Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 09:51
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe
-
Size
527KB
-
MD5
926666fd18c81444a3b0d9e74c34d004
-
SHA1
ed25dc9231a059041f8350bd3855714fc153bdc9
-
SHA256
88acc3ad4051f1e305e5c4951384548fefb76ed7969318d94ad0eedf545b5c86
-
SHA512
4b5aaba5d716b7b0f8f33366f52892b92b3c7a819f146369d05d91dd4f1e49c4e3f7314b7e83243a1eb2884a32624830328444b2529528736206622b13bc01a4
-
SSDEEP
12288:fU5rCOTeidDcuxOVBegv0eqaWRrzNddo69ZcDZu:fUQOJdwjeAWfddo69iDo
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 396 9C7E.tmp 892 9D0B.tmp 972 9DA7.tmp 3460 9E43.tmp 3140 9ED0.tmp 812 9F5D.tmp 4176 9FE9.tmp 5056 A057.tmp 4976 A0F3.tmp 1680 A151.tmp 628 A1BE.tmp 1524 A21C.tmp 1620 A299.tmp 1712 A325.tmp 2388 A3A2.tmp 1816 A400.tmp 1004 A45E.tmp 4576 A4CB.tmp 4164 A548.tmp 2432 A5A6.tmp 2248 A604.tmp 4972 A662.tmp 3012 A6DF.tmp 4240 A72D.tmp 760 A78A.tmp 3736 A7E8.tmp 4140 A856.tmp 3380 A8B3.tmp 3936 A930.tmp 2656 A9AD.tmp 3672 AA1B.tmp 2088 AA98.tmp 532 AB24.tmp 2304 AB82.tmp 2344 ABD0.tmp 2456 AC2E.tmp 2252 AC8C.tmp 3972 ACE9.tmp 5096 AD38.tmp 4376 AD86.tmp 4732 ADD4.tmp 1940 AE32.tmp 3592 AE8F.tmp 4840 AEED.tmp 1392 AF4B.tmp 60 AF99.tmp 3704 AFE7.tmp 748 B045.tmp 5060 B0B2.tmp 4880 B110.tmp 4664 B16E.tmp 3804 B1CB.tmp 4900 B229.tmp 3588 B287.tmp 3276 B2E5.tmp 3100 B352.tmp 1156 B3B0.tmp 3852 B41D.tmp 4312 B48B.tmp 1004 B4F8.tmp 2792 B556.tmp 1988 B5B3.tmp 4164 B621.tmp 5076 B67F.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CC68.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D62C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3F37.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 70F5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 73E3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F0C8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 87C9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DC9F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E947.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B88D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E5BC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3718.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DB6C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2F77.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 67BE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 75D7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DD60.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 65F8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AA16.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F1ED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D428.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F220.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9A76.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FA3A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4CE3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DE16.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EDE5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B0EC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DDB9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F807.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CBBC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1652.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B9EA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F97E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5C06.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6CBF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D8A8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 17AA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B949.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D472.