Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 09:51
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe
-
Size
520KB
-
MD5
8d3d530832566588512b06d79e1379a2
-
SHA1
aae02a4848d889c8bd98fc9201ec3c9c43b00d89
-
SHA256
730524ea61a579131ef1b5d74f78a6b82e390408f72b32343e32ee93fb1bb647
-
SHA512
ed8cffa48960cb7fb499bbb6c20d77615d2fa248e679279e3fd05399df428f8527420ff0ad32daf9375eb0d7dbea21fe1a911a8e3a8bd32735ada03e54b96dc8
-
SSDEEP
12288:roRXOQjmOyVaejlkRzjZwENkuHxmzjGgNZ:rogQ9ybCjZEGgN
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2492 B471.tmp 2072 B4DE.tmp 1968 B54B.tmp 2516 B5B8.tmp 1996 B635.tmp 2652 B6B2.tmp 2708 B70F.tmp 2808 B77D.tmp 2788 B7DA.tmp 2852 B838.tmp 2908 B895.tmp 3012 B8F3.tmp 2560 B951.tmp 2636 B9BE.tmp 1976 BA1B.tmp 1328 BA89.tmp 836 BAE6.tmp 2084 BB44.tmp 2312 BBA1.tmp 1320 BC0F.tmp 500 BC5D.tmp 1288 BCCA.tmp 1932 BD27.tmp 2872 BD75.tmp 2648 BDB4.tmp 2888 BDF2.tmp 2656 BE40.tmp 2144 BE8E.tmp 2156 BECD.tmp 2916 BF1B.tmp 1080 BF59.tmp 1016 BF97.tmp 1660 BFD6.tmp 448 C014.tmp 848 C053.tmp 1720 C0A1.tmp 1860 C0DF.tmp 1640 C11D.tmp 1064 C15C.tmp 2088 C1AA.tmp 1520 C1E8.tmp 920 C227.tmp 2260 C275.tmp 488 C2B3.tmp 2124 C2F1.tmp 2244 C330.tmp 2960 C37E.tmp 2448 C3BC.tmp 1492 C3FB.tmp 1508 C439.tmp 2252 C477.tmp 2296 C4B6.tmp 2484 C552.tmp 2320 C590.tmp 2512 C5CF.tmp 1228 C60D.tmp 2372 C64B.tmp 2056 C68A.tmp 2516 C6C8.tmp 2248 C707.tmp 2128 C745.tmp 1748 C793.tmp 2816 C7E1.tmp 2716 C81F.tmp -
Loads dropped DLL 64 IoCs
pid Process 2484 2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe 2492 B471.tmp 2072 B4DE.tmp 1968 B54B.tmp 2516 B5B8.tmp 1996 B635.tmp 2652 B6B2.tmp 2708 B70F.tmp 2808 B77D.tmp 2788 B7DA.tmp 2852 B838.tmp 2908 B895.tmp 3012 B8F3.tmp 2560 B951.tmp 2636 B9BE.tmp 1976 BA1B.tmp 1328 BA89.tmp 836 BAE6.tmp 2084 BB44.tmp 2312 BBA1.tmp 1320 BC0F.tmp 500 BC5D.tmp 1288 BCCA.tmp 1932 BD27.tmp 2872 BD75.tmp 2648 BDB4.tmp 2888 BDF2.tmp 2656 BE40.tmp 2144 BE8E.tmp 2156 BECD.tmp 2916 BF1B.tmp 1080 BF59.tmp 1016 BF97.tmp 1660 BFD6.tmp 448 C014.tmp 848 C053.tmp 1720 C0A1.tmp 1860 C0DF.tmp 1640 C11D.tmp 1064 C15C.tmp 2088 C1AA.tmp 1520 C1E8.tmp 920 C227.tmp 2260 C275.tmp 488 C2B3.tmp 2124 C2F1.tmp 2244 C330.tmp 2960 C37E.tmp 2448 C3BC.tmp 1492 C3FB.tmp 1508 C439.tmp 2252 C477.tmp 1604 C4F4.tmp 2484 C552.tmp 2320 C590.tmp 2512 C5CF.tmp 1228 C60D.tmp 2372 C64B.tmp 2056 C68A.tmp 2516 C6C8.tmp 2248 C707.tmp 2128 C745.tmp 1748 C793.tmp 2816 C7E1.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4C2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2923.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F863.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F344.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1381.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5B98.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BA1B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F43E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5A21.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6365.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C1E8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9DB6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5570.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3C8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 566A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DE3E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AAC0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7159.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D059.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D681.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DD83.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3EE4.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6DA1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CC83.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 23C6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8A17.