Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
25-08-2024 14:42
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe
-
Size
712KB
-
MD5
3873aa0890f2d9db9caa2589ed409a79
-
SHA1
8e530d7524136e7539609c675d5a5fa8f4ed8c86
-
SHA256
939579347c469905976dd61a26efa45d9de4faf1e11e393e665d71dc3859f892
-
SHA512
a0402724d03fbd4c267cfa8217461bc8fdb03210357f1d2099d3c4708df42bc527c7ef523dacc47abfe7b31eee39c2653b38d05334d34dc70c2a0c1f4eef36f2
-
SSDEEP
12288:FU5rCOTeiDp4WT3N93m2Vrg8TI2ZNZdCvq5TJLCvY90D8/LVBlVk736Y79GWzNbA:FUQOJDfd93m2VJIyNnCvq5TJLCvY90DA
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2792 66AF.tmp 2900 672C.tmp 2704 67B8.tmp 2604 6806.tmp 2592 6854.tmp 2796 6893.tmp 2636 691F.tmp 2628 698C.tmp 320 69CB.tmp 792 6A09.tmp 1096 6AC4.tmp 576 6B12.tmp 2320 6B8F.tmp 2460 6BCD.tmp 2348 6C0C.tmp 1996 6C5A.tmp 1320 6C98.tmp 1912 6CD7.tmp 1276 6D15.tmp 2632 6E0F.tmp 2016 6E5D.tmp 276 6E9B.tmp 2416 6EF9.tmp 2924 6F47.tmp 2844 6FA4.tmp 2208 6FE3.tmp 2456 7031.tmp 1944 706F.tmp 2148 70AD.tmp 2444 70EC.tmp 1752 712A.tmp 1488 7169.tmp 2904 71A7.tmp 1140 71E5.tmp 1716 7224.tmp 1000 7262.tmp 1596 72A1.tmp 2452 72DF.tmp 1860 731D.tmp 1380 735C.tmp 2652 738B.tmp 912 73C9.tmp 940 7407.tmp 1328 7436.tmp 2092 7475.tmp 2516 74B3.tmp 2872 74E2.tmp 1936 7520.tmp 3008 755F.tmp 900 759D.tmp 1628 75DB.tmp 2508 761A.tmp 1588 7658.tmp 2720 7697.tmp 2808 76D5.tmp 2724 7704.tmp 2900 7742.tmp 2704 7781.tmp 2708 77AF.tmp 2624 77DE.tmp 2592 781D.tmp 2744 785B.tmp 2404 7899.tmp 2976 78E7.tmp -
Loads dropped DLL 64 IoCs
pid Process 2060 2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe 2792 66AF.tmp 2900 672C.tmp 2704 67B8.tmp 2604 6806.tmp 2592 6854.tmp 2796 6893.tmp 2636 691F.tmp 2628 698C.tmp 320 69CB.tmp 792 6A09.tmp 1096 6AC4.tmp 576 6B12.tmp 2320 6B8F.tmp 2460 6BCD.tmp 2348 6C0C.tmp 1996 6C5A.tmp 1320 6C98.tmp 1912 6CD7.tmp 1276 6D15.tmp 2632 6E0F.tmp 2016 6E5D.tmp 276 6E9B.tmp 2416 6EF9.tmp 2924 6F47.tmp 2844 6FA4.tmp 2208 6FE3.tmp 2456 7031.tmp 1944 706F.tmp 2148 70AD.tmp 2444 70EC.tmp 1752 712A.tmp 1488 7169.tmp 2904 71A7.tmp 1140 71E5.tmp 1716 7224.tmp 1000 7262.tmp 1596 72A1.tmp 2452 72DF.tmp 1860 731D.tmp 1380 735C.tmp 2652 738B.tmp 912 73C9.tmp 940 7407.tmp 1328 7436.tmp 2092 7475.tmp 2516 74B3.tmp 2872 74E2.tmp 1936 7520.tmp 3008 755F.tmp 900 759D.tmp 1628 75DB.tmp 2508 761A.tmp 1588 7658.tmp 2720 7697.tmp 2808 76D5.tmp 2724 7704.tmp 2900 7742.tmp 2704 7781.tmp 2708 77AF.tmp 2624 77DE.tmp 2592 781D.tmp 2744 785B.tmp 2404 7899.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B367.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F27A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FF8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B70F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CE18.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 401C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D00B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FAC3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8AD2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FBFB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FDB0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1F15.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48E2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9379.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9859.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B78C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D93F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E43.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80B4.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F622.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FF65.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 77DE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CED3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E33E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4672.