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DA4E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3256 wrote to memory of 396 3256 2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe 84 PID 3256 wrote to memory of 396 3256 2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe 84 PID 3256 wrote to memory of 396 3256 2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe 84 PID 396 wrote to memory of 892 396 9C7E.tmp 85 PID 396 wrote to memory of 892 396 9C7E.tmp 85 PID 396 wrote to memory of 892 396 9C7E.tmp 85 PID 892 wrote to memory of 972 892 9D0B.tmp 86 PID 892 wrote to memory of 972 892 9D0B.tmp 86 PID 892 wrote to memory of 972 892 9D0B.tmp 86 PID 972 wrote to memory of 3460 972 9DA7.tmp 88 PID 972 wrote to memory of 3460 972 9DA7.tmp 88 PID 972 wrote to memory of 3460 972 9DA7.tmp 88 PID 3460 wrote to memory of 3140 3460 9E43.tmp 90 PID 3460 wrote to memory of 3140 3460 9E43.tmp 90 PID 3460 wrote to memory of 3140 3460 9E43.tmp 90 PID 3140 wrote to memory of 812 3140 9ED0.tmp 92 PID 3140 wrote to memory of 812 3140 9ED0.tmp 92 PID 3140 wrote to memory of 812 3140 9ED0.tmp 92 PID 812 wrote to memory of 4176 812 9F5D.tmp 93 PID 812 wrote to memory of 4176 812 9F5D.tmp 93 PID 812 wrote to memory of 4176 812 9F5D.tmp 93 PID 4176 wrote to memory of 5056 4176 9FE9.tmp 94 PID 4176 wrote to memory of 5056 4176 9FE9.tmp 94 PID 4176 wrote to memory of 5056 4176 9FE9.tmp 94 PID 5056 wrote to memory of 4976 5056 A057.tmp 95 PID 5056 wrote to memory of 4976 5056 A057.tmp 95 PID 5056 wrote to memory of 4976 5056 A057.tmp 95 PID 4976 wrote to memory of 1680 4976 A0F3.tmp 96 PID 4976 wrote to memory of 1680 4976 A0F3.tmp 96 PID 4976 wrote to memory of 1680 4976 A0F3.tmp 96 PID 1680 wrote to memory of 628 1680 A151.tmp 97 PID 1680 wrote to memory of 628 1680 A151.tmp 97 PID 1680 wrote to memory of 628 1680 A151.tmp 97 PID 628 wrote to memory of 1524 628 A1BE.tmp 98 PID 628 wrote to memory of 1524 628 A1BE.tmp 98 PID 628 wrote to memory of 1524 628 A1BE.tmp 98 PID 1524 wrote to memory of 1620 1524 A21C.tmp 99 PID 1524 wrote to memory of 1620 1524 A21C.tmp 99 PID 1524 wrote to memory of 1620 1524 A21C.tmp 99 PID 1620 wrote to memory of 1712 1620 A299.tmp 100 PID 1620 wrote to memory of 1712 1620 A299.tmp 100 PID 1620 wrote to memory of 1712 1620 A299.tmp 100 PID 1712 wrote to memory of 2388 1712 A325.tmp 101 PID 1712 wrote to memory of 2388 1712 A325.tmp 101 PID 1712 wrote to memory of 2388 1712 A325.tmp 101 PID 2388 wrote to memory of 1816 2388 A3A2.tmp 102 PID 2388 wrote to memory of 1816 2388 A3A2.tmp 102 PID 2388 wrote to memory of 1816 2388 A3A2.tmp 102 PID 1816 wrote to memory of 1004 1816 A400.tmp 103 PID 1816 wrote to memory of 1004 1816 A400.tmp 103 PID 1816 wrote to memory of 1004 1816 A400.tmp 103 PID 1004 wrote to memory of 4576 1004 A45E.tmp 104 PID 1004 wrote to memory of 4576 1004 A45E.tmp 104 PID 1004 wrote to memory of 4576 1004 A45E.tmp 104 PID 4576 wrote to memory of 4164 4576 A4CB.tmp 105 PID 4576 wrote to memory of 4164 4576 A4CB.tmp 105 PID 4576 wrote to memory of 4164 4576 A4CB.tmp 105 PID 4164 wrote to memory of 2432 4164 A548.tmp 106 PID 4164 wrote to memory of 2432 4164 A548.tmp 106 PID 4164 wrote to memory of 2432 4164 A548.tmp 106 PID 2432 wrote to memory of 2248 2432 A5A6.tmp 107 PID 2432 wrote to memory of 2248 2432 A5A6.tmp 107 PID 2432 wrote to memory of 2248 2432 A5A6.tmp 107 PID 2248 wrote to memory of 4972 2248 A604.tmp 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_926666fd18c81444a3b0d9e74c34d004_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp"C:\Users\Admin\AppData\Local\Temp\9C7E.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Users\Admin\AppData\Local\Temp\9D0B.tmp"C:\Users\Admin\AppData\Local\Temp\9D0B.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Users\Admin\AppData\Local\Temp\9DA7.tmp"C:\Users\Admin\AppData\Local\Temp\9DA7.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Users\Admin\AppData\Local\Temp\9E43.tmp"C:\Users\Admin\AppData\Local\Temp\9E43.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\9ED0.tmp"C:\Users\Admin\AppData\Local\Temp\9ED0.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Users\Admin\AppData\Local\Temp\9F5D.tmp"C:\Users\Admin\AppData\Local\Temp\9F5D.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\A057.tmp"C:\Users\Admin\AppData\Local\Temp\A057.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\A0F3.tmp"C:\Users\Admin\AppData\Local\Temp\A0F3.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\A151.tmp"C:\Users\Admin\AppData\Local\Temp\A151.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\A1BE.tmp"C:\Users\Admin\AppData\Local\Temp\A1BE.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Users\Admin\AppData\Local\Temp\A21C.tmp"C:\Users\Admin\AppData\Local\Temp\A21C.