Analysis
-
max time kernel
150s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 09:51
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe
-
Size
520KB
-
MD5
83e94fe242dc79c6b768645d7a1b527e
-
SHA1
c4c685440e77014d0284c049f2f9d2f1227af352
-
SHA256
31b1e972a2520980be1f643a2910f7be190453dc8ce5caa21a12be334783d7b1
-
SHA512
d50d2b8c947aa1a058c26ef85e53ea4572ce09df5b0eaadbf63080f0b5f2abf6ffe3fcd9a7b272ca3f8966afc56f4d35d9ec899b5b7c066478e0b182d7c05eb6
-
SSDEEP
12288:roRXOQjmOytS7/ZL/SAf9dwF7lC+dqtmF9FNZ:rogQ9yG/RT1dKC+dJF9FN
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2328 B57A.tmp 2788 B5D7.tmp 2936 B654.tmp 2132 B6D1.tmp 3068 B73E.tmp 1960 B7CB.tmp 2888 B847.tmp 2868 B8C4.tmp 2696 B903.tmp 2760 B960.tmp 872 B9AE.tmp 2764 BA1B.tmp 564 BA69.tmp 2028 BAE6.tmp 2680 BB34.tmp 2120 BB92.tmp 3012 BBE0.tmp 2148 BC1E.tmp 2628 BC8B.tmp 2084 BCCA.tmp 784 BD37.tmp 2892 BDC3.tmp 1248 BE02.tmp 1728 BE40.tmp 2216 BE7F.tmp 2236 BEBD.tmp 2556 BF0B.tmp 2480 BF49.tmp 2240 BF88.tmp 2252 BFC6.tmp 2208 C005.tmp 2380 C043.tmp 2036 C081.tmp 1552 C0CF.tmp 2588 C10E.tmp 1912 C14C.tmp 1768 C18B.tmp 1808 C1D9.tmp 1644 C217.tmp 1460 C255.tmp 760 C294.tmp 1928 C2D2.tmp 1744 C311.tmp 2672 C34F.tmp 1632 C38D.tmp 1020 C3CC.tmp 2368 C40A.tmp 2336 C449.tmp 2392 C487.tmp 2040 C4C5.tmp 1448 C504.tmp 3052 C542.tmp 1688 C581.tmp 2524 C5BF.tmp 2328 C5FD.tmp 2924 C63C.tmp 2968 C67A.tmp 2936 C6B9.tmp 2956 C6F7.tmp 2952 C735.tmp 2960 C774.tmp 3024 C7B2.tmp 2904 C7F1.tmp 2740 C82F.tmp -
Loads dropped DLL 64 IoCs
pid Process 1520 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 2328 B57A.tmp 2788 B5D7.tmp 2936 B654.tmp 2132 B6D1.tmp 3068 B73E.tmp 1960 B7CB.tmp 2888 B847.tmp 2868 B8C4.tmp 2696 B903.tmp 2760 B960.tmp 872 B9AE.tmp 2764 BA1B.tmp 564 BA69.tmp 2028 BAE6.tmp 2680 BB34.tmp 2120 BB92.tmp 3012 BBE0.tmp 2148 BC1E.tmp 2628 BC8B.tmp 2084 BCCA.tmp 784 BD37.tmp 2892 BDC3.tmp 1248 BE02.tmp 1728 BE40.tmp 2216 BE7F.tmp 2236 BEBD.tmp 2556 BF0B.tmp 2480 BF49.tmp 2240 BF88.tmp 2252 BFC6.tmp 2208 C005.tmp 2380 C043.tmp 2036 C081.tmp 1552 C0CF.tmp 2588 C10E.tmp 1912 C14C.tmp 1768 C18B.tmp 1808 C1D9.tmp 1644 C217.tmp 1460 C255.tmp 760 C294.tmp 1928 C2D2.tmp 1744 C311.tmp 2672 C34F.tmp 1632 C38D.tmp 1020 C3CC.tmp 2368 C40A.tmp 2336 C449.tmp 2392 C487.tmp 2040 C4C5.tmp 1448 C504.tmp 3052 C542.tmp 1688 C581.tmp 2524 C5BF.tmp 2328 C5FD.tmp 2924 C63C.tmp 2968 C67A.tmp 2936 C6B9.tmp 2956 C6F7.tmp 2952 C735.tmp 2960 C774.tmp 3024 C7B2.tmp 2904 C7F1.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 389D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9425.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6A57.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AA34.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CA8F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 32B4.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 978E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBB6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F8B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EDA9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D1E0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E4D3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1536.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3276.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9DB6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6ED9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 94E0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F4C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44FC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6A95.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AD21.