Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 04:02
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe
-
Size
712KB
-
MD5
1406a422563c8434e4d281613c26cd81
-
SHA1
05f532cca3cbf6a59257346657b19c9fb74f6153
-
SHA256
7b714634f1a96eb263cdc5bcb2fec5e44a06772113b8991908be5091181a994d
-
SHA512
46b44d2d462e247f1f988c175cb5e23468e54f32686d17e0b61ed8684ee4db4083ad4f501dab129ad0f704dd17b0b657b9b6358645be92de3b126944270022d4
-
SSDEEP
12288:FU5rCOTeiD4AR25ghbtmLEEj2rNZdCvq5TJLCvY90D8/LVBlVk736Y79GWzNbA:FUQOJD4CiQtmoEj2rNnCvq5TJLCvY90E
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4676 82AD.tmp 4936 832A.tmp 4332 83B7.tmp 3892 8453.tmp 2224 84C0.tmp 2700 851E.tmp 4732 85AB.tmp 4512 8628.tmp 4536 8695.tmp 4964 8712.tmp 3060 8770.tmp 1596 87DD.tmp 3792 886A.tmp 2620 88C7.tmp 2880 8935.tmp 4188 89A2.tmp 2952 8A2F.tmp 4924 8AAC.tmp 3604 8B0A.tmp 440 8B67.tmp 4928 8BE4.tmp 3936 8C71.tmp 3068 8CBF.tmp 1332 8D1D.tmp 4752 8D8A.tmp 2928 8DD8.tmp 1888 8E55.tmp 4824 8EE2.tmp 776 8F6F.tmp 3184 8FEC.tmp 3988 9059.tmp 4680 90D6.tmp 2916 9153.tmp 4020 91B1.tmp 3952 91FF.tmp 3708 924D.tmp 3624 929B.tmp 3680 92E9.tmp 4072 9337.tmp 1900 9395.tmp 4972 93F3.tmp 920 9441.tmp 2256 948F.tmp 4336 94ED.tmp 4316 953B.tmp 2844 9589.tmp 3380 95D7.tmp 3876 9625.tmp 3532 9673.tmp 3916 96C2.tmp 2908 971F.tmp 4952 977D.tmp 3524 97DB.tmp 2764 9829.tmp 512 9887.tmp 4448 98D5.tmp 4616 9933.tmp 2184 9981.tmp 2564 99DE.tmp 4376 9A2D.tmp 1800 9A8A.tmp 4484 9AD8.tmp 4940 9B36.tmp 1880 9B94.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8EFC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7BB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 75E7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D570.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 413A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C232.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 948F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EB3B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 55A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CE8B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B224.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CF37.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BE79.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8935.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9100.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8FB8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AB20.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CBD7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6D4B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C3AE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BFD.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 500F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9A2D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9C3B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 243C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A690.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC1E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C7A5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F81B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3D81.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6B19.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A5EF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9EE0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C00F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CDDA.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4472 wrote to memory of 4676 4472 2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe 82 PID 4472 wrote to memory of 4676 4472 2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe 82 PID 4472 wrote to memory of 4676 4472 2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe 82 PID 4676 wrote to memory of 4936 4676 82AD.tmp 83 PID 4676 wrote to memory of 4936 4676 82AD.tmp 83 PID 4676 wrote to memory of 4936 4676 82AD.tmp 83 PID 4936 wrote to memory of 4332 4936 832A.tmp 84 PID 4936 wrote to memory of 4332 4936 832A.tmp 84 PID 4936 wrote to memory of 4332 