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6DE0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A6DA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 2492 2484 2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe 30 PID 2484 wrote to memory of 2492 2484 2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe 30 PID 2484 wrote to memory of 2492 2484 2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe 30 PID 2484 wrote to memory of 2492 2484 2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe 30 PID 2492 wrote to memory of 2072 2492 B471.tmp 31 PID 2492 wrote to memory of 2072 2492 B471.tmp 31 PID 2492 wrote to memory of 2072 2492 B471.tmp 31 PID 2492 wrote to memory of 2072 2492 B471.tmp 31 PID 2072 wrote to memory of 1968 2072 B4DE.tmp 32 PID 2072 wrote to memory of 1968 2072 B4DE.tmp 32 PID 2072 wrote to memory of 1968 2072 B4DE.tmp 32 PID 2072 wrote to memory of 1968 2072 B4DE.tmp 32 PID 1968 wrote to memory of 2516 1968 B54B.tmp 33 PID 1968 wrote to memory of 2516 1968 B54B.tmp 33 PID 1968 wrote to memory of 2516 1968 B54B.tmp 33 PID 1968 wrote to memory of 2516 1968 B54B.tmp 33 PID 2516 wrote to memory of 1996 2516 B5B8.tmp 34 PID 2516 wrote to memory of 1996 2516 B5B8.tmp 34 PID 2516 wrote to memory of 1996 2516 B5B8.tmp 34 PID 2516 wrote to memory of 1996 2516 B5B8.tmp 34 PID 1996 wrote to memory of 2652 1996 B635.tmp 35 PID 1996 wrote to memory of 2652 1996 B635.tmp 35 PID 1996 wrote to memory of 2652 1996 B635.tmp 35 PID 1996 wrote to memory of 2652 1996 B635.tmp 35 PID 2652 wrote to memory of 2708 2652 B6B2.tmp 36 PID 2652 wrote to memory of 2708 2652 B6B2.tmp 36 PID 2652 wrote to memory of 2708 2652 B6B2.tmp 36 PID 2652 wrote to memory of 2708 2652 B6B2.tmp 36 PID 2708 wrote to memory of 2808 2708 B70F.tmp 37 PID 2708 wrote to memory of 2808 2708 B70F.tmp 37 PID 2708 wrote to memory of 2808 2708 B70F.tmp 37 PID 2708 wrote to memory of 2808 2708 B70F.tmp 37 PID 2808 wrote to memory of 2788 2808 B77D.tmp 38 PID 2808 wrote to memory of 2788 2808 B77D.tmp 38 PID 2808 wrote to memory of 2788 2808 B77D.tmp 38 PID 2808 wrote to memory of 2788 2808 B77D.tmp 38 PID 2788 wrote to memory of 2852 2788 B7DA.tmp 39 PID 2788 wrote to memory of 2852 2788 B7DA.tmp 39 PID 2788 wrote to memory of 2852 2788 B7DA.tmp 39 PID 2788 wrote to memory of 2852 2788 B7DA.tmp 39 PID 2852 wrote to memory of 2908 2852 B838.tmp 40 PID 2852 wrote to memory of 2908 2852 B838.tmp 40 PID 2852 wrote to memory of 2908 2852 B838.tmp 40 PID 2852 wrote to memory of 2908 2852 B838.tmp 40 PID 2908 wrote to memory of 3012 2908 B895.tmp 41 PID 2908 wrote to memory of 3012 2908 B895.tmp 41 PID 2908 wrote to memory of 3012 2908 B895.tmp 41 PID 2908 wrote to memory of 3012 2908 B895.tmp 41 PID 3012 wrote to memory of 2560 3012 B8F3.tmp 42 PID 3012 wrote to memory of 2560 3012 B8F3.tmp 42 PID 3012 wrote to memory of 2560 3012 B8F3.tmp 42 PID 3012 wrote to memory of 2560 3012 B8F3.tmp 42 PID 2560 wrote to memory of 2636 2560 B951.tmp 43 PID 2560 wrote to memory of 2636 2560 B951.tmp 43 PID 2560 wrote to memory of 2636 2560 B951.tmp 43 PID 2560 wrote to memory of 2636 2560 B951.tmp 43 PID 2636 wrote to memory of 1976 2636 B9BE.tmp 44 PID 2636 wrote to memory of 1976 2636 B9BE.tmp 44 PID 2636 wrote to memory of 1976 2636 B9BE.tmp 44 PID 2636 wrote to memory of 1976 2636 B9BE.tmp 44 PID 1976 wrote to memory of 1328 1976 BA1B.tmp 45 PID 1976 wrote to memory of 1328 1976 BA1B.tmp 45 PID 1976 wrote to memory of 1328 1976 BA1B.tmp 45 PID 1976 wrote to memory of 1328 1976 BA1B.tmp 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\B471.tmp"C:\Users\Admin\AppData\Local\Temp\B471.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\B4DE.tmp"C:\Users\Admin\AppData\Local\Temp\B4DE.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\B54B.tmp"C:\Users\Admin\AppData\Local\Temp\B54B.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\B5B8.tmp"C:\Users\Admin\AppData\Local\Temp\B5B8.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\B635.tmp"C:\Users\Admin\AppData\Local\Temp\B635.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\B6B2.tmp"C:\Users\Admin\AppData\Local\Temp\B6B2.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\B70F.tmp"C:\Users\Admin\AppData\Local\Temp\B70F.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\B77D.tmp"C:\Users\Admin\AppData\Local\Temp\B77D.