Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-11-2024 01:37
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-10_b443c687e1f014ff8e3b946928621d65_mafia.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-10_b443c687e1f014ff8e3b946928621d65_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-10_b443c687e1f014ff8e3b946928621d65_mafia.exe
-
Size
486KB
-
MD5
b443c687e1f014ff8e3b946928621d65
-
SHA1
4ec4971f05e52d02aeb06b306c486848def8c9de
-
SHA256
a062cfaf24f95020394dfbb96d040cb27445711dbbd92d13a474980caf417e86
-
SHA512
74f1de9d8d0314308cd218d7d5e070b8415a26c52d5e3a2806374349bc36f736fa8ba5294858d5189703f2a4e2bf0d54605beb706b4695bcbcb1a0e7b791e81d
-
SSDEEP
12288:/U5rCOTeiD8hQP35MTRjLV9ZEBDf2pHMp7BNZ:/UQOJD8qPpqZEB5p1N
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-10_b443c687e1f014ff8e3b946928621d65_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-10_b443c687e1f014ff8e3b946928621d65_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\AC7C.tmp"C:\Users\Admin\AppData\Local\Temp\AC7C.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\ACE9.tmp"C:\Users\Admin\AppData\Local\Temp\ACE9.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\AD47.tmp"C:\Users\Admin\AppData\Local\Temp\AD47.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\ADC4.tmp"C:\Users\Admin\AppData\Local\Temp\ADC4.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Users\Admin\AppData\Local\Temp\AE41.tmp"C:\Users\Admin\AppData\Local\Temp\AE41.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\AEAF.tmp"C:\Users\Admin\AppData\Local\Temp\AEAF.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Users\Admin\AppData\Local\Temp\AEFD.tmp"C:\Users\Admin\AppData\Local\Temp\AEFD.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\AF5A.tmp"C:\Users\Admin\AppData\Local\Temp\AF5A.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Users\Admin\AppData\Local\Temp\AFC8.tmp"C:\Users\Admin\AppData\Local\Temp\AFC8.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\B016.tmp"C:\Users\Admin\AppData\Local\Temp\B016.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\B093.tmp"C:\Users\Admin\AppData\Local\Temp\B093.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\B0E1.tmp"C:\Users\Admin\AppData\Local\Temp\B0E1.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\B12F.tmp"C:\Users\Admin\AppData\Local\Temp\B12F.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\B17D.tmp"C:\Users\Admin\AppData\Local\Temp\B17D.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\B1CB.tmp"C:\Users\Admin\AppData\Local\Temp\B1CB.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\B239.tmp"C:\Users\Admin\AppData\Local\Temp\B239.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Users\Admin\AppData\Local\Temp\B2A6.tmp"C:\Users\Admin\AppData\Local\Temp\B2A6.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\B304.tmp"C:\Users\Admin\AppData\Local\Temp\B304.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\B371.tmp"C:\Users\Admin\AppData\Local\Temp\B371.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\B3EE.tmp"C:\Users\Admin\AppData\Local\Temp\B3EE.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\B43C.tmp"C:\Users\Admin\AppData\Local\Temp\B43C.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\B49A.tmp"C:\Users\Admin\AppData\Local\Temp\B49A.tmp"23⤵
- Executes dropped EXE
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\B508.tmp"C:\Users\Admin\AppData\Local\Temp\B508.tmp"24⤵
- Executes dropped EXE
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\B575.tmp"C:\Users\Admin\AppData\Local\Temp\B575.tmp"25⤵
- Executes dropped EXE
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\B5E2.tmp"C:\Users\Admin\AppData\Local\Temp\B5E2.tmp"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\B640.tmp"C:\Users\Admin\AppData\Local\Temp\B640.tmp"27⤵