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 780D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5CB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6E8B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 2328 1520 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 30 PID 1520 wrote to memory of 2328 1520 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 30 PID 1520 wrote to memory of 2328 1520 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 30 PID 1520 wrote to memory of 2328 1520 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 30 PID 2328 wrote to memory of 2788 2328 B57A.tmp 31 PID 2328 wrote to memory of 2788 2328 B57A.tmp 31 PID 2328 wrote to memory of 2788 2328 B57A.tmp 31 PID 2328 wrote to memory of 2788 2328 B57A.tmp 31 PID 2788 wrote to memory of 2936 2788 B5D7.tmp 32 PID 2788 wrote to memory of 2936 2788 B5D7.tmp 32 PID 2788 wrote to memory of 2936 2788 B5D7.tmp 32 PID 2788 wrote to memory of 2936 2788 B5D7.tmp 32 PID 2936 wrote to memory of 2132 2936 B654.tmp 33 PID 2936 wrote to memory of 2132 2936 B654.tmp 33 PID 2936 wrote to memory of 2132 2936 B654.tmp 33 PID 2936 wrote to memory of 2132 2936 B654.tmp 33 PID 2132 wrote to memory of 3068 2132 B6D1.tmp 34 PID 2132 wrote to memory of 3068 2132 B6D1.tmp 34 PID 2132 wrote to memory of 3068 2132 B6D1.tmp 34 PID 2132 wrote to memory of 3068 2132 B6D1.tmp 34 PID 3068 wrote to memory of 1960 3068 B73E.tmp 35 PID 3068 wrote to memory of 1960 3068 B73E.tmp 35 PID 3068 wrote to memory of 1960 3068 B73E.tmp 35 PID 3068 wrote to memory of 1960 3068 B73E.tmp 35 PID 1960 wrote to memory of 2888 1960 B7CB.tmp 36 PID 1960 wrote to memory of 2888 1960 B7CB.tmp 36 PID 1960 wrote to memory of 2888 1960 B7CB.tmp 36 PID 1960 wrote to memory of 2888 1960 B7CB.tmp 36 PID 2888 wrote to memory of 2868 2888 B847.tmp 37 PID 2888 wrote to memory of 2868 2888 B847.tmp 37 PID 2888 wrote to memory of 2868 2888 B847.tmp 37 PID 2888 wrote to memory of 2868 2888 B847.tmp 37 PID 2868 wrote to memory of 2696 2868 B8C4.tmp 38 PID 2868 wrote to memory of 2696 2868 B8C4.tmp 38 PID 2868 wrote to memory of 2696 2868 B8C4.tmp 38 PID 2868 wrote to memory of 2696 2868 B8C4.tmp 38 PID 2696 wrote to memory of 2760 2696 B903.tmp 39 PID 2696 wrote to memory of 2760 2696 B903.tmp 39 PID 2696 wrote to memory of 2760 2696 B903.tmp 39 PID 2696 wrote to memory of 2760 2696 B903.tmp 39 PID 2760 wrote to memory of 872 2760 B960.tmp 40 PID 2760 wrote to memory of 872 2760 B960.tmp 40 PID 2760 wrote to memory of 872 2760 B960.tmp 40 PID 2760 wrote to memory of 872 2760 B960.tmp 40 PID 872 wrote to memory of 2764 872 B9AE.tmp 41 PID 872 wrote to memory of 2764 872 B9AE.tmp 41 PID 872 wrote to memory of 2764 872 B9AE.tmp 41 PID 872 wrote to memory of 2764 872 B9AE.tmp 41 PID 2764 wrote to memory of 564 2764 BA1B.tmp 42 PID 2764 wrote to memory of 564 2764 BA1B.tmp 42 PID 2764 wrote to memory of 564 2764 BA1B.tmp 42 PID 2764 wrote to memory of 564 2764 BA1B.tmp 42 PID 564 wrote to memory of 2028 564 BA69.tmp 43 PID 564 wrote to memory of 2028 564 BA69.tmp 43 PID 564 wrote to memory of 2028 564 BA69.tmp 43 PID 564 wrote to memory of 2028 564 BA69.tmp 43 PID 2028 wrote to memory of 2680 2028 BAE6.tmp 44 PID 2028 wrote to memory of 2680 2028 BAE6.tmp 44 PID 2028 wrote to memory of 2680 2028 BAE6.tmp 44 PID 2028 wrote to memory of 2680 2028 BAE6.tmp 44 PID 2680 wrote to memory of 2120 2680 BB34.tmp 45 PID 2680 wrote to memory of 2120 2680 BB34.tmp 45 PID 2680 wrote to memory of 2120 2680 BB34.tmp 45 PID 2680 wrote to memory of 2120 2680 BB34.tmp 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\B57A.tmp"C:\Users\Admin\AppData\Local\Temp\B57A.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\B5D7.tmp"C:\Users\Admin\AppData\Local\Temp\B5D7.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\B654.tmp"C:\Users\Admin\AppData\Local\Temp\B654.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\B6D1.tmp"C:\Users\Admin\AppData\Local\Temp\B6D1.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\B73E.tmp"C:\Users\Admin\AppData\Local\Temp\B73E.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\B7CB.tmp"C:\Users\Admin\AppData\Local\Temp\B7CB.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\B847.tmp"C:\Users\Admin\AppData\Local\Temp\B847.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\B8C4.tmp"C:\Users\Admin\AppData\Local\Temp\B8C4.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\B903.tmp"C:\Users\Admin\AppData\Local\Temp\B903.