Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-09-2024 04:14

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-09-06_b2f57b75ba53c29f6210b26fb4945f5c_mafia.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 2024-09-06_b2f57b75ba53c29f6210b26fb4945f5c_mafia.exe
- Resource: win10v2004-20240802-en

General
- Target: 2024-09-06_b2f57b75ba53c29f6210b26fb4945f5c_mafia.exe
- Size: 712KB
- MD5: b2f57b75ba53c29f6210b26fb4945f5c
- SHA1: c9b125a9f783df585a2cf7af93125a8eb8ffd9b9
- SHA256: eaa31be9359caf584b40ee82ffba8987d935109ec6cd4287447eeddc75755914
- SHA512: 04798cef00da944fedb5691beb8c80a382b3bcb190f4e498f4a70be0131324d61d9bf8eb3dbcf4e202226db5b5e0a6a0cabaa032dd362b49d0ef49ff38ff3816
- SSDEEP: 12288:FU5rCOTeiDKUTnjXu78VTD/m7/oMW7UW7NZdCvq5TJLCvY90D8/LVBlVk736Y79m:FUQOJDLTzu78V//m7/oMQUONnCvq5TJH
Malware Config

Signatures

- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-09-06_b2f57b75ba53c29f6210b26fb4945f5c_mafia.exe "C:\Users\Admin\AppData\Local\Temp\2024-09-06_b2f57b75ba53c29f6210b26fb4945f5c_mafia.exe" (PID 2168)
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\B508.tmp "C:\Users\Admin\AppData\Local\Temp\B508.tmp" (PID 4112)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\B594.tmp "C:\Users\Admin\AppData\Local\Temp\B594.tmp" (PID 1172)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\B611.tmp "C:\Users\Admin\AppData\Local\Temp\B611.tmp" (PID 3612)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Local\Temp\B68E.tmp "C:\Users\Admin\AppData\Local\Temp\B68E.tmp" (PID 3276)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\B70B.tmp "C:\Users\Admin\AppData\Local\Temp\B70B.tmp" (PID 4500)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Local\Temp\B788.tmp "C:\Users\Admin\AppData\Local\Temp\B788.tmp" (PID 4908)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Local\Temp\B7D6.tmp "C:\Users\Admin\AppData\Local\Temp\B7D6.tmp" (PID 1704)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Users\Admin\AppData\Local\Temp\B834.tmp "C:\Users\Admin\AppData\Local\Temp\B834.tmp" (PID 636)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Users\Admin\AppData\Local\Temp\B8A1.tmp "C:\Users\Admin\AppData\Local\Temp\B8A1.tmp" (PID 5116)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Users\Admin\AppData\Local\Temp\B8F0.tmp "C:\Users\Admin\AppData\Local\Temp\B8F0.tmp" (PID 1648)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Users\Admin\AppData\Local\Temp\B94D.tmp "C:\Users\Admin\AppData\Local\Temp\B94D.tmp" (PID 4412)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Users\Admin\AppData\Local\Temp\B9AB.tmp "C:\Users\Admin\AppData\Local\Temp\B9AB.tmp" (PID 3596)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Users\Admin\AppData\Local\Temp\BA28.tmp "C:\Users\Admin\AppData\Local\Temp\BA28.tmp" (PID 516)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Users\Admin\AppData\Local\Temp\BA86.tmp "C:\Users\Admin\AppData\Local\Temp\BA86.tmp" (PID 2340)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Users\Admin\AppData\Local\Temp\BAE4.tmp "C:\Users\Admin\AppData\Local\Temp\BAE4.tmp" (PID 4720)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Users\Admin\AppData\Local\Temp\BB32.tmp "C:\Users\Admin\AppData\Local\Temp\BB32.tmp" (PID 2836)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Users\Admin\AppData\Local\Temp\BB8F.tmp "C:\Users\Admin\AppData\Local\Temp\BB8F.tmp" (PID 3100)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Users\Admin\AppData\Local\Temp\BBFD.tmp "C:\Users\Admin\AppData\Local\Temp\BBFD.tmp" (PID 3212)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Users\Admin\AppData\Local\Temp\BC6A.tmp "C:\Users\Admin\AppData\Local\Temp\BC6A.tmp" (PID 2520)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Users\Admin\AppData\Local\Temp\BCE7.tmp "C:\Users\Admin\AppData\Local\Temp\BCE7.tmp" (PID 2240)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Users\Admin\AppData\Local\Temp\BD64.tmp "C:\Users\Admin\AppData\Local\Temp\BD64.tmp" (PID 3892)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Users\Admin\AppData\Local\Temp\BDC2.tmp "C:\Users\Admin\AppData\Local\Temp\BDC2.tmp" (PID 4956)
   - Executes dropped EXE
24. C:\Users\Admin\AppData\Local\Temp\BE10.tmp "C:\Users\Admin\AppData\Local\Temp\BE10.tmp" (PID 1932)
   - Executes dropped EXE
25. C:\Users\Admin\AppData\Local\Temp\BE7D.tmp "C:\Users\Admin\AppData\Local\Temp\BE7D.tmp" (PID 2108)
   - Executes dropped EXE
26. C:\Users\Admin\AppData\Local\Temp\BEDB.tmp "C:\Users\Admin\AppData\Local\Temp\BEDB.tmp" (PID 3484)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
27. C:\Users\Admin\AppData\Local\Temp\BF68.tmp "C:\Users\Admin\AppData\Local\Temp\BF68.tmp" (PID 5092)
   - Executes dropped EXE
28. C:\Users\Admin\AppData\Local\Temp\BFF4.tmp "C:\Users\Admin\AppData\Local\Temp\BFF4.tmp" (PID 812)
   - Executes dropped EXE
29. C:\Users\Admin\AppData\Local\Temp\C052.tmp "C:\Users\Admin\AppData\Local\Temp\C052.tmp" (PID 4708)
   - Executes dropped EXE
30. C:\Users\Admin\AppData\Local\Temp\C091.tmp "C:\Users\Admin\AppData\Local\Temp\C091.tmp" (PID 1492)
   - Executes dropped EXE
31. C:\Users\Admin\AppData\Local\Temp\C0EE.tmp "C:\Users\Admin\AppData\Local\Temp\C0EE.tmp" (PID 1592)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
32. C:\Users\Admin\AppData\Local\Temp\C13D.tmp "C:\Users\Admin\AppData\Local\Temp\C13D.tmp" (PID 2100)
   - Executes dropped EXE
33. C:\Users\Admin\AppData\Local\Temp\C18B.tmp "C:\Users\Admin\AppData\Local\Temp\C18B.tmp" (PID 960)
   - Executes dropped EXE
34. C:\Users\Admin\AppData\Local\Temp\C208.tmp "C:\Users\Admin\AppData\Local\Temp\C208.tmp" (PID 1652)
   - Executes dropped EXE
35. C:\Users\Admin\AppData\Local\Temp\C265.tmp "C:\Users\Admin\AppData\Local\Temp\C265.tmp" (PID 2824)
   - Executes dropped EXE
36. C:\Users\Admin\AppData\Local\Temp\C2B4.tmp "C:\Users\Admin\AppData\Local\Temp\C2B4.tmp" (PID 2408)
   - Executes dropped EXE
37. C:\Users\Admin\AppData\Local\Temp\C311.tmp "C:\Users\Admin\AppData\Local\Temp\C311.tmp" (PID 1308)
   - Executes dropped EXE
38. C:\Users\Admin\AppData\Local\Temp\C35F.tmp "C:\Users\Admin\AppData\Local\Temp\C35F.tmp" (PID 4800)
   - Executes dropped EXE
39. C:\Users\Admin\AppData\Local\Temp\C3CD.tmp "C:\Users\Admin\AppData\Local\Temp\C3CD.tmp" (PID 1996)
   - Executes dropped EXE
