Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/08/2024, 09:51
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe
-
Size
520KB
-
MD5
8d3d530832566588512b06d79e1379a2
-
SHA1
aae02a4848d889c8bd98fc9201ec3c9c43b00d89
-
SHA256
730524ea61a579131ef1b5d74f78a6b82e390408f72b32343e32ee93fb1bb647
-
SHA512
ed8cffa48960cb7fb499bbb6c20d77615d2fa248e679279e3fd05399df428f8527420ff0ad32daf9375eb0d7dbea21fe1a911a8e3a8bd32735ada03e54b96dc8
-
SSDEEP
12288:roRXOQjmOyVaejlkRzjZwENkuHxmzjGgNZ:rogQ9ybCjZEGgN
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_8d3d530832566588512b06d79e1379a2_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\A77B.tmp"C:\Users\Admin\AppData\Local\Temp\A77B.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\A7D9.tmp"C:\Users\Admin\AppData\Local\Temp\A7D9.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\A856.tmp"C:\Users\Admin\AppData\Local\Temp\A856.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\A8E2.tmp"C:\Users\Admin\AppData\Local\Temp\A8E2.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\A940.tmp"C:\Users\Admin\AppData\Local\Temp\A940.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\A99E.tmp"C:\Users\Admin\AppData\Local\Temp\A99E.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\A9FB.tmp"C:\Users\Admin\AppData\Local\Temp\A9FB.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\AA78.tmp"C:\Users\Admin\AppData\Local\Temp\AA78.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\AAE6.tmp"C:\Users\Admin\AppData\Local\Temp\AAE6.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Users\Admin\AppData\Local\Temp\AB82.tmp"C:\Users\Admin\AppData\Local\Temp\AB82.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Users\Admin\AppData\Local\Temp\AC0F.tmp"C:\Users\Admin\AppData\Local\Temp\AC0F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\AC7C.tmp"C:\Users\Admin\AppData\Local\Temp\AC7C.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Users\Admin\AppData\Local\Temp\ACE9.tmp"C:\Users\Admin\AppData\Local\Temp\ACE9.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\AD86.tmp"C:\Users\Admin\AppData\Local\Temp\AD86.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\ADE3.tmp"C:\Users\Admin\AppData\Local\Temp\ADE3.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\AE41.tmp"C:\Users\Admin\AppData\Local\Temp\AE41.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\AEBE.tmp"C:\Users\Admin\AppData\Local\Temp\AEBE.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\AF3B.tmp"C:\Users\Admin\AppData\Local\Temp\AF3B.tmp"19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Users\Admin\AppData\Local\Temp\AF99.tmp"C:\Users\Admin\AppData\Local\Temp\AF99.tmp"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\B026.tmp"C:\Users\Admin\AppData\Local\Temp\B026.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Users\Admin\AppData\Local\Temp\B0B2.tmp"C:\Users\Admin\AppData\Local\Temp\B0B2.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\B120.tmp"C:\Users\Admin\AppData\Local\Temp\B120.tmp"23⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\B19D.tmp"C:\Users\Admin\AppData\Local\Temp\B19D.tmp"24⤵
- Executes dropped EXE
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\B20A.tmp"C:\Users\Admin\AppData\Local\Temp\B20A.tmp"25⤵
- Executes dropped EXE
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\B297.tmp"C:\Users\Admin\AppData\Local\Temp\B297.tmp"26⤵
- Executes dropped EXE
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\B333.tmp"C:\Users\Admin\AppData\Local\Temp\B333.tmp"27⤵
- Executes dropped EXE
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\B391.tmp"C:\Users\Admin\AppData\Local\Temp\B391.tmp"28⤵
- Executes dropped EXE
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\B3EE.tmp"C:\Users\Admin\AppData\Local\Temp\B3EE.tmp"29⤵
- Executes dropped EXE
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\B47B.tmp"C:\Users\Admin\AppData\Local\Temp\B47B.tmp"30⤵
- Executes dropped EXE
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\B4F8.tmp"C:\Users\Admin\AppData\Local\Temp\B4F8.tmp"31⤵
- Executes dropped EXE
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\B565.tmp"C:\Users\Admin\AppData\Local\Temp\B565.tmp"32⤵
- Executes dropped EXE
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\B5C3.tmp"C:\Users\Admin\AppData\Local\Temp\B5C3.tmp"33⤵
- Executes dropped EXE
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\B650.tmp"C:\Users\Admin\AppData\Local\Temp\B650.tmp"34⤵
- Executes dropped EXE
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\B69E.tmp"C:\Users\Admin\AppData\Local\Temp\B69E.tmp"35⤵
- Executes dropped EXE
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"36⤵
- Executes dropped EXE
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\B74A.tmp"C:\Users\Admin\AppData\Local\Temp\B74A.tmp"37⤵
- Executes dropped EXE
PID:3236 -
C:\Users\Admin\AppData\Local\Temp\B798.tmp"C:\Users\Admin\AppData\Local\Temp\B798.tmp"38⤵