4936 832A.tmp 84 PID 4332 wrote to memory of 3892 4332 83B7.tmp 85 PID 4332 wrote to memory of 3892 4332 83B7.tmp 85 PID 4332 wrote to memory of 3892 4332 83B7.tmp 85 PID 3892 wrote to memory of 2224 3892 8453.tmp 86 PID 3892 wrote to memory of 2224 3892 8453.tmp 86 PID 3892 wrote to memory of 2224 3892 8453.tmp 86 PID 2224 wrote to memory of 2700 2224 84C0.tmp 87 PID 2224 wrote to memory of 2700 2224 84C0.tmp 87 PID 2224 wrote to memory of 2700 2224 84C0.tmp 87 PID 2700 wrote to memory of 4732 2700 851E.tmp 88 PID 2700 wrote to memory of 4732 2700 851E.tmp 88 PID 2700 wrote to memory of 4732 2700 851E.tmp 88 PID 4732 wrote to memory of 4512 4732 85AB.tmp 89 PID 4732 wrote to memory of 4512 4732 85AB.tmp 89 PID 4732 wrote to memory of 4512 4732 85AB.tmp 89 PID 4512 wrote to memory of 4536 4512 8628.tmp 90 PID 4512 wrote to memory of 4536 4512 8628.tmp 90 PID 4512 wrote to memory of 4536 4512 8628.tmp 90 PID 4536 wrote to memory of 4964 4536 8695.tmp 91 PID 4536 wrote to memory of 4964 4536 8695.tmp 91 PID 4536 wrote to memory of 4964 4536 8695.tmp 91 PID 4964 wrote to memory of 3060 4964 8712.tmp 92 PID 4964 wrote to memory of 3060 4964 8712.tmp 92 PID 4964 wrote to memory of 3060 4964 8712.tmp 92 PID 3060 wrote to memory of 1596 3060 8770.tmp 93 PID 3060 wrote to memory of 1596 3060 8770.tmp 93 PID 3060 wrote to memory of 1596 3060 8770.tmp 93 PID 1596 wrote to memory of 3792 1596 87DD.tmp 94 PID 1596 wrote to memory of 3792 1596 87DD.tmp 94 PID 1596 wrote to memory of 3792 1596 87DD.tmp 94 PID 3792 wrote to memory of 2620 3792 886A.tmp 95 PID 3792 wrote to memory of 2620 3792 886A.tmp 95 PID 3792 wrote to memory of 2620 3792 886A.tmp 95 PID 2620 wrote to memory of 2880 2620 88C7.tmp 96 PID 2620 wrote to memory of 2880 2620 88C7.tmp 96 PID 2620 wrote to memory of 2880 2620 88C7.tmp 96 PID 2880 wrote to memory of 4188 2880 8935.tmp 97 PID 2880 wrote to memory of 4188 2880 8935.tmp 97 PID 2880 wrote to memory of 4188 2880 8935.tmp 97 PID 4188 wrote to memory of 2952 4188 89A2.tmp 98 PID 4188 wrote to memory of 2952 4188 89A2.tmp 98 PID 4188 wrote to memory of 2952 4188 89A2.tmp 98 PID 2952 wrote to memory of 4924 2952 8A2F.tmp 99 PID 2952 wrote to memory of 4924 2952 8A2F.tmp 99 PID 2952 wrote to memory of 4924 2952 8A2F.tmp 99 PID 4924 wrote to memory of 3604 4924 8AAC.tmp 100 PID 4924 wrote to memory of 3604 4924 8AAC.tmp 100 PID 4924 wrote to memory of 3604 4924 8AAC.tmp 100 PID 3604 wrote to memory of 440 3604 8B0A.tmp 101 PID 3604 wrote to memory of 440 3604 8B0A.tmp 101 PID 3604 wrote to memory of 440 3604 8B0A.tmp 101 PID 440 wrote to memory of 4928 440 8B67.tmp 102 PID 440 wrote to memory of 4928 440 8B67.tmp 102 PID 440 wrote to memory of 4928 440 8B67.tmp 102 PID 4928 wrote to memory of 3936 4928 8BE4.tmp 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-19_1406a422563c8434e4d281613c26cd81_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\82AD.tmp"C:\Users\Admin\AppData\Local\Temp\82AD.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\832A.tmp"C:\Users\Admin\AppData\Local\Temp\832A.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\83B7.tmp"C:\Users\Admin\AppData\Local\Temp\83B7.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Users\Admin\AppData\Local\Temp\8453.tmp"C:\Users\Admin\AppData\Local\Temp\8453.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\84C0.tmp"C:\Users\Admin\AppData\Local\Temp\84C0.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\851E.tmp"C:\Users\Admin\AppData\Local\Temp\851E.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\85AB.tmp"C:\Users\Admin\AppData\Local\Temp\85AB.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\8628.tmp"C:\Users\Admin\AppData\Local\Temp\8628.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\8695.tmp"C:\Users\Admin\AppData\Local\Temp\8695.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\8712.tmp"C:\Users\Admin\AppData\Local\Temp\8712.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\8770.tmp"C:\Users\Admin\AppData\Local\Temp\8770.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\87DD.tmp"C:\Users\Admin\AppData\Local\Temp\87DD.