40. C:\Users\Admin\AppData\Local\Temp\C42B.tmp "C:\Users\Admin\AppData\Local\Temp\C42B.tmp" (PID 4996)
   - Executes dropped EXE
41. C:\Users\Admin\AppData\Local\Temp\C488.tmp "C:\Users\Admin\AppData\Local\Temp\C488.tmp" (PID 224)
   - Executes dropped EXE
42. C:\Users\Admin\AppData\Local\Temp\C4E6.tmp "C:\Users\Admin\AppData\Local\Temp\C4E6.tmp" (PID 1232)
43. C:\Users\Admin\AppData\Local\Temp\C544.tmp "C:\Users\Admin\AppData\Local\Temp\C544.tmp" (PID 1128)
   - Executes dropped EXE
44. C:\Users\Admin\AppData\Local\Temp\C592.tmp "C:\Users\Admin\AppData\Local\Temp\C592.tmp" (PID 5056)
   - Executes dropped EXE
45. C:\Users\Admin\AppData\Local\Temp\C5E0.tmp "C:\Users\Admin\AppData\Local\Temp\C5E0.tmp" (PID 728)
   - Executes dropped EXE
46. C:\Users\Admin\AppData\Local\Temp\C63E.tmp "C:\Users\Admin\AppData\Local\Temp\C63E.tmp" (PID 2252)
   - Executes dropped EXE
47. C:\Users\Admin\AppData\Local\Temp\C69C.tmp "C:\Users\Admin\AppData\Local\Temp\C69C.tmp" (PID 4500)
   - Executes dropped EXE
48. C:\Users\Admin\AppData\Local\Temp\C6F9.tmp "C:\Users\Admin\AppData\Local\Temp\C6F9.tmp" (PID 3112)
   - Executes dropped EXE
49. C:\Users\Admin\AppData\Local\Temp\C757.tmp "C:\Users\Admin\AppData\Local\Temp\C757.tmp" (PID 3120)
   - Executes dropped EXE
50. C:\Users\Admin\AppData\Local\Temp\C7C4.tmp "C:\Users\Admin\AppData\Local\Temp\C7C4.tmp" (PID 2380)
   - Executes dropped EXE
51. C:\Users\Admin\AppData\Local\Temp\C822.tmp "C:\Users\Admin\AppData\Local\Temp\C822.tmp" (PID 876)
   - Executes dropped EXE
52. C:\Users\Admin\AppData\Local\Temp\C880.tmp "C:\Users\Admin\AppData\Local\Temp\C880.tmp" (PID 3992)
   - Executes dropped EXE
53. C:\Users\Admin\AppData\Local\Temp\C8CE.tmp "C:\Users\Admin\AppData\Local\Temp\C8CE.tmp" (PID 2088)
   - Executes dropped EXE
54. C:\Users\Admin\AppData\Local\Temp\C92C.tmp "C:\Users\Admin\AppData\Local\Temp\C92C.tmp" (PID 3828)
   - Executes dropped EXE
55. C:\Users\Admin\AppData\Local\Temp\C98A.tmp "C:\Users\Admin\AppData\Local\Temp\C98A.tmp" (PID 1040)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
56. C:\Users\Admin\AppData\Local\Temp\C9D8.tmp "C:\Users\Admin\AppData\Local\Temp\C9D8.tmp" (PID 5096)
   - Executes dropped EXE
57. C:\Users\Admin\AppData\Local\Temp\CA35.tmp "C:\Users\Admin\AppData\Local\Temp\CA35.tmp" (PID 5000)
   - Executes dropped EXE
58. C:\Users\Admin\AppData\Local\Temp\CA93.tmp "C:\Users\Admin\AppData\Local\Temp\CA93.tmp" (PID 516)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
59. C:\Users\Admin\AppData\Local\Temp\CAF1.tmp "C:\Users\Admin\AppData\Local\Temp\CAF1.tmp" (PID 4436)
   - Executes dropped EXE
60. C:\Users\Admin\AppData\Local\Temp\CB4F.tmp "C:\Users\Admin\AppData\Local\Temp\CB4F.tmp" (PID 3600)
   - Executes dropped EXE
61. C:\Users\Admin\AppData\Local\Temp\CBAC.tmp "C:\Users\Admin\AppData\Local\Temp\CBAC.tmp" (PID 628)
   - Executes dropped EXE
62. C:\Users\Admin\AppData\Local\Temp\CBFB.tmp "C:\Users\Admin\AppData\Local\Temp\CBFB.tmp" (PID 3080)
   - Executes dropped EXE
63. C:\Users\Admin\AppData\Local\Temp\CC58.tmp "C:\Users\Admin\AppData\Local\Temp\CC58.tmp" (PID 688)
   - Executes dropped EXE
64. C:\Users\Admin\AppData\Local\Temp\CCB6.tmp "C:\Users\Admin\AppData\Local\Temp\CCB6.tmp" (PID 2748)