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\B7DA.tmp"C:\Users\Admin\AppData\Local\Temp\B7DA.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\B838.tmp"C:\Users\Admin\AppData\Local\Temp\B838.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\B895.tmp"C:\Users\Admin\AppData\Local\Temp\B895.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\B8F3.tmp"C:\Users\Admin\AppData\Local\Temp\B8F3.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\B951.tmp"C:\Users\Admin\AppData\Local\Temp\B951.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\B9BE.tmp"C:\Users\Admin\AppData\Local\Temp\B9BE.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\BA1B.tmp"C:\Users\Admin\AppData\Local\Temp\BA1B.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\BA89.tmp"C:\Users\Admin\AppData\Local\Temp\BA89.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\BAE6.tmp"C:\Users\Admin\AppData\Local\Temp\BAE6.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Users\Admin\AppData\Local\Temp\BB44.tmp"C:\Users\Admin\AppData\Local\Temp\BB44.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\BBA1.tmp"C:\Users\Admin\AppData\Local\Temp\BBA1.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\BC0F.tmp"C:\Users\Admin\AppData\Local\Temp\BC0F.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Users\Admin\AppData\Local\Temp\BC5D.tmp"C:\Users\Admin\AppData\Local\Temp\BC5D.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:500 -
C:\Users\Admin\AppData\Local\Temp\BCCA.tmp"C:\Users\Admin\AppData\Local\Temp\BCCA.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Users\Admin\AppData\Local\Temp\BD27.tmp"C:\Users\Admin\AppData\Local\Temp\BD27.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\BD75.tmp"C:\Users\Admin\AppData\Local\Temp\BD75.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\BDB4.tmp"C:\Users\Admin\AppData\Local\Temp\BDB4.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\BDF2.tmp"C:\Users\Admin\AppData\Local\Temp\BDF2.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\BE40.tmp"C:\Users\Admin\AppData\Local\Temp\BE40.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\BE8E.tmp"C:\Users\Admin\AppData\Local\Temp\BE8E.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\BECD.tmp"C:\Users\Admin\AppData\Local\Temp\BECD.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\BF1B.tmp"C:\Users\Admin\AppData\Local\Temp\BF1B.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\BF59.tmp"C:\Users\Admin\AppData\Local\Temp\BF59.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\BF97.tmp"C:\Users\Admin\AppData\Local\Temp\BF97.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\BFD6.tmp"C:\Users\Admin\AppData\Local\Temp\BFD6.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\C014.tmp"C:\Users\Admin\AppData\Local\Temp\C014.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Users\Admin\AppData\Local\Temp\C053.tmp"C:\Users\Admin\AppData\Local\Temp\C053.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Users\Admin\AppData\Local\Temp\C0A1.tmp"C:\Users\Admin\AppData\Local\Temp\C0A1.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\C0DF.tmp"C:\Users\Admin\AppData\Local\Temp\C0DF.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\C11D.tmp"C:\Users\Admin\AppData\Local\Temp\C11D.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\C15C.tmp"C:\Users\Admin\AppData\Local\Temp\C15C.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\C1AA.tmp"C:\Users\Admin\AppData\Local\Temp\C1AA.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\C1E8.tmp"C:\Users\Admin\AppData\Local\Temp\C1E8.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\C227.tmp"C:\Users\Admin\AppData\Local\Temp\C227.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Users\Admin\AppData\Local\Temp\C275.tmp"C:\Users\Admin\AppData\Local\Temp\C275.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\C2B3.tmp"C:\Users\Admin\AppData\Local\Temp\C2B3.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Users\Admin\AppData\Local\Temp\C2F1.tmp"C:\Users\Admin\AppData\Local\Temp\C2F1.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\C330.tmp"C:\Users\Admin\AppData\Local\Temp\C330.