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\886A.tmp"C:\Users\Admin\AppData\Local\Temp\886A.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Users\Admin\AppData\Local\Temp\88C7.tmp"C:\Users\Admin\AppData\Local\Temp\88C7.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\8935.tmp"C:\Users\Admin\AppData\Local\Temp\8935.tmp"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\89A2.tmp"C:\Users\Admin\AppData\Local\Temp\89A2.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\8A2F.tmp"C:\Users\Admin\AppData\Local\Temp\8A2F.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\8AAC.tmp"C:\Users\Admin\AppData\Local\Temp\8AAC.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\8B67.tmp"C:\Users\Admin\AppData\Local\Temp\8B67.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\8C71.tmp"C:\Users\Admin\AppData\Local\Temp\8C71.tmp"23⤵
- Executes dropped EXE
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\8CBF.tmp"C:\Users\Admin\AppData\Local\Temp\8CBF.tmp"24⤵
- Executes dropped EXE
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\8D1D.tmp"C:\Users\Admin\AppData\Local\Temp\8D1D.tmp"25⤵
- Executes dropped EXE
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"26⤵
- Executes dropped EXE
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"27⤵
- Executes dropped EXE
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\8E55.tmp"C:\Users\Admin\AppData\Local\Temp\8E55.tmp"28⤵
- Executes dropped EXE
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\8EE2.tmp"C:\Users\Admin\AppData\Local\Temp\8EE2.tmp"29⤵
- Executes dropped EXE
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\8F6F.tmp"C:\Users\Admin\AppData\Local\Temp\8F6F.tmp"30⤵
- Executes dropped EXE
PID:776 -
C:\Users\Admin\AppData\Local\Temp\8FEC.tmp"C:\Users\Admin\AppData\Local\Temp\8FEC.tmp"31⤵
- Executes dropped EXE
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\9059.tmp"C:\Users\Admin\AppData\Local\Temp\9059.tmp"32⤵
- Executes dropped EXE
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\90D6.tmp"C:\Users\Admin\AppData\Local\Temp\90D6.tmp"33⤵
- Executes dropped EXE
PID:4680 -
C:\Users\Admin\AppData\Local\Temp\9153.tmp"C:\Users\Admin\AppData\Local\Temp\9153.tmp"34⤵
- Executes dropped EXE
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\91B1.tmp"C:\Users\Admin\AppData\Local\Temp\91B1.tmp"35⤵
- Executes dropped EXE
PID:4020 -
C:\Users\Admin\AppData\Local\Temp\91FF.tmp"C:\Users\Admin\AppData\Local\Temp\91FF.tmp"36⤵
- Executes dropped EXE
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\924D.tmp"C:\Users\Admin\AppData\Local\Temp\924D.tmp"37⤵
- Executes dropped EXE
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\929B.tmp"C:\Users\Admin\AppData\Local\Temp\929B.tmp"38⤵
- Executes dropped EXE
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\92E9.tmp"C:\Users\Admin\AppData\Local\Temp\92E9.tmp"39⤵
- Executes dropped EXE
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\9337.tmp"C:\Users\Admin\AppData\Local\Temp\9337.tmp"40⤵
- Executes dropped EXE
PID:4072 -
C:\Users\Admin\AppData\Local\Temp\9395.tmp"C:\Users\Admin\AppData\Local\Temp\9395.tmp"41⤵
- Executes dropped EXE
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\93F3.tmp"C:\Users\Admin\AppData\Local\Temp\93F3.tmp"42⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\9441.tmp"C:\Users\Admin\AppData\Local\Temp\9441.tmp"43⤵
- Executes dropped EXE
PID:920 -
C:\Users\Admin\AppData\Local\Temp\948F.tmp"C:\Users\Admin\AppData\Local\Temp\948F.tmp"44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\94ED.tmp"C:\Users\Admin\AppData\Local\Temp\94ED.tmp"45⤵
- Executes dropped EXE
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\953B.tmp"C:\Users\Admin\AppData\Local\Temp\953B.tmp"46⤵
- Executes dropped EXE
PID:4316 -
C:\Users\Admin\AppData\Local\Temp\9589.tmp"C:\Users\Admin\AppData\Local\Temp\9589.tmp"47⤵
- Executes dropped EXE
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\95D7.tmp"C:\Users\Admin\AppData\Local\Temp\95D7.tmp"48⤵
- Executes dropped EXE
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\9625.tmp"C:\Users\Admin\AppData\Local\Temp\9625.tmp"49⤵