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\B960.tmp"C:\Users\Admin\AppData\Local\Temp\B960.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\B9AE.tmp"C:\Users\Admin\AppData\Local\Temp\B9AE.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Users\Admin\AppData\Local\Temp\BA1B.tmp"C:\Users\Admin\AppData\Local\Temp\BA1B.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\BA69.tmp"C:\Users\Admin\AppData\Local\Temp\BA69.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Users\Admin\AppData\Local\Temp\BAE6.tmp"C:\Users\Admin\AppData\Local\Temp\BAE6.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\BB34.tmp"C:\Users\Admin\AppData\Local\Temp\BB34.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\BB92.tmp"C:\Users\Admin\AppData\Local\Temp\BB92.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\BBE0.tmp"C:\Users\Admin\AppData\Local\Temp\BBE0.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\BC1E.tmp"C:\Users\Admin\AppData\Local\Temp\BC1E.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\BC8B.tmp"C:\Users\Admin\AppData\Local\Temp\BC8B.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\BCCA.tmp"C:\Users\Admin\AppData\Local\Temp\BCCA.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\BD37.tmp"C:\Users\Admin\AppData\Local\Temp\BD37.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Users\Admin\AppData\Local\Temp\BDC3.tmp"C:\Users\Admin\AppData\Local\Temp\BDC3.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\BE02.tmp"C:\Users\Admin\AppData\Local\Temp\BE02.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\BE40.tmp"C:\Users\Admin\AppData\Local\Temp\BE40.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\BE7F.tmp"C:\Users\Admin\AppData\Local\Temp\BE7F.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\BEBD.tmp"C:\Users\Admin\AppData\Local\Temp\BEBD.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\BF0B.tmp"C:\Users\Admin\AppData\Local\Temp\BF0B.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\BF49.tmp"C:\Users\Admin\AppData\Local\Temp\BF49.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\BF88.tmp"C:\Users\Admin\AppData\Local\Temp\BF88.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\BFC6.tmp"C:\Users\Admin\AppData\Local\Temp\BFC6.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\C005.tmp"C:\Users\Admin\AppData\Local\Temp\C005.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\C043.tmp"C:\Users\Admin\AppData\Local\Temp\C043.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\C081.tmp"C:\Users\Admin\AppData\Local\Temp\C081.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\C0CF.tmp"C:\Users\Admin\AppData\Local\Temp\C0CF.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\C10E.tmp"C:\Users\Admin\AppData\Local\Temp\C10E.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\C14C.tmp"C:\Users\Admin\AppData\Local\Temp\C14C.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\C18B.tmp"C:\Users\Admin\AppData\Local\Temp\C18B.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\C1D9.tmp"C:\Users\Admin\AppData\Local\Temp\C1D9.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\C217.tmp"C:\Users\Admin\AppData\Local\Temp\C217.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\C255.tmp"C:\Users\Admin\AppData\Local\Temp\C255.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\C294.tmp"C:\Users\Admin\AppData\Local\Temp\C294.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Users\Admin\AppData\Local\Temp\C2D2.tmp"C:\Users\Admin\AppData\Local\Temp\C2D2.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\C311.tmp"C:\Users\Admin\AppData\Local\Temp\C311.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\C34F.tmp"C:\Users\Admin\AppData\Local\Temp\C34F.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\C38D.tmp"C:\Users\Admin\AppData\Local\Temp\C38D.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\C3CC.tmp"C:\Users\Admin\AppData\Local\Temp\C3CC.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\C40A.tmp"C:\Users\Admin\AppData\Local\Temp\C40A.