Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system -
submitted
03/07/2025, 05:56
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe
Resource
win11-20250619-en
General
-
Target
2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe
-
Size
520KB
-
MD5
90016714f6cf7dc7b4e2a09e4ce6f4c6
-
SHA1
dbea7941077f5d2ee20ce974981933230a83b268
-
SHA256
8fc84170adc7838af8cc6e15994acb4ca9684acd99281d5b6a69185d8107e01d
-
SHA512
a52cb119202feaf77f6ae6c5c745616c9e1b4cb26084a8ebcf3551af2f17a862d4c4e74f9fa2663522c8fcfe3a8f133ac56429462e1f962a22177c8faa5fd3fb
-
SSDEEP
12288:gj8fuxR21t5i8fdkm+f7vPNeg2N6np1AJTaKMYoNZ6:gj8fuK1GY47vP4O1tnNI
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4984 9328.tmp 3908 93A5.tmp 2896 9412.tmp 5464 948F.tmp 4032 94ED.tmp 1900 954B.tmp 2232 95B8.tmp 432 9635.tmp 4404 96B2.tmp 4540 9700.tmp 4656 977D.tmp 4824 97FA.tmp 4360 9867.tmp 4716 98B6.tmp 4736 9904.tmp 4692 9952.tmp 4376 99B0.tmp 1196 99FE.tmp 3968 9A7B.tmp 5008 9AE8.tmp 4876 9B46.tmp 2672 9BB3.tmp 5016 9C11.tmp 2616 9C7E.tmp 1772 9CCC.tmp 4680 9D3A.tmp 1660 9DB7.tmp 2240 9E24.tmp 3616 9EA1.tmp 5724 9F0F.tmp 3988 9F7C.tmp 3656 9FE9.tmp 5380 A057.tmp 5424 A0B4.tmp 3764 A112.tmp 4092 A160.tmp 6124 A1AE.tmp 4168 A1FD.tmp 3972 A24B.tmp 5480 A299.tmp 2020 A2E7.tmp 3952 A325.tmp 628 A374.tmp 2812 A3C2.tmp 3020 A410.tmp 388 A45E.tmp 772 A4AC.tmp 3320 A4FA.tmp 1080 A548.tmp 452 A596.tmp 3804 A5E5.tmp 4300 A633.tmp 708 A681.tmp 5772 A6CF.tmp 2168 A71D.tmp 4676 A77B.tmp 3692 A7C9.tmp 1452 A827.tmp 1804 A875.tmp 5484 A8C3.tmp 4076 A911.tmp 4832 A95F.tmp 4064 A9AD.tmp 5108 AA0B.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1CE9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3E7B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BA8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DC61.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6B86.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D7EC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 915E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C36A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C58D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CB4F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 858.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3B9D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C091.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E38A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E426.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D174.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 954B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A374.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DA91.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FF7E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 894F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9D45.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B565.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DD02.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 402.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 47F1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FA1F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 500F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8C6C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BFE5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D03C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2EDB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 397A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8BB1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C5DB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A112.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CDEF.