- Executes dropped EXE
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\B6BD.tmp"C:\Users\Admin\AppData\Local\Temp\B6BD.tmp"28⤵
- Executes dropped EXE
PID:536 -
C:\Users\Admin\AppData\Local\Temp\B71B.tmp"C:\Users\Admin\AppData\Local\Temp\B71B.tmp"29⤵
- Executes dropped EXE
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\B788.tmp"C:\Users\Admin\AppData\Local\Temp\B788.tmp"30⤵
- Executes dropped EXE
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\B815.tmp"C:\Users\Admin\AppData\Local\Temp\B815.tmp"31⤵
- Executes dropped EXE
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\B863.tmp"C:\Users\Admin\AppData\Local\Temp\B863.tmp"32⤵
- Executes dropped EXE
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"33⤵
- Executes dropped EXE
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\B8FF.tmp"C:\Users\Admin\AppData\Local\Temp\B8FF.tmp"34⤵
- Executes dropped EXE
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\B94D.tmp"C:\Users\Admin\AppData\Local\Temp\B94D.tmp"35⤵
- Executes dropped EXE
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\B9AB.tmp"C:\Users\Admin\AppData\Local\Temp\B9AB.tmp"36⤵
- Executes dropped EXE
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\BA09.tmp"C:\Users\Admin\AppData\Local\Temp\BA09.tmp"37⤵
- Executes dropped EXE
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\BA57.tmp"C:\Users\Admin\AppData\Local\Temp\BA57.tmp"38⤵
- Executes dropped EXE
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\BAA5.tmp"C:\Users\Admin\AppData\Local\Temp\BAA5.tmp"39⤵
- Executes dropped EXE
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\BB03.tmp"C:\Users\Admin\AppData\Local\Temp\BB03.tmp"40⤵
- Executes dropped EXE
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\BB61.tmp"C:\Users\Admin\AppData\Local\Temp\BB61.tmp"41⤵
- Executes dropped EXE
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\BBBE.tmp"C:\Users\Admin\AppData\Local\Temp\BBBE.tmp"42⤵
- Executes dropped EXE
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\BC0C.tmp"C:\Users\Admin\AppData\Local\Temp\BC0C.tmp"43⤵
- Executes dropped EXE
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\BC5B.tmp"C:\Users\Admin\AppData\Local\Temp\BC5B.tmp"44⤵
- Executes dropped EXE
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\BCA9.tmp"C:\Users\Admin\AppData\Local\Temp\BCA9.tmp"45⤵
- Executes dropped EXE
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\BCF7.tmp"C:\Users\Admin\AppData\Local\Temp\BCF7.tmp"46⤵
- Executes dropped EXE
PID:640 -
C:\Users\Admin\AppData\Local\Temp\BD45.tmp"C:\Users\Admin\AppData\Local\Temp\BD45.tmp"47⤵
- Executes dropped EXE
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\BD93.tmp"C:\Users\Admin\AppData\Local\Temp\BD93.tmp"48⤵
- Executes dropped EXE
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\BDF1.tmp"C:\Users\Admin\AppData\Local\Temp\BDF1.tmp"49⤵
- Executes dropped EXE
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\BE3F.tmp"C:\Users\Admin\AppData\Local\Temp\BE3F.tmp"50⤵
- Executes dropped EXE
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\BE9D.tmp"C:\Users\Admin\AppData\Local\Temp\BE9D.tmp"51⤵
- Executes dropped EXE
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\BEEB.tmp"C:\Users\Admin\AppData\Local\Temp\BEEB.tmp"52⤵
- Executes dropped EXE
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\BF39.tmp"C:\Users\Admin\AppData\Local\Temp\BF39.tmp"53⤵
- Executes dropped EXE
PID:344 -
C:\Users\Admin\AppData\Local\Temp\BF97.tmp"C:\Users\Admin\AppData\Local\Temp\BF97.tmp"54⤵
- Executes dropped EXE
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\BFE5.tmp"C:\Users\Admin\AppData\Local\Temp\BFE5.tmp"55⤵
- Executes dropped EXE
