Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 09:51
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe
-
Size
520KB
-
MD5
83e94fe242dc79c6b768645d7a1b527e
-
SHA1
c4c685440e77014d0284c049f2f9d2f1227af352
-
SHA256
31b1e972a2520980be1f643a2910f7be190453dc8ce5caa21a12be334783d7b1
-
SHA512
d50d2b8c947aa1a058c26ef85e53ea4572ce09df5b0eaadbf63080f0b5f2abf6ffe3fcd9a7b272ca3f8966afc56f4d35d9ec899b5b7c066478e0b182d7c05eb6
-
SSDEEP
12288:roRXOQjmOytS7/ZL/SAf9dwF7lC+dqtmF9FNZ:rogQ9yG/RT1dKC+dJF9FN
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 3288 73B9.tmp 2108 7436.tmp 2628 74A3.tmp 4692 753F.tmp 4060 759D.tmp 2768 760B.tmp 2760 7668.tmp 772 76B6.tmp 5044 7724.tmp 2072 7782.tmp 4932 77DF.tmp 960 785C.tmp 1244 78BA.tmp 428 7918.tmp 2100 7966.tmp 1988 79B4.tmp 2096 7A12.tmp 3276 7A60.tmp 848 7AAE.tmp 444 7B1B.tmp 384 7B79.tmp 2180 7BC7.tmp 1896 7C35.tmp 1892 7C83.tmp 812 7CD1.tmp 3112 7D1F.tmp 4092 7D6D.tmp 548 7DBB.tmp 2056 7E09.tmp 3360 7E58.tmp 2308 7EB5.tmp 4528 7F03.tmp 3452 7F52.tmp 5104 7FA0.tmp 2616 7FFD.tmp 4712 804C.tmp 116 809A.tmp 4208 80E8.tmp 2188 8194.tmp 3396 81E2.tmp 2728 8230.tmp 4752 827E.tmp 1828 82CC.tmp 1596 831A.tmp 4784 8368.tmp 2704 83B7.tmp 908 8405.tmp 2640 8453.tmp 1668 84A1.tmp 1460 84EF.tmp 2768 853D.tmp 4132 85AB.tmp 2176 8608.tmp 3736 86A5.tmp 1260 8722.tmp 4152 879F.tmp 716 87FC.tmp 4596 885A.tmp 1328 88D7.tmp 768 8983.tmp 5096 8A1F.tmp 4700 8ABB.tmp 1072 8B38.tmp 5084 8BA6.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8D8A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F1F1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 12C8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1C4D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2CD7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 99EE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DB7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11BE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AFB3.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BA14.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C90D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 19FB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D6B9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 344A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 998C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 603C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CAE1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5E86.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BAFE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B229.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7C35.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C52F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B323.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B4E8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 17AA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A8AF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A364.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 969E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C7C0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7C83.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2B80.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D33E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3B7D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9B12.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AA88.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C69C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C985.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AF4B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 823B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9304.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7D6D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7E58.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FB19.