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\C37E.tmp"C:\Users\Admin\AppData\Local\Temp\C37E.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\C3BC.tmp"C:\Users\Admin\AppData\Local\Temp\C3BC.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\C3FB.tmp"C:\Users\Admin\AppData\Local\Temp\C3FB.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\C439.tmp"C:\Users\Admin\AppData\Local\Temp\C439.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\C477.tmp"C:\Users\Admin\AppData\Local\Temp\C477.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\C4B6.tmp"C:\Users\Admin\AppData\Local\Temp\C4B6.tmp"53⤵
- Executes dropped EXE
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\C4F4.tmp"C:\Users\Admin\AppData\Local\Temp\C4F4.tmp"54⤵
- Loads dropped DLL
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\C552.tmp"C:\Users\Admin\AppData\Local\Temp\C552.tmp"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\C590.tmp"C:\Users\Admin\AppData\Local\Temp\C590.tmp"56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\C5CF.tmp"C:\Users\Admin\AppData\Local\Temp\C5CF.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\C60D.tmp"C:\Users\Admin\AppData\Local\Temp\C60D.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\C64B.tmp"C:\Users\Admin\AppData\Local\Temp\C64B.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\C68A.tmp"C:\Users\Admin\AppData\Local\Temp\C68A.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\C6C8.tmp"C:\Users\Admin\AppData\Local\Temp\C6C8.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\C707.tmp"C:\Users\Admin\AppData\Local\Temp\C707.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\C745.tmp"C:\Users\Admin\AppData\Local\Temp\C745.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\C793.tmp"C:\Users\Admin\AppData\Local\Temp\C793.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\C7E1.tmp"C:\Users\Admin\AppData\Local\Temp\C7E1.tmp"65⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\C81F.tmp"C:\Users\Admin\AppData\Local\Temp\C81F.tmp"66⤵
- Executes dropped EXE
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\C85E.tmp"C:\Users\Admin\AppData\Local\Temp\C85E.tmp"67⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\C89C.tmp"C:\Users\Admin\AppData\Local\Temp\C89C.tmp"68⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\C8EA.tmp"C:\Users\Admin\AppData\Local\Temp\C8EA.tmp"69⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\C938.tmp"C:\Users\Admin\AppData\Local\Temp\C938.tmp"70⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\C977.tmp"C:\Users\Admin\AppData\Local\Temp\C977.tmp"71⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp"C:\Users\Admin\AppData\Local\Temp\C9B5.tmp"72⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\CA03.tmp"C:\Users\Admin\AppData\Local\Temp\CA03.tmp"73⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\CA41.tmp"C:\Users\Admin\AppData\Local\Temp\CA41.tmp"74⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\CA8F.tmp"C:\Users\Admin\AppData\Local\Temp\CA8F.tmp"75⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\CACE.tmp"C:\Users\Admin\AppData\Local\Temp\CACE.tmp"76⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\CB0C.tmp"C:\Users\Admin\AppData\Local\Temp\CB0C.tmp"77⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\CB4B.tmp"C:\Users\Admin\AppData\Local\Temp\CB4B.tmp"78⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\CB89.tmp"C:\Users\Admin\AppData\Local\Temp\CB89.tmp"79⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\CBC7.tmp"C:\Users\Admin\AppData\Local\Temp\CBC7.tmp"80⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\CC06.tmp"C:\Users\Admin\AppData\Local\Temp\CC06.tmp"81⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\CC44.tmp"C:\Users\Admin\AppData\Local\Temp\CC44.tmp"82⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\CC83.tmp"C:\Users\Admin\AppData\Local\Temp\CC83.tmp"83⤵
