Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2024 03:19
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe
-
Size
520KB
-
MD5
2f1ba7e4159a2d5804160a6cb34679c1
-
SHA1
74049f50c69cbf04f026089522315bf645935b63
-
SHA256
e754d873bb134bd718bb32f78ab9e33f5892f7709b716a45315b44642cf88331
-
SHA512
7c4320fb53c947505a75170ee97d7185050a65086e305c8232fad9d38387bd8dc7c0d7d6f0ab95cfd37dbdafd5c3a45f2d4f7447abb31f585cc6ec0c7af02b6e
-
SSDEEP
12288:gj8fuxR21t5i8fHD/FQvwP1ZTofDKWWNZ:gj8fuK1GYHD/FYwAMN
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2664 7E67.tmp 3256 7ED5.tmp 4464 7F52.tmp 3428 7FAF.tmp 1964 802C.tmp 3792 807A.tmp 3708 80E8.tmp 220 8155.tmp 412 81A3.tmp 2848 8211.tmp 2728 826E.tmp 2316 82DC.tmp 3476 833A.tmp 1700 8397.tmp 2944 8405.tmp 1524 8472.tmp 4356 84DF.tmp 4924 852E.tmp 4640 859B.tmp 3716 8608.tmp 856 8676.tmp 2224 86C4.tmp 2828 8731.tmp 1292 877F.tmp 4780 87ED.tmp 4108 883B.tmp 3352 8889.tmp 4032 88E7.tmp 4752 8954.tmp 2384 89C1.tmp 4080 8A4E.tmp 2080 8ABB.tmp 3648 8B0A.tmp 1144 8B58.tmp 2064 8BA6.tmp 492 8BF4.tmp 2772 8C42.tmp 1472 8C90.tmp 4276 8CEE.tmp 4292 8D3C.tmp 1476 8D8A.tmp 3192 8DD8.tmp 744 8E26.tmp 2796 8E75.tmp 648 8EC3.tmp 4028 8F20.tmp 4760 8F5F.tmp 3064 8FAD.tmp 3080 8FFB.tmp 520 9049.tmp 4708 9097.tmp 2328 90E6.tmp 4036 9134.tmp 5060 9191.tmp 3708 91E0.tmp 220 922E.tmp 4960 927C.tmp 2644 92DA.tmp 2344 9337.tmp 936 9385.tmp 2728 93D4.tmp 2376 9431.tmp 1960 947F.tmp 60 94CE.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7FAF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 10B4.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7EFF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8836.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8BA6.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9D3A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3563.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4C85.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2F0A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 144E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 581E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A91C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 489D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B55.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 777D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9A18.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DD60.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 700.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3285.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C02E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 77CB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A478.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B650.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 337F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A2F2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D793.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FA3E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4755.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A73C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8150.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1E03.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8A1A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C6D5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F760.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ED2F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4A91.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EADD.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 897E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4A43.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A572.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5436.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7441.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A38E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BCD3.