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1640 wrote to memory of 3288 1640 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 84 PID 1640 wrote to memory of 3288 1640 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 84 PID 1640 wrote to memory of 3288 1640 2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe 84 PID 3288 wrote to memory of 2108 3288 73B9.tmp 86 PID 3288 wrote to memory of 2108 3288 73B9.tmp 86 PID 3288 wrote to memory of 2108 3288 73B9.tmp 86 PID 2108 wrote to memory of 2628 2108 7436.tmp 87 PID 2108 wrote to memory of 2628 2108 7436.tmp 87 PID 2108 wrote to memory of 2628 2108 7436.tmp 87 PID 2628 wrote to memory of 4692 2628 74A3.tmp 89 PID 2628 wrote to memory of 4692 2628 74A3.tmp 89 PID 2628 wrote to memory of 4692 2628 74A3.tmp 89 PID 4692 wrote to memory of 4060 4692 753F.tmp 91 PID 4692 wrote to memory of 4060 4692 753F.tmp 91 PID 4692 wrote to memory of 4060 4692 753F.tmp 91 PID 4060 wrote to memory of 2768 4060 759D.tmp 92 PID 4060 wrote to memory of 2768 4060 759D.tmp 92 PID 4060 wrote to memory of 2768 4060 759D.tmp 92 PID 2768 wrote to memory of 2760 2768 760B.tmp 93 PID 2768 wrote to memory of 2760 2768 760B.tmp 93 PID 2768 wrote to memory of 2760 2768 760B.tmp 93 PID 2760 wrote to memory of 772 2760 7668.tmp 94 PID 2760 wrote to memory of 772 2760 7668.tmp 94 PID 2760 wrote to memory of 772 2760 7668.tmp 94 PID 772 wrote to memory of 5044 772 76B6.tmp 95 PID 772 wrote to memory of 5044 772 76B6.tmp 95 PID 772 wrote to memory of 5044 772 76B6.tmp 95 PID 5044 wrote to memory of 2072 5044 7724.tmp 96 PID 5044 wrote to memory of 2072 5044 7724.tmp 96 PID 5044 wrote to memory of 2072 5044 7724.tmp 96 PID 2072 wrote to memory of 4932 2072 7782.tmp 97 PID 2072 wrote to memory of 4932 2072 7782.tmp 97 PID 2072 wrote to memory of 4932 2072 7782.tmp 97 PID 4932 wrote to memory of 960 4932 77DF.tmp 98 PID 4932 wrote to memory of 960 4932 77DF.tmp 98 PID 4932 wrote to memory of 960 4932 77DF.tmp 98 PID 960 wrote to memory of 1244 960 785C.tmp 99 PID 960 wrote to memory of 1244 960 785C.tmp 99 PID 960 wrote to memory of 1244 960 785C.tmp 99 PID 1244 wrote to memory of 428 1244 78BA.tmp 100 PID 1244 wrote to memory of 428 1244 78BA.tmp 100 PID 1244 wrote to memory of 428 1244 78BA.tmp 100 PID 428 wrote to memory of 2100 428 7918.tmp 101 PID 428 wrote to memory of 2100 428 7918.tmp 101 PID 428 wrote to memory of 2100 428 7918.tmp 101 PID 2100 wrote to memory of 1988 2100 7966.tmp 102 PID 2100 wrote to memory of 1988 2100 7966.tmp 102 PID 2100 wrote to memory of 1988 2100 7966.tmp 102 PID 1988 wrote to memory of 2096 1988 79B4.tmp 103 PID 1988 wrote to memory of 2096 1988 79B4.tmp 103 PID 1988 wrote to memory of 2096 1988 79B4.tmp 103 PID 2096 wrote to memory of 3276 2096 7A12.tmp 104 PID 2096 wrote to memory of 3276 2096 7A12.tmp 104 PID 2096 wrote to memory of 3276 2096 7A12.tmp 104 PID 3276 wrote to memory of 848 3276 7A60.tmp 105 PID 3276 wrote to memory of 848 3276 7A60.tmp 105 PID 3276 wrote to memory of 848 3276 7A60.tmp 105 PID 848 wrote to memory of 444 848 7AAE.tmp 106 PID 848 wrote to memory of 444 848 7AAE.tmp 106 PID 848 wrote to memory of 444 848 7AAE.tmp 106 PID 444 wrote to memory of 384 444 7B1B.tmp 107 PID 444 wrote to memory of 384 444 7B1B.tmp 107 PID 444 wrote to memory of 384 444 7B1B.tmp 107 PID 384 wrote to memory of 2180 384 7B79.tmp 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_83e94fe242dc79c6b768645d7a1b527e_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\73B9.tmp"C:\Users\Admin\AppData\Local\Temp\73B9.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\7436.tmp"C:\Users\Admin\AppData\Local\Temp\7436.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\74A3.tmp"C:\Users\Admin\AppData\Local\Temp\74A3.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\753F.tmp"C:\Users\Admin\AppData\Local\Temp\753F.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\759D.tmp"C:\Users\Admin\AppData\Local\Temp\759D.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\760B.tmp"C:\Users\Admin\AppData\Local\Temp\760B.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\7668.tmp"C:\Users\Admin\AppData\Local\Temp\7668.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\76B6.tmp"C:\Users\Admin\AppData\Local\Temp\76B6.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Users\Admin\AppData\Local\Temp\7724.tmp"C:\Users\Admin\AppData\Local\Temp\7724.