   - Executes dropped EXE
65. C:\Users\Admin\AppData\Local\Temp\CD14.tmp "C:\Users\Admin\AppData\Local\Temp\CD14.tmp" (PID 4280)
   - Executes dropped EXE
66. C:\Users\Admin\AppData\Local\Temp\CD72.tmp "C:\Users\Admin\AppData\Local\Temp\CD72.tmp" (PID 2436)
   - Executes dropped EXE
67. C:\Users\Admin\AppData\Local\Temp\CDCF.tmp "C:\Users\Admin\AppData\Local\Temp\CDCF.tmp" (PID 2000)
68. C:\Users\Admin\AppData\Local\Temp\CE2D.tmp "C:\Users\Admin\AppData\Local\Temp\CE2D.tmp" (PID 1972)
69. C:\Users\Admin\AppData\Local\Temp\CE8B.tmp "C:\Users\Admin\AppData\Local\Temp\CE8B.tmp" (PID 4164)
70. C:\Users\Admin\AppData\Local\Temp\CEE9.tmp "C:\Users\Admin\AppData\Local\Temp\CEE9.tmp" (PID 2964)
71. C:\Users\Admin\AppData\Local\Temp\CF46.tmp "C:\Users\Admin\AppData\Local\Temp\CF46.tmp" (PID 2536)
72. C:\Users\Admin\AppData\Local\Temp\CF94.tmp "C:\Users\Admin\AppData\Local\Temp\CF94.tmp" (PID 2184)
73. C:\Users\Admin\AppData\Local\Temp\CFF2.tmp "C:\Users\Admin\AppData\Local\Temp\CFF2.tmp" (PID 2248)
74. C:\Users\Admin\AppData\Local\Temp\D050.tmp "C:\Users\Admin\AppData\Local\Temp\D050.tmp" (PID 4956)
75. C:\Users\Admin\AppData\Local\Temp\D0AE.tmp "C:\Users\Admin\AppData\Local\Temp\D0AE.tmp" (PID 264)
76. C:\Users\Admin\AppData\Local\Temp\D0FC.tmp "C:\Users\Admin\AppData\Local\Temp\D0FC.tmp" (PID 4488)
77. C:\Users\Admin\AppData\Local\Temp\D15A.tmp "C:\Users\Admin\AppData\Local\Temp\D15A.tmp" (PID 4364)
78. C:\Users\Admin\AppData\Local\Temp\D1B7.tmp "C:\Users\Admin\AppData\Local\Temp\D1B7.tmp" (PID 2108)
79. C:\Users\Admin\AppData\Local\Temp\D215.tmp "C:\Users\Admin\AppData\Local\Temp\D215.tmp" (PID 2160)
   - System Location Discovery: System Language Discovery
80. C:\Users\Admin\AppData\Local\Temp\D273.tmp "C:\Users\Admin\AppData\Local\Temp\D273.tmp" (PID 756)
81. C:\Users\Admin\AppData\Local\Temp\D2C1.tmp "C:\Users\Admin\AppData\Local\Temp\D2C1.tmp" (PID 3024)
82. C:\Users\Admin\AppData\Local\Temp\D31F.tmp "C:\Users\Admin\AppData\Local\Temp\D31F.tmp" (PID 2584)
83. C:\Users\Admin\AppData\Local\Temp\D36D.tmp "C:\Users\Admin\AppData\Local\Temp\D36D.tmp" (PID 812)
   - System Location Discovery: System Language Discovery
84. C:\Users\Admin\AppData\Local\Temp\D3CB.tmp "C:\Users\Admin\AppData\Local\Temp\D3CB.tmp" (PID 4708)
85. C:\Users\Admin\AppData\Local\Temp\D419.tmp "C:\Users\Admin\AppData\Local\Temp\D419.tmp" (PID 1408)
86. C:\Users\Admin\AppData\Local\Temp\D467.tmp "C:\Users\Admin\AppData\Local\Temp\D467.tmp" (PID 3560)
87. C:\Users\Admin\AppData\Local\Temp\D4B5.tmp "C:\Users\Admin\AppData\Local\Temp\D4B5.tmp" (PID 5064)
88. C:\Users\Admin\AppData\Local\Temp\D503.tmp "C:\Users\Admin\AppData\Local\Temp\D503.tmp" (PID 3164)
89. C:\Users\Admin\AppData\Local\Temp\D561.tmp "C:\Users\Admin\AppData\Local\Temp\D561.tmp" (PID 3248)
90. C:\Users\Admin\AppData\Local\Temp\D5AF.tmp "C:\Users\Admin\AppData\Local\Temp\D5AF.tmp" (PID 4920)
91. C:\Users\Admin\AppData\Local\Temp\D60D.tmp "C:\Users\Admin\AppData\Local\Temp\D60D.tmp" (PID 3776)
92. C:\Users\Admin\AppData\Local\Temp\D66A.tmp "C:\Users\Admin\AppData\Local\Temp\D66A.tmp" (PID 3908)