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1476 wrote to memory of 2664 1476 2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe 85 PID 1476 wrote to memory of 2664 1476 2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe 85 PID 1476 wrote to memory of 2664 1476 2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe 85 PID 2664 wrote to memory of 3256 2664 7E67.tmp 86 PID 2664 wrote to memory of 3256 2664 7E67.tmp 86 PID 2664 wrote to memory of 3256 2664 7E67.tmp 86 PID 3256 wrote to memory of 4464 3256 7ED5.tmp 88 PID 3256 wrote to memory of 4464 3256 7ED5.tmp 88 PID 3256 wrote to memory of 4464 3256 7ED5.tmp 88 PID 4464 wrote to memory of 3428 4464 7F52.tmp 89 PID 4464 wrote to memory of 3428 4464 7F52.tmp 89 PID 4464 wrote to memory of 3428 4464 7F52.tmp 89 PID 3428 wrote to memory of 1964 3428 7FAF.tmp 90 PID 3428 wrote to memory of 1964 3428 7FAF.tmp 90 PID 3428 wrote to memory of 1964 3428 7FAF.tmp 90 PID 1964 wrote to memory of 3792 1964 802C.tmp 91 PID 1964 wrote to memory of 3792 1964 802C.tmp 91 PID 1964 wrote to memory of 3792 1964 802C.tmp 91 PID 3792 wrote to memory of 3708 3792 807A.tmp 92 PID 3792 wrote to memory of 3708 3792 807A.tmp 92 PID 3792 wrote to memory of 3708 3792 807A.tmp 92 PID 3708 wrote to memory of 220 3708 80E8.tmp 93 PID 3708 wrote to memory of 220 3708 80E8.tmp 93 PID 3708 wrote to memory of 220 3708 80E8.tmp 93 PID 220 wrote to memory of 412 220 8155.tmp 94 PID 220 wrote to memory of 412 220 8155.tmp 94 PID 220 wrote to memory of 412 220 8155.tmp 94 PID 412 wrote to memory of 2848 412 81A3.tmp 95 PID 412 wrote to memory of 2848 412 81A3.tmp 95 PID 412 wrote to memory of 2848 412 81A3.tmp 95 PID 2848 wrote to memory of 2728 2848 8211.tmp 96 PID 2848 wrote to memory of 2728 2848 8211.tmp 96 PID 2848 wrote to memory of 2728 2848 8211.tmp 96 PID 2728 wrote to memory of 2316 2728 826E.tmp 97 PID 2728 wrote to memory of 2316 2728 826E.tmp 97 PID 2728 wrote to memory of 2316 2728 826E.tmp 97 PID 2316 wrote to memory of 3476 2316 82DC.tmp 98 PID 2316 wrote to memory of 3476 2316 82DC.tmp 98 PID 2316 wrote to memory of 3476 2316 82DC.tmp 98 PID 3476 wrote to memory of 1700 3476 833A.tmp 99 PID 3476 wrote to memory of 1700 3476 833A.tmp 99 PID 3476 wrote to memory of 1700 3476 833A.tmp 99 PID 1700 wrote to memory of 2944 1700 8397.tmp 100 PID 1700 wrote to memory of 2944 1700 8397.tmp 100 PID 1700 wrote to memory of 2944 1700 8397.tmp 100 PID 2944 wrote to memory of 1524 2944 8405.tmp 101 PID 2944 wrote to memory of 1524 2944 8405.tmp 101 PID 2944 wrote to memory of 1524 2944 8405.tmp 101 PID 1524 wrote to memory of 4356 1524 8472.tmp 102 PID 1524 wrote to memory of 4356 1524 8472.tmp 102 PID 1524 wrote to memory of 4356 1524 8472.tmp 102 PID 4356 wrote to memory of 4924 4356 84DF.tmp 103 PID 4356 wrote to memory of 4924 4356 84DF.tmp 103 PID 4356 wrote to memory of 4924 4356 84DF.tmp 103 PID 4924 wrote to memory of 4640 4924 852E.tmp 104 PID 4924 wrote to memory of 4640 4924 852E.tmp 104 PID 4924 wrote to memory of 4640 4924 852E.tmp 104 PID 4640 wrote to memory of 3716 4640 859B.tmp 105 PID 4640 wrote to memory of 3716 4640 859B.tmp 105 PID 4640 wrote to memory of 3716 4640 859B.tmp 105 PID 3716 wrote to memory of 856 3716 8608.tmp 106 PID 3716 wrote to memory of 856 3716 8608.tmp 106 PID 3716 wrote to memory of 856 3716 8608.tmp 106 PID 856 wrote to memory of 2224 856 8676.tmp 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_2f1ba7e4159a2d5804160a6cb34679c1_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\7E67.tmp"C:\Users\Admin\AppData\Local\Temp\7E67.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\7ED5.tmp"C:\Users\Admin\AppData\Local\Temp\7ED5.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Users\Admin\AppData\Local\Temp\7F52.tmp"C:\Users\Admin\AppData\Local\Temp\7F52.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\802C.tmp"C:\Users\Admin\AppData\Local\Temp\802C.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\807A.tmp"C:\Users\Admin\AppData\Local\Temp\807A.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Users\Admin\AppData\Local\Temp\80E8.tmp"C:\Users\Admin\AppData\Local\Temp\80E8.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\8155.tmp"C:\Users\Admin\AppData\Local\Temp\8155.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Users\Admin\AppData\Local\Temp\81A3.tmp"C:\Users\Admin\AppData\Local\Temp\81A3.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Users\Admin\AppData\Local\Temp\8211.tmp"C:\Users\Admin\AppData\Local\Temp\8211.