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\7782.tmp"C:\Users\Admin\AppData\Local\Temp\7782.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\77DF.tmp"C:\Users\Admin\AppData\Local\Temp\77DF.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\785C.tmp"C:\Users\Admin\AppData\Local\Temp\785C.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Users\Admin\AppData\Local\Temp\78BA.tmp"C:\Users\Admin\AppData\Local\Temp\78BA.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\7918.tmp"C:\Users\Admin\AppData\Local\Temp\7918.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Users\Admin\AppData\Local\Temp\7966.tmp"C:\Users\Admin\AppData\Local\Temp\7966.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\79B4.tmp"C:\Users\Admin\AppData\Local\Temp\79B4.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\7A12.tmp"C:\Users\Admin\AppData\Local\Temp\7A12.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\7A60.tmp"C:\Users\Admin\AppData\Local\Temp\7A60.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Users\Admin\AppData\Local\Temp\7B79.tmp"C:\Users\Admin\AppData\Local\Temp\7B79.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"23⤵
- Executes dropped EXE
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\7C35.tmp"C:\Users\Admin\AppData\Local\Temp\7C35.tmp"24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\7C83.tmp"C:\Users\Admin\AppData\Local\Temp\7C83.tmp"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"26⤵
- Executes dropped EXE
PID:812 -
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"27⤵
- Executes dropped EXE
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"29⤵
- Executes dropped EXE
PID:548 -
C:\Users\Admin\AppData\Local\Temp\7E09.tmp"C:\Users\Admin\AppData\Local\Temp\7E09.tmp"30⤵
- Executes dropped EXE
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\7E58.tmp"C:\Users\Admin\AppData\Local\Temp\7E58.tmp"31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Users\Admin\AppData\Local\Temp\7EB5.tmp"C:\Users\Admin\AppData\Local\Temp\7EB5.tmp"32⤵
- Executes dropped EXE
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\7F03.tmp"C:\Users\Admin\AppData\Local\Temp\7F03.tmp"33⤵
- Executes dropped EXE
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\7F52.tmp"C:\Users\Admin\AppData\Local\Temp\7F52.tmp"34⤵
- Executes dropped EXE
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\7FA0.tmp"C:\Users\Admin\AppData\Local\Temp\7FA0.tmp"35⤵
- Executes dropped EXE
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"36⤵
- Executes dropped EXE
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\804C.tmp"C:\Users\Admin\AppData\Local\Temp\804C.tmp"37⤵
- Executes dropped EXE
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\809A.tmp"C:\Users\Admin\AppData\Local\Temp\809A.tmp"38⤵
- Executes dropped EXE
PID:116 -
C:\Users\Admin\AppData\Local\Temp\80E8.tmp"C:\Users\Admin\AppData\Local\Temp\80E8.tmp"39⤵
- Executes dropped EXE
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\8136.tmp"C:\Users\Admin\AppData\Local\Temp\8136.tmp"40⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\8194.tmp"C:\Users\Admin\AppData\Local\Temp\8194.tmp"41⤵
- Executes dropped EXE
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\81E2.tmp"C:\Users\Admin\AppData\Local\Temp\81E2.tmp"42⤵
- Executes dropped EXE
PID:3396 -
C:\Users\Admin\AppData\Local\Temp\8230.tmp"C:\Users\Admin\AppData\Local\Temp\8230.tmp"43⤵
- Executes dropped EXE
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\827E.tmp"C:\Users\Admin\AppData\Local\Temp\827E.tmp"44⤵
- Executes dropped EXE
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\82CC.tmp"C:\Users\Admin\AppData\Local\Temp\82CC.tmp"45⤵
- Executes dropped EXE
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\831A.tmp"C:\Users\Admin\AppData\Local\Temp\831A.tmp"46⤵
- Executes dropped EXE
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\8368.tmp"C:\Users\Admin\AppData\Local\Temp\8368.tmp"47⤵
- Executes dropped EXE
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\83B7.tmp"C:\Users\Admin\AppData\Local\Temp\83B7.tmp"48⤵
- Executes dropped EXE