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2792 2060 2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe 30 PID 2060 wrote to memory of 2792 2060 2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe 30 PID 2060 wrote to memory of 2792 2060 2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe 30 PID 2060 wrote to memory of 2792 2060 2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe 30 PID 2792 wrote to memory of 2900 2792 66AF.tmp 31 PID 2792 wrote to memory of 2900 2792 66AF.tmp 31 PID 2792 wrote to memory of 2900 2792 66AF.tmp 31 PID 2792 wrote to memory of 2900 2792 66AF.tmp 31 PID 2900 wrote to memory of 2704 2900 672C.tmp 87 PID 2900 wrote to memory of 2704 2900 672C.tmp 87 PID 2900 wrote to memory of 2704 2900 672C.tmp 87 PID 2900 wrote to memory of 2704 2900 672C.tmp 87 PID 2704 wrote to memory of 2604 2704 67B8.tmp 33 PID 2704 wrote to memory of 2604 2704 67B8.tmp 33 PID 2704 wrote to memory of 2604 2704 67B8.tmp 33 PID 2704 wrote to memory of 2604 2704 67B8.tmp 33 PID 2604 wrote to memory of 2592 2604 6806.tmp 90 PID 2604 wrote to memory of 2592 2604 6806.tmp 90 PID 2604 wrote to memory of 2592 2604 6806.tmp 90 PID 2604 wrote to memory of 2592 2604 6806.tmp 90 PID 2592 wrote to memory of 2796 2592 6854.tmp 35 PID 2592 wrote to memory of 2796 2592 6854.tmp 35 PID 2592 wrote to memory of 2796 2592 6854.tmp 35 PID 2592 wrote to memory of 2796 2592 6854.tmp 35 PID 2796 wrote to memory of 2636 2796 6893.tmp 36 PID 2796 wrote to memory of 2636 2796 6893.tmp 36 PID 2796 wrote to memory of 2636 2796 6893.tmp 36 PID 2796 wrote to memory of 2636 2796 6893.tmp 36 PID 2636 wrote to memory of 2628 2636 691F.tmp 37 PID 2636 wrote to memory of 2628 2636 691F.tmp 37 PID 2636 wrote to memory of 2628 2636 691F.tmp 37 PID 2636 wrote to memory of 2628 2636 691F.tmp 37 PID 2628 wrote to memory of 320 2628 698C.tmp 38 PID 2628 wrote to memory of 320 2628 698C.tmp 38 PID 2628 wrote to memory of 320 2628 698C.tmp 38 PID 2628 wrote to memory of 320 2628 698C.tmp 38 PID 320 wrote to memory of 792 320 69CB.tmp 39 PID 320 wrote to memory of 792 320 69CB.tmp 39 PID 320 wrote to memory of 792 320 69CB.tmp 39 PID 320 wrote to memory of 792 320 69CB.tmp 39 PID 792 wrote to memory of 1096 792 6A09.tmp 40 PID 792 wrote to memory of 1096 792 6A09.tmp 40 PID 792 wrote to memory of 1096 792 6A09.tmp 40 PID 792 wrote to memory of 1096 792 6A09.tmp 40 PID 1096 wrote to memory of 576 1096 6AC4.tmp 41 PID 1096 wrote to memory of 576 1096 6AC4.tmp 41 PID 1096 wrote to memory of 576 1096 6AC4.tmp 41 PID 1096 wrote to memory of 576 1096 6AC4.tmp 41 PID 576 wrote to memory of 2320 576 6B12.tmp 42 PID 576 wrote to memory of 2320 576 6B12.tmp 42 PID 576 wrote to memory of 2320 576 6B12.tmp 42 PID 576 wrote to memory of 2320 576 6B12.tmp 42 PID 2320 wrote to memory of 2460 2320 6B8F.tmp 43 PID 2320 wrote to memory of 2460 2320 6B8F.tmp 43 PID 2320 wrote to memory of 2460 2320 6B8F.tmp 43 PID 2320 wrote to memory of 2460 2320 6B8F.tmp 43 PID 2460 wrote to memory of 2348 2460 6BCD.tmp 44 PID 2460 wrote to memory of 2348 2460 6BCD.tmp 44 PID 2460 wrote to memory of 2348 2460 6BCD.tmp 44 PID 2460 wrote to memory of 2348 2460 6BCD.tmp 44 PID 2348 wrote to memory of 1996 2348 6C0C.tmp 45 PID 2348 wrote to memory of 1996 2348 6C0C.tmp 45 PID 2348 wrote to memory of 1996 2348 6C0C.tmp 45 PID 2348 wrote to memory of 1996 2348 6C0C.tmp 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_3873aa0890f2d9db9caa2589ed409a79_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\66AF.tmp"C:\Users\Admin\AppData\Local\Temp\66AF.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\672C.tmp"C:\Users\Admin\AppData\Local\Temp\672C.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\67B8.tmp"C:\Users\Admin\AppData\Local\Temp\67B8.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\6806.tmp"C:\Users\Admin\AppData\Local\Temp\6806.