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3184 wrote to memory of 4984 3184 2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe 87 PID 3184 wrote to memory of 4984 3184 2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe 87 PID 3184 wrote to memory of 4984 3184 2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe 87 PID 4984 wrote to memory of 3908 4984 9328.tmp 88 PID 4984 wrote to memory of 3908 4984 9328.tmp 88 PID 4984 wrote to memory of 3908 4984 9328.tmp 88 PID 3908 wrote to memory of 2896 3908 93A5.tmp 91 PID 3908 wrote to memory of 2896 3908 93A5.tmp 91 PID 3908 wrote to memory of 2896 3908 93A5.tmp 91 PID 2896 wrote to memory of 5464 2896 9412.tmp 93 PID 2896 wrote to memory of 5464 2896 9412.tmp 93 PID 2896 wrote to memory of 5464 2896 9412.tmp 93 PID 5464 wrote to memory of 4032 5464 948F.tmp 94 PID 5464 wrote to memory of 4032 5464 948F.tmp 94 PID 5464 wrote to memory of 4032 5464 948F.tmp 94 PID 4032 wrote to memory of 1900 4032 94ED.tmp 95 PID 4032 wrote to memory of 1900 4032 94ED.tmp 95 PID 4032 wrote to memory of 1900 4032 94ED.tmp 95 PID 1900 wrote to memory of 2232 1900 954B.tmp 96 PID 1900 wrote to memory of 2232 1900 954B.tmp 96 PID 1900 wrote to memory of 2232 1900 954B.tmp 96 PID 2232 wrote to memory of 432 2232 95B8.tmp 97 PID 2232 wrote to memory of 432 2232 95B8.tmp 97 PID 2232 wrote to memory of 432 2232 95B8.tmp 97 PID 432 wrote to memory of 4404 432 9635.tmp 98 PID 432 wrote to memory of 4404 432 9635.tmp 98 PID 432 wrote to memory of 4404 432 9635.tmp 98 PID 4404 wrote to memory of 4540 4404 96B2.tmp 99 PID 4404 wrote to memory of 4540 4404 96B2.tmp 99 PID 4404 wrote to memory of 4540 4404 96B2.tmp 99 PID 4540 wrote to memory of 4656 4540 9700.tmp 100 PID 4540 wrote to memory of 4656 4540 9700.tmp 100 PID 4540 wrote to memory of 4656 4540 9700.tmp 100 PID 4656 wrote to memory of 4824 4656 977D.tmp 101 PID 4656 wrote to memory of 4824 4656 977D.tmp 101 PID 4656 wrote to memory of 4824 4656 977D.tmp 101 PID 4824 wrote to memory of 4360 4824 97FA.tmp 102 PID 4824 wrote to memory of 4360 4824 97FA.tmp 102 PID 4824 wrote to memory of 4360 4824 97FA.tmp 102 PID 4360 wrote to memory of 4716 4360 9867.tmp 103 PID 4360 wrote to memory of 4716 4360 9867.tmp 103 PID 4360 wrote to memory of 4716 4360 9867.tmp 103 PID 4716 wrote to memory of 4736 4716 98B6.tmp 104 PID 4716 wrote to memory of 4736 4716 98B6.tmp 104 PID 4716 wrote to memory of 4736 4716 98B6.tmp 104 PID 4736 wrote to memory of 4692 4736 9904.tmp 105 PID 4736 wrote to memory of 4692 4736 9904.tmp 105 PID 4736 wrote to memory of 4692 4736 9904.tmp 105 PID 4692 wrote to memory of 4376 4692 9952.tmp 106 PID 4692 wrote to memory of 4376 4692 9952.tmp 106 PID 4692 wrote to memory of 4376 4692 9952.tmp 106 PID 4376 wrote to memory of 1196 4376 99B0.tmp 107 PID 4376 wrote to memory of 1196 4376 99B0.tmp 107 PID 4376 wrote to memory of 1196 4376 99B0.tmp 107 PID 1196 wrote to memory of 3968 1196 99FE.tmp 108 PID 1196 wrote to memory of 3968 1196 99FE.tmp 108 PID 1196 wrote to memory of 3968 1196 99FE.tmp 108 PID 3968 wrote to memory of 5008 3968 9A7B.tmp 109 PID 3968 wrote to memory of 5008 3968 9A7B.tmp 109 PID 3968 wrote to memory of 5008 3968 9A7B.tmp 109 PID 5008 wrote to memory of 4876 5008 9AE8.tmp 110 PID 5008 wrote to memory of 4876 5008 9AE8.tmp 110 PID 5008 wrote to memory of 4876 5008 9AE8.tmp 110 PID 4876 wrote to memory of 2672 4876 9B46.tmp 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\9328.tmp"C:\Users\Admin\AppData\Local\Temp\9328.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\93A5.tmp"C:\Users\Admin\AppData\Local\Temp\93A5.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\9412.tmp"C:\Users\Admin\AppData\Local\Temp\9412.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\948F.tmp"C:\Users\Admin\AppData\Local\Temp\948F.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5464 -