- Executes dropped EXE
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\9673.tmp"C:\Users\Admin\AppData\Local\Temp\9673.tmp"50⤵
- Executes dropped EXE
PID:3532 -
C:\Users\Admin\AppData\Local\Temp\96C2.tmp"C:\Users\Admin\AppData\Local\Temp\96C2.tmp"51⤵
- Executes dropped EXE
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\971F.tmp"C:\Users\Admin\AppData\Local\Temp\971F.tmp"52⤵
- Executes dropped EXE
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\977D.tmp"C:\Users\Admin\AppData\Local\Temp\977D.tmp"53⤵
- Executes dropped EXE
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\97DB.tmp"C:\Users\Admin\AppData\Local\Temp\97DB.tmp"54⤵
- Executes dropped EXE
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\9829.tmp"C:\Users\Admin\AppData\Local\Temp\9829.tmp"55⤵
- Executes dropped EXE
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\9887.tmp"C:\Users\Admin\AppData\Local\Temp\9887.tmp"56⤵
- Executes dropped EXE
PID:512 -
C:\Users\Admin\AppData\Local\Temp\98D5.tmp"C:\Users\Admin\AppData\Local\Temp\98D5.tmp"57⤵
- Executes dropped EXE
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\9933.tmp"C:\Users\Admin\AppData\Local\Temp\9933.tmp"58⤵
- Executes dropped EXE
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\9981.tmp"C:\Users\Admin\AppData\Local\Temp\9981.tmp"59⤵
- Executes dropped EXE
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\99DE.tmp"C:\Users\Admin\AppData\Local\Temp\99DE.tmp"60⤵
- Executes dropped EXE
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\9A2D.tmp"C:\Users\Admin\AppData\Local\Temp\9A2D.tmp"61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\9A8A.tmp"C:\Users\Admin\AppData\Local\Temp\9A8A.tmp"62⤵
- Executes dropped EXE
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\9AD8.tmp"C:\Users\Admin\AppData\Local\Temp\9AD8.tmp"63⤵
- Executes dropped EXE
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\9B36.tmp"C:\Users\Admin\AppData\Local\Temp\9B36.tmp"64⤵
- Executes dropped EXE
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\9B94.tmp"C:\Users\Admin\AppData\Local\Temp\9B94.tmp"65⤵
- Executes dropped EXE
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\9BF2.tmp"C:\Users\Admin\AppData\Local\Temp\9BF2.tmp"66⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\9C40.tmp"C:\Users\Admin\AppData\Local\Temp\9C40.tmp"67⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\9C8E.tmp"C:\Users\Admin\AppData\Local\Temp\9C8E.tmp"68⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\9CDC.tmp"C:\Users\Admin\AppData\Local\Temp\9CDC.tmp"69⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\9D2A.tmp"C:\Users\Admin\AppData\Local\Temp\9D2A.tmp"70⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\9D88.tmp"C:\Users\Admin\AppData\Local\Temp\9D88.tmp"71⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\9DD6.tmp"C:\Users\Admin\AppData\Local\Temp\9DD6.tmp"72⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\9E34.tmp"C:\Users\Admin\AppData\Local\Temp\9E34.tmp"73⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\9E82.tmp"C:\Users\Admin\AppData\Local\Temp\9E82.tmp"74⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\9EE0.tmp"C:\Users\Admin\AppData\Local\Temp\9EE0.tmp"75⤵
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\9F3D.tmp"C:\Users\Admin\AppData\Local\Temp\9F3D.tmp"76⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\9F9B.tmp"C:\Users\Admin\AppData\Local\Temp\9F9B.tmp"77⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"78⤵PID:220
-
C:\Users\Admin\AppData\Local\Temp\A047.tmp"C:\Users\Admin\AppData\Local\Temp\A047.tmp"79⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"80⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\A112.tmp"C:\Users\Admin\AppData\Local\Temp\A112.tmp"81⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\A160.tmp"C:\Users\Admin\AppData\Local\Temp\A160.tmp"82⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\A1BE.tmp"C:\Users\Admin\AppData\Local\Temp\A1BE.tmp"83⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\A21C.tmp"C:\Users\Admin\AppData\Local\Temp\A21C.tmp"84⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