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\6854.tmp"C:\Users\Admin\AppData\Local\Temp\6854.tmp"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\6893.tmp"C:\Users\Admin\AppData\Local\Temp\6893.tmp"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\691F.tmp"C:\Users\Admin\AppData\Local\Temp\691F.tmp"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\698C.tmp"C:\Users\Admin\AppData\Local\Temp\698C.tmp"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\69CB.tmp"C:\Users\Admin\AppData\Local\Temp\69CB.tmp"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Users\Admin\AppData\Local\Temp\6A09.tmp"C:\Users\Admin\AppData\Local\Temp\6A09.tmp"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Local\Temp\6AC4.tmp"C:\Users\Admin\AppData\Local\Temp\6AC4.tmp"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\6B12.tmp"C:\Users\Admin\AppData\Local\Temp\6B12.tmp"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Users\Admin\AppData\Local\Temp\6B8F.tmp"C:\Users\Admin\AppData\Local\Temp\6B8F.tmp"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\6BCD.tmp"C:\Users\Admin\AppData\Local\Temp\6BCD.tmp"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\6C0C.tmp"C:\Users\Admin\AppData\Local\Temp\6C0C.tmp"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\6C5A.tmp"C:\Users\Admin\AppData\Local\Temp\6C5A.tmp"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\6C98.tmp"C:\Users\Admin\AppData\Local\Temp\6C98.tmp"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Users\Admin\AppData\Local\Temp\6CD7.tmp"C:\Users\Admin\AppData\Local\Temp\6CD7.tmp"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\6D15.tmp"C:\Users\Admin\AppData\Local\Temp\6D15.tmp"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\6E0F.tmp"C:\Users\Admin\AppData\Local\Temp\6E0F.tmp"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\6E5D.tmp"C:\Users\Admin\AppData\Local\Temp\6E5D.tmp"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\6E9B.tmp"C:\Users\Admin\AppData\Local\Temp\6E9B.tmp"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Users\Admin\AppData\Local\Temp\6EF9.tmp"C:\Users\Admin\AppData\Local\Temp\6EF9.tmp"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\6F47.tmp"C:\Users\Admin\AppData\Local\Temp\6F47.tmp"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\6FA4.tmp"C:\Users\Admin\AppData\Local\Temp\6FA4.tmp"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\6FE3.tmp"C:\Users\Admin\AppData\Local\Temp\6FE3.tmp"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\7031.tmp"C:\Users\Admin\AppData\Local\Temp\7031.tmp"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\706F.tmp"C:\Users\Admin\AppData\Local\Temp\706F.tmp"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\70AD.tmp"C:\Users\Admin\AppData\Local\Temp\70AD.tmp"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\70EC.tmp"C:\Users\Admin\AppData\Local\Temp\70EC.tmp"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\712A.tmp"C:\Users\Admin\AppData\Local\Temp\712A.tmp"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\7169.tmp"C:\Users\Admin\AppData\Local\Temp\7169.tmp"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\71A7.tmp"C:\Users\Admin\AppData\Local\Temp\71A7.tmp"34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\71E5.tmp"C:\Users\Admin\AppData\Local\Temp\71E5.tmp"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Users\Admin\AppData\Local\Temp\7224.tmp"C:\Users\Admin\AppData\Local\Temp\7224.tmp"36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\7262.tmp"C:\Users\Admin\AppData\Local\Temp\7262.tmp"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\72A1.tmp"C:\Users\Admin\AppData\Local\Temp\72A1.tmp"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\72DF.tmp"C:\Users\Admin\AppData\Local\Temp\72DF.tmp"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\731D.tmp"C:\Users\Admin\AppData\Local\Temp\731D.tmp"40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\735C.tmp"C:\Users\Admin\AppData\Local\Temp\735C.tmp"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\738B.tmp"C:\Users\Admin\AppData\Local\Temp\738B.tmp"42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\73C9.tmp"C:\Users\Admin\AppData\Local\Temp\73C9.tmp"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Users\Admin\AppData\Local\Temp\7407.tmp"C:\Users\Admin\AppData\Local\Temp\7407.tmp"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Users\Admin\AppData\Local\Temp\7436.tmp"C:\Users\Admin\AppData\Local\Temp\7436.tmp"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\7475.tmp"C:\Users\Admin\AppData\Local\Temp\7475.tmp"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\74B3.tmp"C:\Users\Admin\AppData\Local\Temp\74B3.tmp"