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\A299.tmp"C:\Users\Admin\AppData\Local\Temp\A299.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\A325.tmp"C:\Users\Admin\AppData\Local\Temp\A325.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\A3A2.tmp"C:\Users\Admin\AppData\Local\Temp\A3A2.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\A400.tmp"C:\Users\Admin\AppData\Local\Temp\A400.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\A45E.tmp"C:\Users\Admin\AppData\Local\Temp\A45E.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\A4CB.tmp"C:\Users\Admin\AppData\Local\Temp\A4CB.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\A548.tmp"C:\Users\Admin\AppData\Local\Temp\A548.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\A5A6.tmp"C:\Users\Admin\AppData\Local\Temp\A5A6.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Users\Admin\AppData\Local\Temp\A604.tmp"C:\Users\Admin\AppData\Local\Temp\A604.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\A662.tmp"C:\Users\Admin\AppData\Local\Temp\A662.tmp"23⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\A6DF.tmp"C:\Users\Admin\AppData\Local\Temp\A6DF.tmp"24⤵
- Executes dropped EXE
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\A72D.tmp"C:\Users\Admin\AppData\Local\Temp\A72D.tmp"25⤵
- Executes dropped EXE
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\A78A.tmp"C:\Users\Admin\AppData\Local\Temp\A78A.tmp"26⤵
- Executes dropped EXE
PID:760 -
C:\Users\Admin\AppData\Local\Temp\A7E8.tmp"C:\Users\Admin\AppData\Local\Temp\A7E8.tmp"27⤵
- Executes dropped EXE
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\A856.tmp"C:\Users\Admin\AppData\Local\Temp\A856.tmp"28⤵
- Executes dropped EXE
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\A8B3.tmp"C:\Users\Admin\AppData\Local\Temp\A8B3.tmp"29⤵
- Executes dropped EXE
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\A930.tmp"C:\Users\Admin\AppData\Local\Temp\A930.tmp"30⤵
- Executes dropped EXE
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"31⤵
- Executes dropped EXE
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\AA1B.tmp"C:\Users\Admin\AppData\Local\Temp\AA1B.tmp"32⤵
- Executes dropped EXE
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\AA98.tmp"C:\Users\Admin\AppData\Local\Temp\AA98.tmp"33⤵
- Executes dropped EXE
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\AB24.tmp"C:\Users\Admin\AppData\Local\Temp\AB24.tmp"34⤵
- Executes dropped EXE
PID:532 -
C:\Users\Admin\AppData\Local\Temp\AB82.tmp"C:\Users\Admin\AppData\Local\Temp\AB82.tmp"35⤵
- Executes dropped EXE
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\ABD0.tmp"C:\Users\Admin\AppData\Local\Temp\ABD0.tmp"36⤵
- Executes dropped EXE
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\AC2E.tmp"C:\Users\Admin\AppData\Local\Temp\AC2E.tmp"37⤵
- Executes dropped EXE
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\AC8C.tmp"C:\Users\Admin\AppData\Local\Temp\AC8C.tmp"38⤵
- Executes dropped EXE
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\ACE9.tmp"C:\Users\Admin\AppData\Local\Temp\ACE9.tmp"39⤵
- Executes dropped EXE
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\AD38.tmp"C:\Users\Admin\AppData\Local\Temp\AD38.tmp"40⤵
- Executes dropped EXE
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\AD86.tmp"C:\Users\Admin\AppData\Local\Temp\AD86.tmp"41⤵
- Executes dropped EXE
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\ADD4.tmp"C:\Users\Admin\AppData\Local\Temp\ADD4.tmp"42⤵
- Executes dropped EXE
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\AE32.tmp"C:\Users\Admin\AppData\Local\Temp\AE32.tmp"43⤵
- Executes dropped EXE
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\AE8F.tmp"C:\Users\Admin\AppData\Local\Temp\AE8F.tmp"44⤵
- Executes dropped EXE
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\AEED.tmp"C:\Users\Admin\AppData\Local\Temp\AEED.tmp"45⤵
- Executes dropped EXE
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\AF4B.tmp"C:\Users\Admin\AppData\Local\Temp\AF4B.tmp"46⤵
- Executes dropped EXE
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\AF99.tmp"C:\Users\Admin\AppData\Local\Temp\AF99.tmp"47⤵
- Executes dropped EXE
PID:60 -
C:\Users\Admin\AppData\Local\Temp\AFE7.tmp"C:\Users\Admin\AppData\Local\Temp\AFE7.tmp"48⤵
- Executes dropped EXE