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\826E.tmp"C:\Users\Admin\AppData\Local\Temp\826E.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\82DC.tmp"C:\Users\Admin\AppData\Local\Temp\82DC.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\833A.tmp"C:\Users\Admin\AppData\Local\Temp\833A.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\8397.tmp"C:\Users\Admin\AppData\Local\Temp\8397.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\8405.tmp"C:\Users\Admin\AppData\Local\Temp\8405.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\8472.tmp"C:\Users\Admin\AppData\Local\Temp\8472.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\84DF.tmp"C:\Users\Admin\AppData\Local\Temp\84DF.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\852E.tmp"C:\Users\Admin\AppData\Local\Temp\852E.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\859B.tmp"C:\Users\Admin\AppData\Local\Temp\859B.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\8608.tmp"C:\Users\Admin\AppData\Local\Temp\8608.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\8676.tmp"C:\Users\Admin\AppData\Local\Temp\8676.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\86C4.tmp"C:\Users\Admin\AppData\Local\Temp\86C4.tmp"23⤵
- Executes dropped EXE
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\8731.tmp"C:\Users\Admin\AppData\Local\Temp\8731.tmp"24⤵
- Executes dropped EXE
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\877F.tmp"C:\Users\Admin\AppData\Local\Temp\877F.tmp"25⤵
- Executes dropped EXE
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\87ED.tmp"C:\Users\Admin\AppData\Local\Temp\87ED.tmp"26⤵
- Executes dropped EXE
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\883B.tmp"C:\Users\Admin\AppData\Local\Temp\883B.tmp"27⤵
- Executes dropped EXE
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\8889.tmp"C:\Users\Admin\AppData\Local\Temp\8889.tmp"28⤵
- Executes dropped EXE
PID:3352 -
C:\Users\Admin\AppData\Local\Temp\88E7.tmp"C:\Users\Admin\AppData\Local\Temp\88E7.tmp"29⤵
- Executes dropped EXE
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\8954.tmp"C:\Users\Admin\AppData\Local\Temp\8954.tmp"30⤵
- Executes dropped EXE
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\89C1.tmp"C:\Users\Admin\AppData\Local\Temp\89C1.tmp"31⤵
- Executes dropped EXE
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\8A4E.tmp"C:\Users\Admin\AppData\Local\Temp\8A4E.tmp"32⤵
- Executes dropped EXE
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"33⤵
- Executes dropped EXE
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"34⤵
- Executes dropped EXE
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\8B58.tmp"C:\Users\Admin\AppData\Local\Temp\8B58.tmp"35⤵
- Executes dropped EXE
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\8BA6.tmp"C:\Users\Admin\AppData\Local\Temp\8BA6.tmp"36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\8BF4.tmp"C:\Users\Admin\AppData\Local\Temp\8BF4.tmp"37⤵
- Executes dropped EXE
PID:492 -
C:\Users\Admin\AppData\Local\Temp\8C42.tmp"C:\Users\Admin\AppData\Local\Temp\8C42.tmp"38⤵
- Executes dropped EXE
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\8C90.tmp"C:\Users\Admin\AppData\Local\Temp\8C90.tmp"39⤵
- Executes dropped EXE
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\8CEE.tmp"C:\Users\Admin\AppData\Local\Temp\8CEE.tmp"40⤵
- Executes dropped EXE
PID:4276 -
C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"41⤵
- Executes dropped EXE
PID:4292 -
C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"42⤵
- Executes dropped EXE
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"C:\Users\Admin\AppData\Local\Temp\8DD8.tmp"43⤵
- Executes dropped EXE
PID:3192 -
C:\Users\Admin\AppData\Local\Temp\8E26.tmp"C:\Users\Admin\AppData\Local\Temp\8E26.tmp"44⤵
- Executes dropped EXE
PID:744 -
C:\Users\Admin\AppData\Local\Temp\8E75.tmp"C:\Users\Admin\AppData\Local\Temp\8E75.tmp"45⤵
- Executes dropped EXE
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\8EC3.tmp"C:\Users\Admin\AppData\Local\Temp\8EC3.tmp"46⤵
- Executes dropped EXE
PID:648 -
C:\Users\Admin\AppData\Local\Temp\8F20.tmp"C:\Users\Admin\AppData\Local\Temp\8F20.tmp"47⤵
- Executes dropped EXE