- Executes dropped EXE
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\B7F6.tmp"C:\Users\Admin\AppData\Local\Temp\B7F6.tmp"39⤵
- Executes dropped EXE
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\B853.tmp"C:\Users\Admin\AppData\Local\Temp\B853.tmp"40⤵
- Executes dropped EXE
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\B8C1.tmp"C:\Users\Admin\AppData\Local\Temp\B8C1.tmp"41⤵
- Executes dropped EXE
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\B91E.tmp"C:\Users\Admin\AppData\Local\Temp\B91E.tmp"42⤵
- Executes dropped EXE
PID:316 -
C:\Users\Admin\AppData\Local\Temp\B97C.tmp"C:\Users\Admin\AppData\Local\Temp\B97C.tmp"43⤵
- Executes dropped EXE
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\B9DA.tmp"C:\Users\Admin\AppData\Local\Temp\B9DA.tmp"44⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\BA47.tmp"C:\Users\Admin\AppData\Local\Temp\BA47.tmp"45⤵
- Executes dropped EXE
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\BAA5.tmp"C:\Users\Admin\AppData\Local\Temp\BAA5.tmp"46⤵
- Executes dropped EXE
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\BB12.tmp"C:\Users\Admin\AppData\Local\Temp\BB12.tmp"47⤵
- Executes dropped EXE
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\BB80.tmp"C:\Users\Admin\AppData\Local\Temp\BB80.tmp"48⤵
- Executes dropped EXE
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\BBED.tmp"C:\Users\Admin\AppData\Local\Temp\BBED.tmp"49⤵
- Executes dropped EXE
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"50⤵
- Executes dropped EXE
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\BCA9.tmp"C:\Users\Admin\AppData\Local\Temp\BCA9.tmp"51⤵
- Executes dropped EXE
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\BD06.tmp"C:\Users\Admin\AppData\Local\Temp\BD06.tmp"52⤵
- Executes dropped EXE
PID:3352 -
C:\Users\Admin\AppData\Local\Temp\BD74.tmp"C:\Users\Admin\AppData\Local\Temp\BD74.tmp"53⤵
- Executes dropped EXE
PID:684 -
C:\Users\Admin\AppData\Local\Temp\BDE1.tmp"C:\Users\Admin\AppData\Local\Temp\BDE1.tmp"54⤵
- Executes dropped EXE
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\BE3F.tmp"C:\Users\Admin\AppData\Local\Temp\BE3F.tmp"55⤵
- Executes dropped EXE
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\BEAC.tmp"C:\Users\Admin\AppData\Local\Temp\BEAC.tmp"56⤵
- Executes dropped EXE
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\BF0A.tmp"C:\Users\Admin\AppData\Local\Temp\BF0A.tmp"57⤵
- Executes dropped EXE
PID:392 -
C:\Users\Admin\AppData\Local\Temp\BF77.tmp"C:\Users\Admin\AppData\Local\Temp\BF77.tmp"58⤵
- Executes dropped EXE
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\BFD5.tmp"C:\Users\Admin\AppData\Local\Temp\BFD5.tmp"59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\C033.tmp"C:\Users\Admin\AppData\Local\Temp\C033.tmp"60⤵
- Executes dropped EXE
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\C091.tmp"C:\Users\Admin\AppData\Local\Temp\C091.tmp"61⤵
- Executes dropped EXE
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\C0EE.tmp"C:\Users\Admin\AppData\Local\Temp\C0EE.tmp"62⤵
- Executes dropped EXE
PID:400 -
C:\Users\Admin\AppData\Local\Temp\C14C.tmp"C:\Users\Admin\AppData\Local\Temp\C14C.tmp"63⤵
- Executes dropped EXE
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\C1AA.tmp"C:\Users\Admin\AppData\Local\Temp\C1AA.tmp"64⤵
- Executes dropped EXE
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\C217.tmp"C:\Users\Admin\AppData\Local\Temp\C217.tmp"65⤵
- Executes dropped EXE
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\C275.tmp"C:\Users\Admin\AppData\Local\Temp\C275.tmp"66⤵
- Executes dropped EXE
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\C2D3.tmp"C:\Users\Admin\AppData\Local\Temp\C2D3.tmp"67⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\C331.tmp"C:\Users\Admin\AppData\Local\Temp\C331.tmp"68⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\C38E.tmp"C:\Users\Admin\AppData\Local\Temp\C38E.tmp"69⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\C3FC.tmp"C:\Users\Admin\AppData\Local\Temp\C3FC.tmp"70⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\C459.tmp"C:\Users\Admin\AppData\Local\Temp\C459.tmp"71⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\C4B7.tmp"C:\Users\Admin\AppData\Local\Temp\C4B7.tmp"72⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\C505.tmp"C:\Users\Admin\AppData\Local\Temp\C505.tmp"73⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\C563.tmp"C:\Users\Admin\AppData\Local\Temp\C563.tmp"74⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\C5C1.tmp"C:\Users\Admin\AppData\Local\Temp\C5C1.tmp"75⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\C61F.tmp"C:\Users\Admin\AppData\Local\Temp\C61F.tmp"76⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\C68C.tmp"C:\Users\Admin\AppData\Local\Temp\C68C.tmp"77⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\C6EA.tmp"C:\Users\Admin\AppData\Local\Temp\C6EA.tmp"78⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\C757.tmp"C:\Users\Admin\AppData\Local\Temp\C757.tmp"79⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\C7B5.tmp"C:\Users\Admin\AppData\Local\Temp\C7B5.tmp"80⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\C803.tmp"C:\Users\Admin\AppData\Local\Temp\C803.tmp"81⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\C851.tmp"C:\Users\Admin\AppData\Local\Temp\C851.tmp"82⤵