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\B045.tmp"C:\Users\Admin\AppData\Local\Temp\B045.tmp"49⤵
- Executes dropped EXE
PID:748 -
C:\Users\Admin\AppData\Local\Temp\B0B2.tmp"C:\Users\Admin\AppData\Local\Temp\B0B2.tmp"50⤵
- Executes dropped EXE
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\B110.tmp"C:\Users\Admin\AppData\Local\Temp\B110.tmp"51⤵
- Executes dropped EXE
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\B16E.tmp"C:\Users\Admin\AppData\Local\Temp\B16E.tmp"52⤵
- Executes dropped EXE
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\B1CB.tmp"C:\Users\Admin\AppData\Local\Temp\B1CB.tmp"53⤵
- Executes dropped EXE
PID:3804 -
C:\Users\Admin\AppData\Local\Temp\B229.tmp"C:\Users\Admin\AppData\Local\Temp\B229.tmp"54⤵
- Executes dropped EXE
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\B287.tmp"C:\Users\Admin\AppData\Local\Temp\B287.tmp"55⤵
- Executes dropped EXE
PID:3588 -
C:\Users\Admin\AppData\Local\Temp\B2E5.tmp"C:\Users\Admin\AppData\Local\Temp\B2E5.tmp"56⤵
- Executes dropped EXE
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\B352.tmp"C:\Users\Admin\AppData\Local\Temp\B352.tmp"57⤵
- Executes dropped EXE
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\B3B0.tmp"C:\Users\Admin\AppData\Local\Temp\B3B0.tmp"58⤵
- Executes dropped EXE
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\B41D.tmp"C:\Users\Admin\AppData\Local\Temp\B41D.tmp"59⤵
- Executes dropped EXE
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\B48B.tmp"C:\Users\Admin\AppData\Local\Temp\B48B.tmp"60⤵
- Executes dropped EXE
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\B4F8.tmp"C:\Users\Admin\AppData\Local\Temp\B4F8.tmp"61⤵
- Executes dropped EXE
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\B556.tmp"C:\Users\Admin\AppData\Local\Temp\B556.tmp"62⤵
- Executes dropped EXE
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\B5B3.tmp"C:\Users\Admin\AppData\Local\Temp\B5B3.tmp"63⤵
- Executes dropped EXE
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\B621.tmp"C:\Users\Admin\AppData\Local\Temp\B621.tmp"64⤵
- Executes dropped EXE
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\B67F.tmp"C:\Users\Admin\AppData\Local\Temp\B67F.tmp"65⤵
- Executes dropped EXE
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\B6EC.tmp"C:\Users\Admin\AppData\Local\Temp\B6EC.tmp"66⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\B74A.tmp"C:\Users\Admin\AppData\Local\Temp\B74A.tmp"67⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\B7A7.tmp"C:\Users\Admin\AppData\Local\Temp\B7A7.tmp"68⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\B815.tmp"C:\Users\Admin\AppData\Local\Temp\B815.tmp"69⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\B873.tmp"C:\Users\Admin\AppData\Local\Temp\B873.tmp"70⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\B8D0.tmp"C:\Users\Admin\AppData\Local\Temp\B8D0.tmp"71⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\B92E.tmp"C:\Users\Admin\AppData\Local\Temp\B92E.tmp"72⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\B99B.tmp"C:\Users\Admin\AppData\Local\Temp\B99B.tmp"73⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\B9EA.tmp"C:\Users\Admin\AppData\Local\Temp\B9EA.tmp"74⤵
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\BA47.tmp"C:\Users\Admin\AppData\Local\Temp\BA47.tmp"75⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\BAB5.tmp"C:\Users\Admin\AppData\Local\Temp\BAB5.tmp"76⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\BB22.tmp"C:\Users\Admin\AppData\Local\Temp\BB22.tmp"77⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\BB8F.tmp"C:\Users\Admin\AppData\Local\Temp\BB8F.tmp"78⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\BBFD.tmp"C:\Users\Admin\AppData\Local\Temp\BBFD.tmp"79⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\BC6A.tmp"C:\Users\Admin\AppData\Local\Temp\BC6A.tmp"80⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\BCC8.tmp"C:\Users\Admin\AppData\Local\Temp\BCC8.tmp"81⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\BD26.tmp"C:\Users\Admin\AppData\Local\Temp\BD26.tmp"82⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\BD83.tmp"C:\Users\Admin\AppData\Local\Temp\BD83.tmp"83⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\BDF1.tmp"C:\Users\Admin\AppData\Local\Temp\BDF1.tmp"84⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