C:\Users\Admin\AppData\Local\Temp\94ED.tmp"C:\Users\Admin\AppData\Local\Temp\94ED.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\954B.tmp"C:\Users\Admin\AppData\Local\Temp\954B.tmp"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\95B8.tmp"C:\Users\Admin\AppData\Local\Temp\95B8.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\9635.tmp"C:\Users\Admin\AppData\Local\Temp\9635.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Users\Admin\AppData\Local\Temp\96B2.tmp"C:\Users\Admin\AppData\Local\Temp\96B2.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\9700.tmp"C:\Users\Admin\AppData\Local\Temp\9700.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\977D.tmp"C:\Users\Admin\AppData\Local\Temp\977D.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\97FA.tmp"C:\Users\Admin\AppData\Local\Temp\97FA.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\9867.tmp"C:\Users\Admin\AppData\Local\Temp\9867.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\98B6.tmp"C:\Users\Admin\AppData\Local\Temp\98B6.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\9904.tmp"C:\Users\Admin\AppData\Local\Temp\9904.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\9952.tmp"C:\Users\Admin\AppData\Local\Temp\9952.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\99B0.tmp"C:\Users\Admin\AppData\Local\Temp\99B0.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\99FE.tmp"C:\Users\Admin\AppData\Local\Temp\99FE.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\9A7B.tmp"C:\Users\Admin\AppData\Local\Temp\9A7B.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\9AE8.tmp"C:\Users\Admin\AppData\Local\Temp\9AE8.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\9B46.tmp"C:\Users\Admin\AppData\Local\Temp\9B46.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\9BB3.tmp"C:\Users\Admin\AppData\Local\Temp\9BB3.tmp"23⤵
- Executes dropped EXE
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\9C11.tmp"C:\Users\Admin\AppData\Local\Temp\9C11.tmp"24⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp"C:\Users\Admin\AppData\Local\Temp\9C7E.tmp"25⤵
- Executes dropped EXE
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\9CCC.tmp"C:\Users\Admin\AppData\Local\Temp\9CCC.tmp"26⤵
- Executes dropped EXE
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\9D3A.tmp"C:\Users\Admin\AppData\Local\Temp\9D3A.tmp"27⤵
- Executes dropped EXE
PID:4680 -
C:\Users\Admin\AppData\Local\Temp\9DB7.tmp"C:\Users\Admin\AppData\Local\Temp\9DB7.tmp"28⤵
- Executes dropped EXE
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\9E24.tmp"C:\Users\Admin\AppData\Local\Temp\9E24.tmp"29⤵
- Executes dropped EXE
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\9EA1.tmp"C:\Users\Admin\AppData\Local\Temp\9EA1.tmp"30⤵
- Executes dropped EXE
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\9F0F.tmp"C:\Users\Admin\AppData\Local\Temp\9F0F.tmp"31⤵
- Executes dropped EXE
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\9F7C.tmp"C:\Users\Admin\AppData\Local\Temp\9F7C.tmp"32⤵
- Executes dropped EXE
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"33⤵
- Executes dropped EXE
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\A057.tmp"C:\Users\Admin\AppData\Local\Temp\A057.tmp"34⤵
- Executes dropped EXE
PID:5380 -
C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"35⤵
- Executes dropped EXE
PID:5424 -
C:\Users\Admin\AppData\Local\Temp\A112.tmp"C:\Users\Admin\AppData\Local\Temp\A112.tmp"36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\A160.tmp"C:\Users\Admin\AppData\Local\Temp\A160.tmp"37⤵