\A26A.tmp"C:\Users\Admin\AppData\Local\Temp\A26A.tmp"85⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\A2C8.tmp"C:\Users\Admin\AppData\Local\Temp\A2C8.tmp"86⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\A316.tmp"C:\Users\Admin\AppData\Local\Temp\A316.tmp"87⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\A364.tmp"C:\Users\Admin\AppData\Local\Temp\A364.tmp"88⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"89⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\A41F.tmp"C:\Users\Admin\AppData\Local\Temp\A41F.tmp"90⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\A47D.tmp"C:\Users\Admin\AppData\Local\Temp\A47D.tmp"91⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\A4DB.tmp"C:\Users\Admin\AppData\Local\Temp\A4DB.tmp"92⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\A539.tmp"C:\Users\Admin\AppData\Local\Temp\A539.tmp"93⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\A587.tmp"C:\Users\Admin\AppData\Local\Temp\A587.tmp"94⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\A5E5.tmp"C:\Users\Admin\AppData\Local\Temp\A5E5.tmp"95⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\A642.tmp"C:\Users\Admin\AppData\Local\Temp\A642.tmp"96⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\A690.tmp"C:\Users\Admin\AppData\Local\Temp\A690.tmp"97⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\A6DF.tmp"C:\Users\Admin\AppData\Local\Temp\A6DF.tmp"98⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\A73C.tmp"C:\Users\Admin\AppData\Local\Temp\A73C.tmp"99⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\A78A.tmp"C:\Users\Admin\AppData\Local\Temp\A78A.tmp"100⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\A7E8.tmp"C:\Users\Admin\AppData\Local\Temp\A7E8.tmp"101⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\A836.tmp"C:\Users\Admin\AppData\Local\Temp\A836.tmp"102⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\A894.tmp"C:\Users\Admin\AppData\Local\Temp\A894.tmp"103⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\A8E2.tmp"C:\Users\Admin\AppData\Local\Temp\A8E2.tmp"104⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\A930.tmp"C:\Users\Admin\AppData\Local\Temp\A930.tmp"105⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\A97E.tmp"C:\Users\Admin\AppData\Local\Temp\A97E.tmp"106⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\A9CD.tmp"C:\Users\Admin\AppData\Local\Temp\A9CD.tmp"107⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\AA1B.tmp"C:\Users\Admin\AppData\Local\Temp\AA1B.tmp"108⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\AA69.tmp"C:\Users\Admin\AppData\Local\Temp\AA69.tmp"109⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\AAC7.tmp"C:\Users\Admin\AppData\Local\Temp\AAC7.tmp"110⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\AB24.tmp"C:\Users\Admin\AppData\Local\Temp\AB24.tmp"111⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\AB72.tmp"C:\Users\Admin\AppData\Local\Temp\AB72.tmp"112⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\ABC1.tmp"C:\Users\Admin\AppData\Local\Temp\ABC1.tmp"113⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\AC1E.tmp"C:\Users\Admin\AppData\Local\Temp\AC1E.tmp"114⤵
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\AC7C.tmp"C:\Users\Admin\AppData\Local\Temp\AC7C.tmp"115⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\ACDA.tmp"C:\Users\Admin\AppData\Local\Temp\ACDA.tmp"116⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\AD28.tmp"C:\Users\Admin\AppData\Local\Temp\AD28.tmp"117⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\AD86.tmp"C:\Users\Admin\AppData\Local\Temp\AD86.tmp"118⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\ADE3.tmp"C:\Users\Admin\AppData\Local\Temp\ADE3.tmp"119⤵PID:924
-
C:\Users\Admin\AppData\Local\Temp\AE41.tmp"C:\Users\Admin\AppData\Local\Temp\AE41.tmp"120⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\AE8F.tmp"C:\Users\Admin\AppData\Local\Temp\AE8F.tmp"121⤵PID:3644
-
C:\Users\Admin\AppData\Local\Temp\AEED.tmp"C:\Users\Admin\AppData\Local\Temp\AEED.tmp"122⤵PID:2084
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-