- System Location Discovery: System Language Discovery
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\C8BE.tmp"C:\Users\Admin\AppData\Local\Temp\C8BE.tmp"83⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\C91C.tmp"C:\Users\Admin\AppData\Local\Temp\C91C.tmp"84⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\C97A.tmp"C:\Users\Admin\AppData\Local\Temp\C97A.tmp"85⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\C9D8.tmp"C:\Users\Admin\AppData\Local\Temp\C9D8.tmp"86⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\CA35.tmp"C:\Users\Admin\AppData\Local\Temp\CA35.tmp"87⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\CAA3.tmp"C:\Users\Admin\AppData\Local\Temp\CAA3.tmp"88⤵PID:3276
-
C:\Users\Admin\AppData\Local\Temp\CB01.tmp"C:\Users\Admin\AppData\Local\Temp\CB01.tmp"89⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\CB4F.tmp"C:\Users\Admin\AppData\Local\Temp\CB4F.tmp"90⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\CBAC.tmp"C:\Users\Admin\AppData\Local\Temp\CBAC.tmp"91⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\CC0A.tmp"C:\Users\Admin\AppData\Local\Temp\CC0A.tmp"92⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\CC68.tmp"C:\Users\Admin\AppData\Local\Temp\CC68.tmp"93⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\CCC6.tmp"C:\Users\Admin\AppData\Local\Temp\CCC6.tmp"94⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\CD14.tmp"C:\Users\Admin\AppData\Local\Temp\CD14.tmp"95⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\CD72.tmp"C:\Users\Admin\AppData\Local\Temp\CD72.tmp"96⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\CDC0.tmp"C:\Users\Admin\AppData\Local\Temp\CDC0.tmp"97⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\CE0E.tmp"C:\Users\Admin\AppData\Local\Temp\CE0E.tmp"98⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\CE5C.tmp"C:\Users\Admin\AppData\Local\Temp\CE5C.tmp"99⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\CEAA.tmp"C:\Users\Admin\AppData\Local\Temp\CEAA.tmp"100⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\CF08.tmp"C:\Users\Admin\AppData\Local\Temp\CF08.tmp"101⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\CF56.tmp"C:\Users\Admin\AppData\Local\Temp\CF56.tmp"102⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\CFA4.tmp"C:\Users\Admin\AppData\Local\Temp\CFA4.tmp"103⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\D002.tmp"C:\Users\Admin\AppData\Local\Temp\D002.tmp"104⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\D060.tmp"C:\Users\Admin\AppData\Local\Temp\D060.tmp"105⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\D0BD.tmp"C:\Users\Admin\AppData\Local\Temp\D0BD.tmp"106⤵PID:100
-
C:\Users\Admin\AppData\Local\Temp\D10B.tmp"C:\Users\Admin\AppData\Local\Temp\D10B.tmp"107⤵
- System Location Discovery: System Language Discovery
PID:4088 -
C:\Users\Admin\AppData\Local\Temp\D15A.tmp"C:\Users\Admin\AppData\Local\Temp\D15A.tmp"108⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\D1B7.tmp"C:\Users\Admin\AppData\Local\Temp\D1B7.tmp"109⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\D215.tmp"C:\Users\Admin\AppData\Local\Temp\D215.tmp"110⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\D273.tmp"C:\Users\Admin\AppData\Local\Temp\D273.tmp"111⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\D2C1.tmp"C:\Users\Admin\AppData\Local\Temp\D2C1.tmp"112⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\D32E.tmp"C:\Users\Admin\AppData\Local\Temp\D32E.tmp"113⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\D38C.tmp"C:\Users\Admin\AppData\Local\Temp\D38C.tmp"114⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\D3EA.tmp"C:\Users\Admin\AppData\Local\Temp\D3EA.tmp"115⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\D438.tmp"C:\Users\Admin\AppData\Local\Temp\D438.tmp"116⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\D496.tmp"C:\Users\Admin\AppData\Local\Temp\D496.tmp"117⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\D4E4.tmp"C:\Users\Admin\AppData\Local\Temp\D4E4.tmp"118⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\D542.tmp"C:\Users\Admin\AppData\Local\Temp\D542.tmp"119⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\D590.tmp"C:\Users\Admin\AppData\Local\Temp\D590.tmp"120⤵PID:4500
-
C:\Users\Admin\AppData\Local\Temp\D5DE.tmp"C:\Users\Admin\AppData\Local\Temp\D5DE.tmp"121⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\D62C.tmp"C:\Users\Admin\AppData\Local\Temp\D62C.tmp"122⤵PID:1568
-