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\74E2.tmp"C:\Users\Admin\AppData\Local\Temp\74E2.tmp"48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\7520.tmp"C:\Users\Admin\AppData\Local\Temp\7520.tmp"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\755F.tmp"C:\Users\Admin\AppData\Local\Temp\755F.tmp"50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\759D.tmp"C:\Users\Admin\AppData\Local\Temp\759D.tmp"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Users\Admin\AppData\Local\Temp\75DB.tmp"C:\Users\Admin\AppData\Local\Temp\75DB.tmp"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\761A.tmp"C:\Users\Admin\AppData\Local\Temp\761A.tmp"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\7658.tmp"C:\Users\Admin\AppData\Local\Temp\7658.tmp"54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\7697.tmp"C:\Users\Admin\AppData\Local\Temp\7697.tmp"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\76D5.tmp"C:\Users\Admin\AppData\Local\Temp\76D5.tmp"56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\7704.tmp"C:\Users\Admin\AppData\Local\Temp\7704.tmp"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\7742.tmp"C:\Users\Admin\AppData\Local\Temp\7742.tmp"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\7781.tmp"C:\Users\Admin\AppData\Local\Temp\7781.tmp"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\77AF.tmp"C:\Users\Admin\AppData\Local\Temp\77AF.tmp"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\77DE.tmp"C:\Users\Admin\AppData\Local\Temp\77DE.tmp"61⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\781D.tmp"C:\Users\Admin\AppData\Local\Temp\781D.tmp"62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\785B.tmp"C:\Users\Admin\AppData\Local\Temp\785B.tmp"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\7899.tmp"C:\Users\Admin\AppData\Local\Temp\7899.tmp"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\78E7.tmp"C:\Users\Admin\AppData\Local\Temp\78E7.tmp"65⤵
- Executes dropped EXE
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\7935.tmp"C:\Users\Admin\AppData\Local\Temp\7935.tmp"66⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\7983.tmp"C:\Users\Admin\AppData\Local\Temp\7983.tmp"67⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\79F1.tmp"C:\Users\Admin\AppData\Local\Temp\79F1.tmp"68⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\7A3F.tmp"C:\Users\Admin\AppData\Local\Temp\7A3F.tmp"69⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\7A8D.tmp"C:\Users\Admin\AppData\Local\Temp\7A8D.tmp"70⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\7B09.tmp"C:\Users\Admin\AppData\Local\Temp\7B09.tmp"71⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\7B57.tmp"C:\Users\Admin\AppData\Local\Temp\7B57.tmp"72⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\7BB5.tmp"C:\Users\Admin\AppData\Local\Temp\7BB5.tmp"73⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\7BF3.tmp"C:\Users\Admin\AppData\Local\Temp\7BF3.tmp"74⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\7C41.tmp"C:\Users\Admin\AppData\Local\Temp\7C41.tmp"75⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\7C80.tmp"C:\Users\Admin\AppData\Local\Temp\7C80.tmp"76⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\7CDD.tmp"C:\Users\Admin\AppData\Local\Temp\7CDD.tmp"77⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\7D1C.tmp"C:\Users\Admin\AppData\Local\Temp\7D1C.tmp"78⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\7D79.tmp"C:\Users\Admin\AppData\Local\Temp\7D79.tmp"79⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\7DB8.tmp"C:\Users\Admin\AppData\Local\Temp\7DB8.tmp"80⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\7DF6.tmp"C:\Users\Admin\AppData\Local\Temp\7DF6.tmp"81⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\7E35.tmp"C:\Users\Admin\AppData\Local\Temp\7E35.tmp"82⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\7E73.tmp"C:\Users\Admin\AppData\Local\Temp\7E73.tmp"83⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\7EB1.tmp"C:\Users\Admin\AppData\Local\Temp\7EB1.tmp"84⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\7EF0.tmp"C:\Users\Admin\AppData\Local\Temp\7EF0.tmp"85⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\7F2E.tmp"C:\Users\Admin\AppData\Local\Temp\7F2E.tmp"86⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\7F6D.tmp"C:\Users\Admin\AppData\Local\Temp\7F6D.tmp"87⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\7FAB.tmp"C:\Users\Admin\AppData\Local\Temp\7FAB.tmp"88⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\7FE9.tmp"C:\Users\Admin\AppData\Local\Temp\7FE9.tmp"89⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\8028.tmp"C:\Users\Admin\AppData\Local\Temp\8028.tmp"90⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\8076.tmp"C:\Users\Admin\AppData\Local\Temp\8076.tmp"91⤵PID:316
-
C:\Users\Admin\AppData\Local\Temp\80B4.tmp"C:\Users\Admin\AppData\Local\Temp\80B4.tmp"92⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\80F3.tmp"C:\Users\Admin\AppData\Local\Temp\80F3.tmp"93⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\8131.tmp"C:\Users\Admin\AppData\Local\Temp\8131.tmp"94⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\816F.tmp"C:\Users\Admin\AppData\Local\Temp\816F.tmp"95⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\81AE.tmp"C:\Users\Admin\AppData\Local\Temp\81AE.tmp"96⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\81EC.tmp"C:\Users\Admin\AppData\Local\Temp\81EC.tmp"97⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\822B.tmp"C:\Users\Admin\AppData\Local\Temp\822B.tmp"98⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\8269.tmp"C:\Users\Admin\AppData\Local\Temp\8269.tmp"99⤵PID:648
-
C:\Users\Admin\AppData\Local\Temp\82A7.tmp"C:\Users\Admin\AppData\Local\Temp\82A7.tmp"100⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\82E6.tmp"C:\Users\Admin\AppData\Local\Temp\82E6.tmp"101⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\8324.tmp"C:\Users\Admin\AppData\Local\Temp\8324.tmp"102⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\8363.tmp"C:\Users\Admin\AppData\Local\Temp\8363.tmp"103⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\83A1.tmp"C:\Users\Admin\AppData\Local\Temp\83A1.tmp"104⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\83DF.tmp"C:\Users\Admin\AppData\Local\Temp\83DF.tmp"105⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\841E.tmp"C:\Users\Admin\AppData\Local\Temp\841E.tmp"106⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\845C.tmp"C:\Users\Admin\AppData\Local\Temp\845C.tmp"107⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\849B.tmp"C:\Users\Admin\AppData\Local\Temp\849B.tmp"108⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\84D9.tmp"C:\Users\Admin\AppData\Local\Temp\84D9.tmp"109⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\8517.tmp"C:\Users\Admin\AppData\Local\Temp\8517.tmp"110⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\8556.tmp"C:\Users\Admin\AppData\Local\Temp\8556.tmp"111⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\8594.tmp"C:\Users\Admin\AppData\Local\Temp\8594.tmp"112⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\85D3.tmp"C:\Users\Admin\AppData\Local\Temp\85D3.tmp"113⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\8611.tmp"C:\Users\Admin\AppData\Local\Temp\8611.tmp"114⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\864F.tmp"C:\Users\Admin\AppData\Local\Temp\864F.tmp"115⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\868E.tmp"C:\Users\Admin\AppData\Local\Temp\868E.tmp"116⤵
- System Location Discovery: System Language Discovery
PID:900 -
C:\Users\Admin\AppData\Local\Temp\86CC.tmp"C:\Users\Admin\AppData\Local\Temp\86CC.tmp"117⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\870B.tmp"C:\Users\Admin\AppData\Local\Temp\870B.tmp"118⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\8749.tmp"C:\Users\Admin\AppData\Local\Temp\8749.tmp"119⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\8787.tmp"C:\Users\Admin\AppData\Local\Temp\8787.tmp"120⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\87C6.tmp"C:\Users\Admin\AppData\Local\Temp\87C6.tmp"121⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\8804.tmp"C:\Users\Admin\AppData\Local\Temp\8804.tmp"122⤵PID:2596
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-