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\C449.tmp"C:\Users\Admin\AppData\Local\Temp\C449.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\C487.tmp"C:\Users\Admin\AppData\Local\Temp\C487.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\C4C5.tmp"C:\Users\Admin\AppData\Local\Temp\C4C5.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\C504.tmp"C:\Users\Admin\AppData\Local\Temp\C504.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\C542.tmp"C:\Users\Admin\AppData\Local\Temp\C542.tmp"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\C581.tmp"C:\Users\Admin\AppData\Local\Temp\C581.tmp"54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\C5BF.tmp"C:\Users\Admin\AppData\Local\Temp\C5BF.tmp"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\C5FD.tmp"C:\Users\Admin\AppData\Local\Temp\C5FD.tmp"56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\C63C.tmp"C:\Users\Admin\AppData\Local\Temp\C63C.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\C67A.tmp"C:\Users\Admin\AppData\Local\Temp\C67A.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\C6B9.tmp"C:\Users\Admin\AppData\Local\Temp\C6B9.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\C6F7.tmp"C:\Users\Admin\AppData\Local\Temp\C6F7.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\C735.tmp"C:\Users\Admin\AppData\Local\Temp\C735.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\C774.tmp"C:\Users\Admin\AppData\Local\Temp\C774.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\C7B2.tmp"C:\Users\Admin\AppData\Local\Temp\C7B2.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\C7F1.tmp"C:\Users\Admin\AppData\Local\Temp\C7F1.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\C82F.tmp"C:\Users\Admin\AppData\Local\Temp\C82F.tmp"65⤵
- Executes dropped EXE
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\C87D.tmp"C:\Users\Admin\AppData\Local\Temp\C87D.tmp"66⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\C8BB.tmp"C:\Users\Admin\AppData\Local\Temp\C8BB.tmp"67⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\C8FA.tmp"C:\Users\Admin\AppData\Local\Temp\C8FA.tmp"68⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\C957.tmp"C:\Users\Admin\AppData\Local\Temp\C957.tmp"69⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\C9D4.tmp"C:\Users\Admin\AppData\Local\Temp\C9D4.tmp"70⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\CA32.tmp"C:\Users\Admin\AppData\Local\Temp\CA32.tmp"71⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\CA8F.tmp"C:\Users\Admin\AppData\Local\Temp\CA8F.tmp"72⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\CAFD.tmp"C:\Users\Admin\AppData\Local\Temp\CAFD.tmp"73⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\CB5A.tmp"C:\Users\Admin\AppData\Local\Temp\CB5A.tmp"74⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\CBB8.tmp"C:\Users\Admin\AppData\Local\Temp\CBB8.tmp"75⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\CBF6.tmp"C:\Users\Admin\AppData\Local\Temp\CBF6.tmp"76⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\CC73.tmp"C:\Users\Admin\AppData\Local\Temp\CC73.tmp"77⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\CCD1.tmp"C:\Users\Admin\AppData\Local\Temp\CCD1.tmp"78⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\CD1F.tmp"C:\Users\Admin\AppData\Local\Temp\CD1F.tmp"79⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\CD7C.tmp"C:\Users\Admin\AppData\Local\Temp\CD7C.tmp"80⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\CDE9.tmp"C:\Users\Admin\AppData\Local\Temp\CDE9.tmp"81⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\CE47.tmp"C:\Users\Admin\AppData\Local\Temp\CE47.tmp"82⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\CE95.tmp"C:\Users\Admin\AppData\Local\Temp\CE95.tmp"83⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\CED3.tmp"C:\Users\Admin\AppData\Local\Temp\CED3.tmp"84⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\CF21.tmp"C:\Users\Admin\AppData\Local\Temp\CF21.tmp"85⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\CF60.tmp"C:\Users\Admin\AppData\Local\Temp\CF60.tmp"86⤵PID:832