93. C:\Users\Admin\AppData\Local\Temp\D6B9.tmp "C:\Users\Admin\AppData\Local\Temp\D6B9.tmp" (PID 2144)
94. C:\Users\Admin\AppData\Local\Temp\D716.tmp "C:\Users\Admin\AppData\Local\Temp\D716.tmp" (PID 2968)
95. C:\Users\Admin\AppData\Local\Temp\D764.tmp "C:\Users\Admin\AppData\Local\Temp\D764.tmp" (PID 3404)
96. C:\Users\Admin\AppData\Local\Temp\D7B3.tmp "C:\Users\Admin\AppData\Local\Temp\D7B3.tmp" (PID 4316)
97. C:\Users\Admin\AppData\Local\Temp\D810.tmp "C:\Users\Admin\AppData\Local\Temp\D810.tmp" (PID 4324)
98. C:\Users\Admin\AppData\Local\Temp\D86E.tmp "C:\Users\Admin\AppData\Local\Temp\D86E.tmp" (PID 2140)
   - System Location Discovery: System Language Discovery
99. C:\Users\Admin\AppData\Local\Temp\D8BC.tmp "C:\Users\Admin\AppData\Local\Temp\D8BC.tmp" (PID 3936)
100. C:\Users\Admin\AppData\Local\Temp\D91A.tmp "C:\Users\Admin\AppData\Local\Temp\D91A.tmp" (PID 4452)
101. C:\Users\Admin\AppData\Local\Temp\D968.tmp "C:\Users\Admin\AppData\Local\Temp\D968.tmp" (PID 540)
102. C:\Users\Admin\AppData\Local\Temp\D9C6.tmp "C:\Users\Admin\AppData\Local\Temp\D9C6.tmp" (PID 4072)
103. C:\Users\Admin\AppData\Local\Temp\DA24.tmp "C:\Users\Admin\AppData\Local\Temp\DA24.tmp" (PID 3620)
104. C:\Users\Admin\AppData\Local\Temp\DA81.tmp "C:\Users\Admin\AppData\Local\Temp\DA81.tmp" (PID 2416)
105. C:\Users\Admin\AppData\Local\Temp\DACF.tmp "C:\Users\Admin\AppData\Local\Temp\DACF.tmp" (PID 2316)
106. C:\Users\Admin\AppData\Local\Temp\DB1E.tmp "C:\Users\Admin\AppData\Local\Temp\DB1E.tmp" (PID 636)
107. C:\Users\Admin\AppData\Local\Temp\DB6C.tmp "C:\Users\Admin\AppData\Local\Temp\DB6C.tmp" (PID 1716)
108. C:\Users\Admin\AppData\Local\Temp\DBBA.tmp "C:\Users\Admin\AppData\Local\Temp\DBBA.tmp" (PID 4404)
109. C:\Users\Admin\AppData\Local\Temp\DC18.tmp "C:\Users\Admin\AppData\Local\Temp\DC18.tmp" (PID 4256)
110. C:\Users\Admin\AppData\Local\Temp\DC66.tmp "C:\Users\Admin\AppData\Local\Temp\DC66.tmp" (PID 2800)
111. C:\Users\Admin\AppData\Local\Temp\DCB4.tmp "C:\Users\Admin\AppData\Local\Temp\DCB4.tmp" (PID 3828)
112. C:\Users\Admin\AppData\Local\Temp\DD02.tmp "C:\Users\Admin\AppData\Local\Temp\DD02.tmp" (PID 5016)
113. C:\Users\Admin\AppData\Local\Temp\DD50.tmp "C:\Users\Admin\AppData\Local\Temp\DD50.tmp" (PID 5036)
114. C:\Users\Admin\AppData\Local\Temp\DD9E.tmp "C:\Users\Admin\AppData\Local\Temp\DD9E.tmp" (PID 1540)
115. C:\Users\Admin\AppData\Local\Temp\DDEC.tmp "C:\Users\Admin\AppData\Local\Temp\DDEC.tmp" (PID 2468)
116. C:\Users\Admin\AppData\Local\Temp\DE4A.tmp "C:\Users\Admin\AppData\Local\Temp\DE4A.tmp" (PID 1084)
117. C:\Users\Admin\AppData\Local\Temp\DEA8.tmp "C:\Users\Admin\AppData\Local\Temp\DEA8.tmp" (PID 1604)
118. C:\Users\Admin\AppData\Local\Temp\DF06.tmp "C:\Users\Admin\AppData\Local\Temp\DF06.tmp" (PID 2436)
119. C:\Users\Admin\AppData\Local\Temp\DF63.tmp "C:\Users\Admin\AppData\Local\Temp\DF63.tmp" (PID 3712)
120. C:\Users\Admin\AppData\Local\Temp\DFB1.tmp "C:\Users\Admin\AppData\Local\Temp\DFB1.tmp" (PID 2644)
121. C:\Users\Admin\AppData\Local\Temp\E000.tmp "C:\Users\Admin\AppData\Local\Temp\E000.tmp" (PID 4164)
122. C:\Users\Admin\AppData\Local\Temp\E04E.tmp "C:\Users\Admin\AppData\Local\Temp\E04E.tmp" (PID 1136)