- Executes dropped EXE
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\A1AE.tmp"C:\Users\Admin\AppData\Local\Temp\A1AE.tmp"38⤵
- Executes dropped EXE
PID:6124 -
C:\Users\Admin\AppData\Local\Temp\A1FD.tmp"C:\Users\Admin\AppData\Local\Temp\A1FD.tmp"39⤵
- Executes dropped EXE
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\A24B.tmp"C:\Users\Admin\AppData\Local\Temp\A24B.tmp"40⤵
- Executes dropped EXE
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\A299.tmp"C:\Users\Admin\AppData\Local\Temp\A299.tmp"41⤵
- Executes dropped EXE
PID:5480 -
C:\Users\Admin\AppData\Local\Temp\A2E7.tmp"C:\Users\Admin\AppData\Local\Temp\A2E7.tmp"42⤵
- Executes dropped EXE
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\A325.tmp"C:\Users\Admin\AppData\Local\Temp\A325.tmp"43⤵
- Executes dropped EXE
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\A374.tmp"C:\Users\Admin\AppData\Local\Temp\A374.tmp"44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:628 -
C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"45⤵
- Executes dropped EXE
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\A410.tmp"C:\Users\Admin\AppData\Local\Temp\A410.tmp"46⤵
- Executes dropped EXE
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\A45E.tmp"C:\Users\Admin\AppData\Local\Temp\A45E.tmp"47⤵
- Executes dropped EXE
PID:388 -
C:\Users\Admin\AppData\Local\Temp\A4AC.tmp"C:\Users\Admin\AppData\Local\Temp\A4AC.tmp"48⤵
- Executes dropped EXE
PID:772 -
C:\Users\Admin\AppData\Local\Temp\A4FA.tmp"C:\Users\Admin\AppData\Local\Temp\A4FA.tmp"49⤵
- Executes dropped EXE
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\A548.tmp"C:\Users\Admin\AppData\Local\Temp\A548.tmp"50⤵
- Executes dropped EXE
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\A596.tmp"C:\Users\Admin\AppData\Local\Temp\A596.tmp"51⤵
- Executes dropped EXE
PID:452 -
C:\Users\Admin\AppData\Local\Temp\A5E5.tmp"C:\Users\Admin\AppData\Local\Temp\A5E5.tmp"52⤵
- Executes dropped EXE
PID:3804 -
C:\Users\Admin\AppData\Local\Temp\A633.tmp"C:\Users\Admin\AppData\Local\Temp\A633.tmp"53⤵
- Executes dropped EXE
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\A681.tmp"C:\Users\Admin\AppData\Local\Temp\A681.tmp"54⤵
- Executes dropped EXE
PID:708 -
C:\Users\Admin\AppData\Local\Temp\A6CF.tmp"C:\Users\Admin\AppData\Local\Temp\A6CF.tmp"55⤵
- Executes dropped EXE
PID:5772 -
C:\Users\Admin\AppData\Local\Temp\A71D.tmp"C:\Users\Admin\AppData\Local\Temp\A71D.tmp"56⤵
- Executes dropped EXE
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\A77B.tmp"C:\Users\Admin\AppData\Local\Temp\A77B.tmp"57⤵
- Executes dropped EXE
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\A7C9.tmp"C:\Users\Admin\AppData\Local\Temp\A7C9.tmp"58⤵
- Executes dropped EXE
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\A827.tmp"C:\Users\Admin\AppData\Local\Temp\A827.tmp"59⤵
- Executes dropped EXE
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\A875.tmp"C:\Users\Admin\AppData\Local\Temp\A875.tmp"60⤵
- Executes dropped EXE
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\A8C3.tmp"C:\Users\Admin\AppData\Local\Temp\A8C3.tmp"61⤵
- Executes dropped EXE
PID:5484 -
C:\Users\Admin\AppData\Local\Temp\A911.tmp"C:\Users\Admin\AppData\Local\Temp\A911.tmp"62⤵
- Executes dropped EXE
PID:4076 -
C:\Users\Admin\AppData\Local\Temp\A95F.tmp"C:\Users\Admin\AppData\Local\Temp\A95F.tmp"63⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"64⤵
- Executes dropped EXE
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\AA0B.tmp"C:\Users\Admin\AppData\Local\Temp\AA0B.tmp"65⤵
- Executes dropped EXE