\BE4F.tmp"C:\Users\Admin\AppData\Local\Temp\BE4F.tmp"85⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\BEAC.tmp"C:\Users\Admin\AppData\Local\Temp\BEAC.tmp"86⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\BF0A.tmp"C:\Users\Admin\AppData\Local\Temp\BF0A.tmp"87⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\BF68.tmp"C:\Users\Admin\AppData\Local\Temp\BF68.tmp"88⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\BFB6.tmp"C:\Users\Admin\AppData\Local\Temp\BFB6.tmp"89⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\C014.tmp"C:\Users\Admin\AppData\Local\Temp\C014.tmp"90⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\C062.tmp"C:\Users\Admin\AppData\Local\Temp\C062.tmp"91⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\C0C0.tmp"C:\Users\Admin\AppData\Local\Temp\C0C0.tmp"92⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\C11D.tmp"C:\Users\Admin\AppData\Local\Temp\C11D.tmp"93⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\C18B.tmp"C:\Users\Admin\AppData\Local\Temp\C18B.tmp"94⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\C1E8.tmp"C:\Users\Admin\AppData\Local\Temp\C1E8.tmp"95⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\C256.tmp"C:\Users\Admin\AppData\Local\Temp\C256.tmp"96⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\C2B4.tmp"C:\Users\Admin\AppData\Local\Temp\C2B4.tmp"97⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\C321.tmp"C:\Users\Admin\AppData\Local\Temp\C321.tmp"98⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\C37F.tmp"C:\Users\Admin\AppData\Local\Temp\C37F.tmp"99⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\C3DC.tmp"C:\Users\Admin\AppData\Local\Temp\C3DC.tmp"100⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\C42B.tmp"C:\Users\Admin\AppData\Local\Temp\C42B.tmp"101⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\C488.tmp"C:\Users\Admin\AppData\Local\Temp\C488.tmp"102⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\C4D6.tmp"C:\Users\Admin\AppData\Local\Temp\C4D6.tmp"103⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\C534.tmp"C:\Users\Admin\AppData\Local\Temp\C534.tmp"104⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\C582.tmp"C:\Users\Admin\AppData\Local\Temp\C582.tmp"105⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\C5F0.tmp"C:\Users\Admin\AppData\Local\Temp\C5F0.tmp"106⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\C64D.tmp"C:\Users\Admin\AppData\Local\Temp\C64D.tmp"107⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\C6AB.tmp"C:\Users\Admin\AppData\Local\Temp\C6AB.tmp"108⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\C709.tmp"C:\Users\Admin\AppData\Local\Temp\C709.tmp"109⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\C767.tmp"C:\Users\Admin\AppData\Local\Temp\C767.tmp"110⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\C7B5.tmp"C:\Users\Admin\AppData\Local\Temp\C7B5.tmp"111⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\C813.tmp"C:\Users\Admin\AppData\Local\Temp\C813.tmp"112⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\C870.tmp"C:\Users\Admin\AppData\Local\Temp\C870.tmp"113⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\C8CE.tmp"C:\Users\Admin\AppData\Local\Temp\C8CE.tmp"114⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\C93B.tmp"C:\Users\Admin\AppData\Local\Temp\C93B.tmp"115⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\C98A.tmp"C:\Users\Admin\AppData\Local\Temp\C98A.tmp"116⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\C9E7.tmp"C:\Users\Admin\AppData\Local\Temp\C9E7.tmp"117⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\CA45.tmp"C:\Users\Admin\AppData\Local\Temp\CA45.tmp"118⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\CAA3.tmp"C:\Users\Admin\AppData\Local\Temp\CAA3.tmp"119⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\CB01.tmp"C:\Users\Admin\AppData\Local\Temp\CB01.tmp"120⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\CB5E.tmp"C:\Users\Admin\AppData\Local\Temp\CB5E.tmp"121⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\CBBC.tmp"C:\Users\Admin\AppData\Local\Temp\CBBC.tmp"122⤵
- System Location Discovery: System Language Discovery
PID:5104
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-