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\8F5F.tmp"C:\Users\Admin\AppData\Local\Temp\8F5F.tmp"48⤵
- Executes dropped EXE
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\8FAD.tmp"C:\Users\Admin\AppData\Local\Temp\8FAD.tmp"49⤵
- Executes dropped EXE
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"50⤵
- Executes dropped EXE
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\9049.tmp"C:\Users\Admin\AppData\Local\Temp\9049.tmp"51⤵
- Executes dropped EXE
PID:520 -
C:\Users\Admin\AppData\Local\Temp\9097.tmp"C:\Users\Admin\AppData\Local\Temp\9097.tmp"52⤵
- Executes dropped EXE
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\90E6.tmp"C:\Users\Admin\AppData\Local\Temp\90E6.tmp"53⤵
- Executes dropped EXE
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\9134.tmp"C:\Users\Admin\AppData\Local\Temp\9134.tmp"54⤵
- Executes dropped EXE
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\9191.tmp"C:\Users\Admin\AppData\Local\Temp\9191.tmp"55⤵
- Executes dropped EXE
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\91E0.tmp"C:\Users\Admin\AppData\Local\Temp\91E0.tmp"56⤵
- Executes dropped EXE
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\922E.tmp"C:\Users\Admin\AppData\Local\Temp\922E.tmp"57⤵
- Executes dropped EXE
PID:220 -
C:\Users\Admin\AppData\Local\Temp\927C.tmp"C:\Users\Admin\AppData\Local\Temp\927C.tmp"58⤵
- Executes dropped EXE
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\92DA.tmp"C:\Users\Admin\AppData\Local\Temp\92DA.tmp"59⤵
- Executes dropped EXE
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\9337.tmp"C:\Users\Admin\AppData\Local\Temp\9337.tmp"60⤵
- Executes dropped EXE
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\9385.tmp"C:\Users\Admin\AppData\Local\Temp\9385.tmp"61⤵
- Executes dropped EXE
PID:936 -
C:\Users\Admin\AppData\Local\Temp\93D4.tmp"C:\Users\Admin\AppData\Local\Temp\93D4.tmp"62⤵
- Executes dropped EXE
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\9431.tmp"C:\Users\Admin\AppData\Local\Temp\9431.tmp"63⤵
- Executes dropped EXE
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\947F.tmp"C:\Users\Admin\AppData\Local\Temp\947F.tmp"64⤵
- Executes dropped EXE
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\94CE.tmp"C:\Users\Admin\AppData\Local\Temp\94CE.tmp"65⤵
- Executes dropped EXE
PID:60 -
C:\Users\Admin\AppData\Local\Temp\952B.tmp"C:\Users\Admin\AppData\Local\Temp\952B.tmp"66⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\9589.tmp"C:\Users\Admin\AppData\Local\Temp\9589.tmp"67⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\95D7.tmp"C:\Users\Admin\AppData\Local\Temp\95D7.tmp"68⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\9635.tmp"C:\Users\Admin\AppData\Local\Temp\9635.tmp"69⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\9693.tmp"C:\Users\Admin\AppData\Local\Temp\9693.tmp"70⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\96E1.tmp"C:\Users\Admin\AppData\Local\Temp\96E1.tmp"71⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\973F.tmp"C:\Users\Admin\AppData\Local\Temp\973F.tmp"72⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\979C.tmp"C:\Users\Admin\AppData\Local\Temp\979C.tmp"73⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\97FA.tmp"C:\Users\Admin\AppData\Local\Temp\97FA.tmp"74⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\9858.tmp"C:\Users\Admin\AppData\Local\Temp\9858.tmp"75⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\98B6.tmp"C:\Users\Admin\AppData\Local\Temp\98B6.tmp"76⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\9904.tmp"C:\Users\Admin\AppData\Local\Temp\9904.tmp"77⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\9952.tmp"C:\Users\Admin\AppData\Local\Temp\9952.tmp"78⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\99B0.tmp"C:\Users\Admin\AppData\Local\Temp\99B0.tmp"79⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\99FE.tmp"C:\Users\Admin\AppData\Local\Temp\99FE.tmp"80⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\9A5B.tmp"C:\Users\Admin\AppData\Local\Temp\9A5B.tmp"81⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\9AB9.tmp"C:\Users\Admin\AppData\Local\Temp\9AB9.tmp"82⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\9B07.tmp"C:\Users\Admin\AppData\Local\Temp