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\8405.tmp"C:\Users\Admin\AppData\Local\Temp\8405.tmp"49⤵
- Executes dropped EXE
PID:908 -
C:\Users\Admin\AppData\Local\Temp\8453.tmp"C:\Users\Admin\AppData\Local\Temp\8453.tmp"50⤵
- Executes dropped EXE
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\84A1.tmp"C:\Users\Admin\AppData\Local\Temp\84A1.tmp"51⤵
- Executes dropped EXE
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\84EF.tmp"C:\Users\Admin\AppData\Local\Temp\84EF.tmp"52⤵
- Executes dropped EXE
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\853D.tmp"C:\Users\Admin\AppData\Local\Temp\853D.tmp"53⤵
- Executes dropped EXE
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\85AB.tmp"C:\Users\Admin\AppData\Local\Temp\85AB.tmp"54⤵
- Executes dropped EXE
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\8608.tmp"C:\Users\Admin\AppData\Local\Temp\8608.tmp"55⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\86A5.tmp"C:\Users\Admin\AppData\Local\Temp\86A5.tmp"56⤵
- Executes dropped EXE
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\8722.tmp"C:\Users\Admin\AppData\Local\Temp\8722.tmp"57⤵
- Executes dropped EXE
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\879F.tmp"C:\Users\Admin\AppData\Local\Temp\879F.tmp"58⤵
- Executes dropped EXE
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\87FC.tmp"C:\Users\Admin\AppData\Local\Temp\87FC.tmp"59⤵
- Executes dropped EXE
PID:716 -
C:\Users\Admin\AppData\Local\Temp\885A.tmp"C:\Users\Admin\AppData\Local\Temp\885A.tmp"60⤵
- Executes dropped EXE
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\88D7.tmp"C:\Users\Admin\AppData\Local\Temp\88D7.tmp"61⤵
- Executes dropped EXE
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\8983.tmp"C:\Users\Admin\AppData\Local\Temp\8983.tmp"62⤵
- Executes dropped EXE
PID:768 -
C:\Users\Admin\AppData\Local\Temp\8A1F.tmp"C:\Users\Admin\AppData\Local\Temp\8A1F.tmp"63⤵
- Executes dropped EXE
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"64⤵
- Executes dropped EXE
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\8B38.tmp"C:\Users\Admin\AppData\Local\Temp\8B38.tmp"65⤵
- Executes dropped EXE
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\8BA6.tmp"C:\Users\Admin\AppData\Local\Temp\8BA6.tmp"66⤵
- Executes dropped EXE
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\8C23.tmp"C:\Users\Admin\AppData\Local\Temp\8C23.tmp"67⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\8C81.tmp"C:\Users\Admin\AppData\Local\Temp\8C81.tmp"68⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\8CDE.tmp"C:\Users\Admin\AppData\Local\Temp\8CDE.tmp"69⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"70⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"71⤵
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"72⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\8E26.tmp"C:\Users\Admin\AppData\Local\Temp\8E26.tmp"73⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\8E94.tmp"C:\Users\Admin\AppData\Local\Temp\8E94.tmp"74⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\8EF2.tmp"C:\Users\Admin\AppData\Local\Temp\8EF2.tmp"75⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\8F4F.tmp"C:\Users\Admin\AppData\Local\Temp\8F4F.tmp"76⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\8F9D.tmp"C:\Users\Admin\AppData\Local\Temp\8F9D.tmp"77⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"78⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\9049.tmp"C:\Users\Admin\AppData\Local\Temp\9049.tmp"79⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\90A7.tmp"C:\Users\Admin\AppData\Local\Temp\90A7.tmp"80⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\90F5.tmp"C:\Users\Admin\AppData\Local\Temp\90F5.tmp"81⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\9143.tmp"C:\Users\Admin\AppData\Local\Temp\9143.tmp"82⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\9191.tmp"C:\Users\Admin\AppData\Local\Temp\9191.tmp"83⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\91E0.tmp"C:\Users\Admin\AppData\Local\Temp\91E0.tmp"84⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\924D.tmp"C:\Users\Admin\AppData\Local