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\C043.tmp"C:\Users\Admin\AppData\Local\Temp\C043.tmp"56⤵
- Executes dropped EXE
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\C091.tmp"C:\Users\Admin\AppData\Local\Temp\C091.tmp"57⤵
- Executes dropped EXE
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\C0EE.tmp"C:\Users\Admin\AppData\Local\Temp\C0EE.tmp"58⤵
- Executes dropped EXE
PID:3556 -
C:\Users\Admin\AppData\Local\Temp\C14C.tmp"C:\Users\Admin\AppData\Local\Temp\C14C.tmp"59⤵
- Executes dropped EXE
PID:3808 -
C:\Users\Admin\AppData\Local\Temp\C19A.tmp"C:\Users\Admin\AppData\Local\Temp\C19A.tmp"60⤵
- Executes dropped EXE
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\C1F8.tmp"C:\Users\Admin\AppData\Local\Temp\C1F8.tmp"61⤵
- Executes dropped EXE
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\C246.tmp"C:\Users\Admin\AppData\Local\Temp\C246.tmp"62⤵
- Executes dropped EXE
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\C2A4.tmp"C:\Users\Admin\AppData\Local\Temp\C2A4.tmp"63⤵
- Executes dropped EXE
PID:3312 -
C:\Users\Admin\AppData\Local\Temp\C2F2.tmp"C:\Users\Admin\AppData\Local\Temp\C2F2.tmp"64⤵
- Executes dropped EXE
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\C340.tmp"C:\Users\Admin\AppData\Local\Temp\C340.tmp"65⤵
- Executes dropped EXE
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\C38E.tmp"C:\Users\Admin\AppData\Local\Temp\C38E.tmp"66⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\C3EC.tmp"C:\Users\Admin\AppData\Local\Temp\C3EC.tmp"67⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\C43A.tmp"C:\Users\Admin\AppData\Local\Temp\C43A.tmp"68⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\C498.tmp"C:\Users\Admin\AppData\Local\Temp\C498.tmp"69⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\C4E6.tmp"C:\Users\Admin\AppData\Local\Temp\C4E6.tmp"70⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\C544.tmp"C:\Users\Admin\AppData\Local\Temp\C544.tmp"71⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\C592.tmp"C:\Users\Admin\AppData\Local\Temp\C592.tmp"72⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\C5E0.tmp"C:\Users\Admin\AppData\Local\Temp\C5E0.tmp"73⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\C62E.tmp"C:\Users\Admin\AppData\Local\Temp\C62E.tmp"74⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\C68C.tmp"C:\Users\Admin\AppData\Local\Temp\C68C.tmp"75⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\C6DA.tmp"C:\Users\Admin\AppData\Local\Temp\C6DA.tmp"76⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\C728.tmp"C:\Users\Admin\AppData\Local\Temp\C728.tmp"77⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\C776.tmp"C:\Users\Admin\AppData\Local\Temp\C776.tmp"78⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\C7C4.tmp"C:\Users\Admin\AppData\Local\Temp\C7C4.tmp"79⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\C813.tmp"C:\Users\Admin\AppData\Local\Temp\C813.tmp"80⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\C861.tmp"C:\Users\Admin\AppData\Local\Temp\C861.tmp"81⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\C8AF.tmp"C:\Users\Admin\AppData\Local\Temp\C8AF.tmp"82⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\C90D.tmp"C:\Users\Admin\AppData\Local\Temp\C90D.tmp"83⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\C96A.tmp"C:\Users\Admin\AppData\Local\Temp\C96A.tmp"84⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\C9C8.tmp"C:\Users\Admin\AppData\Local\Temp\C9C8.tmp"85⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\CA16.tmp"C:\Users\Admin\AppData\Local\Temp\CA16.tmp"86⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\CA74.tmp"C:\Users\Admin\AppData\Local\Temp\CA74.tmp"87⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\CAD2.tmp"C:\Users\Admin\AppData\Local\Temp\CAD2.tmp"88⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\CB20.tmp"C:\Users\Admin\AppData\Local\Temp\CB20.tmp"89⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\CB6E.tmp"C:\Users\Admin\AppData\Local\Temp\CB6E.tmp"90⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\CBBC.tmp"C:\Users\Admin\AppData\Local\Temp\CBBC.tmp"91⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\CC0A.tmp"C:\Users\Admin\AppData\Local\Temp\CC0A.tmp"92⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\CC58.tmp"C:\Users\Admin\AppData\Local\Temp\CC58.tmp"93⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\CCA6.tmp"C:\Users\Admin\AppData\Local\Temp\CCA6.tmp"94⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\CCF5.tmp"C:\Users\Admin\AppData\Local\Temp\CCF5.tmp"95⤵PID:1412
-
C:\Users\Admin\AppData\Local\Temp\CD43.tmp"C:\Users\Admin\AppData\Local\Temp\CD43.tmp"96⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\CDA0.tmp"C:\Users\Admin\AppData\Local\Temp\CDA0.tmp"97⤵
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\CDEF.tmp"C:\Users\Admin\AppData\Local\Temp\CDEF.tmp"98⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\CE4C.tmp"C:\Users\Admin\AppData\Local\Temp\CE4C.tmp"99⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\CE9A.tmp"C:\Users\Admin\AppData\Local\Temp\CE9A.tmp"100⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\CEE9.tmp"C:\Users\Admin\AppData\Local\Temp\CEE9.tmp"101⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\CF37.tmp"C:\Users\Admin\AppData\Local\Temp\CF37.tmp"102⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\CF85.tmp"C:\Users\Admin\AppData\Local\Temp\CF85.tmp"103⤵PID:3296
-
C:\Users\Admin\AppData\Local\Temp\CFD3.tmp"C:\Users\Admin\AppData\Local\Temp\CFD3.tmp"104⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\D021.tmp"C:\Users\Admin\AppData\Local\Temp\D021.tmp"105⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\D06F.tmp"C:\Users\Admin\AppData\Local\Temp\D06F.tmp"106⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\D0BD.tmp"C:\Users\Admin\AppData\Local\Temp\D0BD.tmp"107⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\D10B.tmp"C:\Users\Admin\AppData\Local\Temp\D10B.tmp"108⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\D15A.tmp"C:\Users\Admin\AppData\Local\Temp\D15A.tmp"109⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\D1A8.tmp"C:\Users\Admin\AppData\Local\Temp\D1A8.tmp"110⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\D1F6.tmp"C:\Users\Admin\AppData\Local\Temp\D1F6.tmp"111⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\D244.tmp"C:\Users\Admin\AppData\Local\Temp\D244.tmp"112⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\D292.tmp"C:\Users\Admin\AppData\Local\Temp\D292.tmp"113⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\D2E0.tmp"C:\Users\Admin\AppData\Local\Temp\D2E0.tmp"114⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\D32E.tmp"C:\Users\Admin\AppData\Local\Temp\D32E.tmp"115⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\D37C.tmp"C:\Users\Admin\AppData\Local\Temp\D37C.tmp"116⤵PID:4308
-
C:\Users\Admin\AppData\Local\Temp\D3CB.tmp"C:\Users\Admin\AppData\Local\Temp\D3CB.tmp"117⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\D419.tmp"C:\Users\Admin\AppData\Local\Temp\D419.tmp"118⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\D476.tmp"C:\Users\Admin\AppData\Local\Temp\D476.tmp"119⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\D4C5.tmp"C:\Users\Admin\AppData\Local\Temp\D4C5.tmp"120⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\D522.tmp"C:\Users\Admin\AppData\Local\Temp\D522.tmp"121⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\D580.tmp"C:\Users\Admin\AppData\Local\Temp\D580.tmp"122⤵PID:3832