\9B07.tmp"83⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\9B55.tmp"C:\Users\Admin\AppData\Local\Temp\9B55.tmp"84⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\9BA4.tmp"C:\Users\Admin\AppData\Local\Temp\9BA4.tmp"85⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\9BF2.tmp"C:\Users\Admin\AppData\Local\Temp\9BF2.tmp"86⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\9C4F.tmp"C:\Users\Admin\AppData\Local\Temp\9C4F.tmp"87⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\9C9E.tmp"C:\Users\Admin\AppData\Local\Temp\9C9E.tmp"88⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\9CEC.tmp"C:\Users\Admin\AppData\Local\Temp\9CEC.tmp"89⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\9D3A.tmp"C:\Users\Admin\AppData\Local\Temp\9D3A.tmp"90⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\9D88.tmp"C:\Users\Admin\AppData\Local\Temp\9D88.tmp"91⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\9DD6.tmp"C:\Users\Admin\AppData\Local\Temp\9DD6.tmp"92⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\9E34.tmp"C:\Users\Admin\AppData\Local\Temp\9E34.tmp"93⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\9E82.tmp"C:\Users\Admin\AppData\Local\Temp\9E82.tmp"94⤵PID:3736
-
C:\Users\Admin\AppData\Local\Temp\9ED0.tmp"C:\Users\Admin\AppData\Local\Temp\9ED0.tmp"95⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\9F1E.tmp"C:\Users\Admin\AppData\Local\Temp\9F1E.tmp"96⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\9F6C.tmp"C:\Users\Admin\AppData\Local\Temp\9F6C.tmp"97⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\9FBA.tmp"C:\Users\Admin\AppData\Local\Temp\9FBA.tmp"98⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\A018.tmp"C:\Users\Admin\AppData\Local\Temp\A018.tmp"99⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\A066.tmp"C:\Users\Admin\AppData\Local\Temp\A066.tmp"100⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"101⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\A103.tmp"C:\Users\Admin\AppData\Local\Temp\A103.tmp"102⤵PID:3860
-
C:\Users\Admin\AppData\Local\Temp\A160.tmp"C:\Users\Admin\AppData\Local\Temp\A160.tmp"103⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\A1BE.tmp"C:\Users\Admin\AppData\Local\Temp\A1BE.tmp"104⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\A21C.tmp"C:\Users\Admin\AppData\Local\Temp\A21C.tmp"105⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\A26A.tmp"C:\Users\Admin\AppData\Local\Temp\A26A.tmp"106⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\A2B8.tmp"C:\Users\Admin\AppData\Local\Temp\A2B8.tmp"107⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\A316.tmp"C:\Users\Admin\AppData\Local\Temp\A316.tmp"108⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\A374.tmp"C:\Users\Admin\AppData\Local\Temp\A374.tmp"109⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"110⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\A410.tmp"C:\Users\Admin\AppData\Local\Temp\A410.tmp"111⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\A45E.tmp"C:\Users\Admin\AppData\Local\Temp\A45E.tmp"112⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\A4AC.tmp"C:\Users\Admin\AppData\Local\Temp\A4AC.tmp"113⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\A4FA.tmp"C:\Users\Admin\AppData\Local\Temp\A4FA.tmp"114⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\A548.tmp"C:\Users\Admin\AppData\Local\Temp\A548.tmp"115⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\A5A6.tmp"C:\Users\Admin\AppData\Local\Temp\A5A6.tmp"116⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\A5F4.tmp"C:\Users\Admin\AppData\Local\Temp\A5F4.tmp"117⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\A642.tmp"C:\Users\Admin\AppData\Local\Temp\A642.tmp"118⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\A690.tmp"C:\Users\Admin\AppData\Local\Temp\A690.tmp"119⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\A6DF.tmp"C:\Users\Admin\AppData\Local\Temp\A6DF.tmp"120⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\A73C.tmp"C:\Users\Admin\AppData\Local\Temp\A73C.tmp"121⤵
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\A78A.tmp"C:\Users\Admin\AppData\Local\Temp\A78A.tmp"122⤵PID:4832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-