\Temp\924D.tmp"85⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\929B.tmp"C:\Users\Admin\AppData\Local\Temp\929B.tmp"86⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\92E9.tmp"C:\Users\Admin\AppData\Local\Temp\92E9.tmp"87⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\9337.tmp"C:\Users\Admin\AppData\Local\Temp\9337.tmp"88⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\93A5.tmp"C:\Users\Admin\AppData\Local\Temp\93A5.tmp"89⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\9402.tmp"C:\Users\Admin\AppData\Local\Temp\9402.tmp"90⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\9451.tmp"C:\Users\Admin\AppData\Local\Temp\9451.tmp"91⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\94AE.tmp"C:\Users\Admin\AppData\Local\Temp\94AE.tmp"92⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\94FC.tmp"C:\Users\Admin\AppData\Local\Temp\94FC.tmp"93⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\955A.tmp"C:\Users\Admin\AppData\Local\Temp\955A.tmp"94⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\95B8.tmp"C:\Users\Admin\AppData\Local\Temp\95B8.tmp"95⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\9616.tmp"C:\Users\Admin\AppData\Local\Temp\9616.tmp"96⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\9664.tmp"C:\Users\Admin\AppData\Local\Temp\9664.tmp"97⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\96B2.tmp"C:\Users\Admin\AppData\Local\Temp\96B2.tmp"98⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\9700.tmp"C:\Users\Admin\AppData\Local\Temp\9700.tmp"99⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\975E.tmp"C:\Users\Admin\AppData\Local\Temp\975E.tmp"100⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\97AC.tmp"C:\Users\Admin\AppData\Local\Temp\97AC.tmp"101⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\97FA.tmp"C:\Users\Admin\AppData\Local\Temp\97FA.tmp"102⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\9848.tmp"C:\Users\Admin\AppData\Local\Temp\9848.tmp"103⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\98A6.tmp"C:\Users\Admin\AppData\Local\Temp\98A6.tmp"104⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\98F4.tmp"C:\Users\Admin\AppData\Local\Temp\98F4.tmp"105⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\9942.tmp"C:\Users\Admin\AppData\Local\Temp\9942.tmp"106⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\99A0.tmp"C:\Users\Admin\AppData\Local\Temp\99A0.tmp"107⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\99EE.tmp"C:\Users\Admin\AppData\Local\Temp\99EE.tmp"108⤵
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\9A4C.tmp"C:\Users\Admin\AppData\Local\Temp\9A4C.tmp"109⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\9AAA.tmp"C:\Users\Admin\AppData\Local\Temp\9AAA.tmp"110⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\9AF8.tmp"C:\Users\Admin\AppData\Local\Temp\9AF8.tmp"111⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\9B46.tmp"C:\Users\Admin\AppData\Local\Temp\9B46.tmp"112⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\9B94.tmp"C:\Users\Admin\AppData\Local\Temp\9B94.tmp"113⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\9BE2.tmp"C:\Users\Admin\AppData\Local\Temp\9BE2.tmp"114⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\9C30.tmp"C:\Users\Admin\AppData\Local\Temp\9C30.tmp"115⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\9C8E.tmp"C:\Users\Admin\AppData\Local\Temp\9C8E.tmp"116⤵PID:716
-
C:\Users\Admin\AppData\Local\Temp\9CEC.tmp"C:\Users\Admin\AppData\Local\Temp\9CEC.tmp"117⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\9D49.tmp"C:\Users\Admin\AppData\Local\Temp\9D49.tmp"118⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\9D98.tmp"C:\Users\Admin\AppData\Local\Temp\9D98.tmp"119⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\9DE6.tmp"C:\Users\Admin\AppData\Local\Temp\9DE6.tmp"120⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\9E43.tmp"C:\Users\Admin\AppData\Local\Temp\9E43.tmp"121⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\9EA1.tmp"C:\Users\Admin\AppData\Local\Temp\9EA1.tmp"122⤵PID:4052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-