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\CCC1.tmp"C:\Users\Admin\AppData\Local\Temp\CCC1.tmp"84⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\CD0F.tmp"C:\Users\Admin\AppData\Local\Temp\CD0F.tmp"85⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\CD4D.tmp"C:\Users\Admin\AppData\Local\Temp\CD4D.tmp"86⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\CD8C.tmp"C:\Users\Admin\AppData\Local\Temp\CD8C.tmp"87⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\CDCA.tmp"C:\Users\Admin\AppData\Local\Temp\CDCA.tmp"88⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\CE09.tmp"C:\Users\Admin\AppData\Local\Temp\CE09.tmp"89⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\CE47.tmp"C:\Users\Admin\AppData\Local\Temp\CE47.tmp"90⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\CE85.tmp"C:\Users\Admin\AppData\Local\Temp\CE85.tmp"91⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\CEC4.tmp"C:\Users\Admin\AppData\Local\Temp\CEC4.tmp"92⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\CF02.tmp"C:\Users\Admin\AppData\Local\Temp\CF02.tmp"93⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\CF41.tmp"C:\Users\Admin\AppData\Local\Temp\CF41.tmp"94⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\CF8F.tmp"C:\Users\Admin\AppData\Local\Temp\CF8F.tmp"95⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\CFCD.tmp"C:\Users\Admin\AppData\Local\Temp\CFCD.tmp"96⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\D00B.tmp"C:\Users\Admin\AppData\Local\Temp\D00B.tmp"97⤵PID:280
-
C:\Users\Admin\AppData\Local\Temp\D059.tmp"C:\Users\Admin\AppData\Local\Temp\D059.tmp"98⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\D098.tmp"C:\Users\Admin\AppData\Local\Temp\D098.tmp"99⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\D0E6.tmp"C:\Users\Admin\AppData\Local\Temp\D0E6.tmp"100⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\D124.tmp"C:\Users\Admin\AppData\Local\Temp\D124.tmp"101⤵PID:828
-
C:\Users\Admin\AppData\Local\Temp\D163.tmp"C:\Users\Admin\AppData\Local\Temp\D163.tmp"102⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\D1A1.tmp"C:\Users\Admin\AppData\Local\Temp\D1A1.tmp"103⤵PID:620
-
C:\Users\Admin\AppData\Local\Temp\D1DF.tmp"C:\Users\Admin\AppData\Local\Temp\D1DF.tmp"104⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\D21E.tmp"C:\Users\Admin\AppData\Local\Temp\D21E.tmp"105⤵PID:1368
-
C:\Users\Admin\AppData\Local\Temp\D25C.tmp"C:\Users\Admin\AppData\Local\Temp\D25C.tmp"106⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\D2AA.tmp"C:\Users\Admin\AppData\Local\Temp\D2AA.tmp"107⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\D2E9.tmp"C:\Users\Admin\AppData\Local\Temp\D2E9.tmp"108⤵PID:656
-
C:\Users\Admin\AppData\Local\Temp\D327.tmp"C:\Users\Admin\AppData\Local\Temp\D327.tmp"109⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\D365.tmp"C:\Users\Admin\AppData\Local\Temp\D365.tmp"110⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\D3B3.tmp"C:\Users\Admin\AppData\Local\Temp\D3B3.tmp"111⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\D401.tmp"C:\Users\Admin\AppData\Local\Temp\D401.tmp"112⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\D440.tmp"C:\Users\Admin\AppData\Local\Temp\D440.tmp"113⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\D47E.tmp"C:\Users\Admin\AppData\Local\Temp\D47E.tmp"114⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\D4CC.tmp"C:\Users\Admin\AppData\Local\Temp\D4CC.tmp"115⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\D4FB.tmp"C:\Users\Admin\AppData\Local\Temp\D4FB.tmp"116⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\D539.tmp"C:\Users\Admin\AppData\Local\Temp\D539.tmp"117⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\D578.tmp"C:\Users\Admin\AppData\Local\Temp\D578.tmp"118⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\D5B6.tmp"C:\Users\Admin\AppData\Local\Temp\D5B6.tmp"119⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\D604.tmp"C:\Users\Admin\AppData\Local\Temp\D604.tmp"120⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\D643.tmp"C:\Users\Admin\AppData\Local\Temp\D643.tmp"121⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\D681.tmp"C:\Users\Admin\AppData\Local\Temp\D681.tmp"122⤵
- System Location Discovery: System Language Discovery
PID:2372
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-