-
C:\Users\Admin\AppData\Local\Temp\CFAE.tmp"C:\Users\Admin\AppData\Local\Temp\CFAE.tmp"87⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\CFEC.tmp"C:\Users\Admin\AppData\Local\Temp\CFEC.tmp"88⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\D02B.tmp"C:\Users\Admin\AppData\Local\Temp\D02B.tmp"89⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\D069.tmp"C:\Users\Admin\AppData\Local\Temp\D069.tmp"90⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\D0A7.tmp"C:\Users\Admin\AppData\Local\Temp\D0A7.tmp"91⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\D0E6.tmp"C:\Users\Admin\AppData\Local\Temp\D0E6.tmp"92⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\D124.tmp"C:\Users\Admin\AppData\Local\Temp\D124.tmp"93⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\D163.tmp"C:\Users\Admin\AppData\Local\Temp\D163.tmp"94⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\D1A1.tmp"C:\Users\Admin\AppData\Local\Temp\D1A1.tmp"95⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\D1E0.tmp"C:\Users\Admin\AppData\Local\Temp\D1E0.tmp"96⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\D21E.tmp"C:\Users\Admin\AppData\Local\Temp\D21E.tmp"97⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\D25C.tmp"C:\Users\Admin\AppData\Local\Temp\D25C.tmp"98⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\D2AA.tmp"C:\Users\Admin\AppData\Local\Temp\D2AA.tmp"99⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\D2E9.tmp"C:\Users\Admin\AppData\Local\Temp\D2E9.tmp"100⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\D327.tmp"C:\Users\Admin\AppData\Local\Temp\D327.tmp"101⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\D366.tmp"C:\Users\Admin\AppData\Local\Temp\D366.tmp"102⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\D3B4.tmp"C:\Users\Admin\AppData\Local\Temp\D3B4.tmp"103⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\D402.tmp"C:\Users\Admin\AppData\Local\Temp\D402.tmp"104⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\D440.tmp"C:\Users\Admin\AppData\Local\Temp\D440.tmp"105⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\D47E.tmp"C:\Users\Admin\AppData\Local\Temp\D47E.tmp"106⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\D4BD.tmp"C:\Users\Admin\AppData\Local\Temp\D4BD.tmp"107⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\D50B.tmp"C:\Users\Admin\AppData\Local\Temp\D50B.tmp"108⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\D549.tmp"C:\Users\Admin\AppData\Local\Temp\D549.tmp"109⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\D588.tmp"C:\Users\Admin\AppData\Local\Temp\D588.tmp"110⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\D5C6.tmp"C:\Users\Admin\AppData\Local\Temp\D5C6.tmp"111⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\D614.tmp"C:\Users\Admin\AppData\Local\Temp\D614.tmp"112⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\D652.tmp"C:\Users\Admin\AppData\Local\Temp\D652.tmp"113⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\D691.tmp"C:\Users\Admin\AppData\Local\Temp\D691.tmp"114⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\D6CF.tmp"C:\Users\Admin\AppData\Local\Temp\D6CF.tmp"115⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\D70E.tmp"C:\Users\Admin\AppData\Local\Temp\D70E.tmp"116⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\D74C.tmp"C:\Users\Admin\AppData\Local\Temp\D74C.tmp"117⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\D78A.tmp"C:\Users\Admin\AppData\Local\Temp\D78A.tmp"118⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\D7D8.tmp"C:\Users\Admin\AppData\Local\Temp\D7D8.tmp"119⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\D817.tmp"C:\Users\Admin\AppData\Local\Temp\D817.tmp"120⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\D855.tmp"C:\Users\Admin\AppData\Local\Temp\D855.tmp"121⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\D894.tmp"C:\Users\Admin\AppData\Local\Temp\D894.tmp"122⤵PID:2968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-