.tmp"C:\Users\Admin\AppData\Local\Temp\8D85.tmp"102⤵PID:4664
-
C:\Users\Admin\AppData\Local\Temp\8DD4.tmp"C:\Users\Admin\AppData\Local\Temp\8DD4.tmp"103⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\8E31.tmp"C:\Users\Admin\AppData\Local\Temp\8E31.tmp"104⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\8E7F.tmp"C:\Users\Admin\AppData\Local\Temp\8E7F.tmp"105⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\8ECE.tmp"C:\Users\Admin\AppData\Local\Temp\8ECE.tmp"106⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\8F2B.tmp"C:\Users\Admin\AppData\Local\Temp\8F2B.tmp"107⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\8F79.tmp"C:\Users\Admin\AppData\Local\Temp\8F79.tmp"108⤵PID:5580
-
C:\Users\Admin\AppData\Local\Temp\8FC8.tmp"C:\Users\Admin\AppData\Local\Temp\8FC8.tmp"109⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\9025.tmp"C:\Users\Admin\AppData\Local\Temp\9025.tmp"110⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\9083.tmp"C:\Users\Admin\AppData\Local\Temp\9083.tmp"111⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\90D1.tmp"C:\Users\Admin\AppData\Local\Temp\90D1.tmp"112⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\913F.tmp"C:\Users\Admin\AppData\Local\Temp\913F.tmp"113⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\918D.tmp"C:\Users\Admin\AppData\Local\Temp\918D.tmp"114⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\91DB.tmp"C:\Users\Admin\AppData\Local\Temp\91DB.tmp"115⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\9229.tmp"C:\Users\Admin\AppData\Local\Temp\9229.tmp"116⤵PID:5712
-
C:\Users\Admin\AppData\Local\Temp\9287.tmp"C:\Users\Admin\AppData\Local\Temp\9287.tmp"117⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\92D5.tmp"C:\Users\Admin\AppData\Local\Temp\92D5.tmp"118⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\9323.tmp"C:\Users\Admin\AppData\Local\Temp\9323.tmp"119⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\9381.tmp"C:\Users\Admin\AppData\Local\Temp\9381.tmp"120⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\93DE.tmp"C:\Users\Admin\AppData\Local\Temp\93DE.tmp"121⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\942D.tmp"C:\Users\Admin\AppData\Local\Temp\942D.tmp"122⤵PID:3104