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\AA59.tmp"C:\Users\Admin\AppData\Local\Temp\AA59.tmp"66⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\AAA7.tmp"C:\Users\Admin\AppData\Local\Temp\AAA7.tmp"67⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\AAF5.tmp"C:\Users\Admin\AppData\Local\Temp\AAF5.tmp"68⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\AB53.tmp"C:\Users\Admin\AppData\Local\Temp\AB53.tmp"69⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\ABA1.tmp"C:\Users\Admin\AppData\Local\Temp\ABA1.tmp"70⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\ABEF.tmp"C:\Users\Admin\AppData\Local\Temp\ABEF.tmp"71⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\AC3E.tmp"C:\Users\Admin\AppData\Local\Temp\AC3E.tmp"72⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\AC9B.tmp"C:\Users\Admin\AppData\Local\Temp\AC9B.tmp"73⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\ACF9.tmp"C:\Users\Admin\AppData\Local\Temp\ACF9.tmp"74⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\AD57.tmp"C:\Users\Admin\AppData\Local\Temp\AD57.tmp"75⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\ADA5.tmp"C:\Users\Admin\AppData\Local\Temp\ADA5.tmp"76⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\ADF3.tmp"C:\Users\Admin\AppData\Local\Temp\ADF3.tmp"77⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\AE41.tmp"C:\Users\Admin\AppData\Local\Temp\AE41.tmp"78⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\AE8F.tmp"C:\Users\Admin\AppData\Local\Temp\AE8F.tmp"79⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\AEDD.tmp"C:\Users\Admin\AppData\Local\Temp\AEDD.tmp"80⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\AF2C.tmp"C:\Users\Admin\AppData\Local\Temp\AF2C.tmp"81⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\AF89.tmp"C:\Users\Admin\AppData\Local\Temp\AF89.tmp"82⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\AFD7.tmp"C:\Users\Admin\AppData\Local\Temp\AFD7.tmp"83⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\B035.tmp"C:\Users\Admin\AppData\Local\Temp\B035.tmp"84⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\B083.tmp"C:\Users\Admin\AppData\Local\Temp\B083.tmp"85⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\B0E1.tmp"C:\Users\Admin\AppData\Local\Temp\B0E1.tmp"86⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\B13F.tmp"C:\Users\Admin\AppData\Local\Temp\B13F.tmp"87⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\B18D.tmp"C:\Users\Admin\AppData\Local\Temp\B18D.tmp"88⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\B1DB.tmp"C:\Users\Admin\AppData\Local\Temp\B1DB.tmp"89⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\B229.tmp"C:\Users\Admin\AppData\Local\Temp\B229.tmp"90⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\B277.tmp"C:\Users\Admin\AppData\Local\Temp\B277.tmp"91⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\B2D5.tmp"C:\Users\Admin\AppData\Local\Temp\B2D5.tmp"92⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\B333.tmp"C:\Users\Admin\AppData\Local\Temp\B333.tmp"93⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\B381.tmp"C:\Users\Admin\AppData\Local\Temp\B381.tmp"94⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\B3CF.tmp"C:\Users\Admin\AppData\Local\Temp\B3CF.tmp"95⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\B41D.tmp"C:\Users\Admin\AppData\Local\Temp\B41D.tmp"96⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\B47B.tmp"C:\Users\Admin\AppData\Local\Temp\B47B.tmp"97⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp"C:\Users\Admin\AppData\Local\Temp\B4C9.tmp"98⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\B517.tmp"C:\Users\Admin\AppData\Local\Temp\B517.tmp"99⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\B565.tmp"C:\Users\Admin\AppData\Local\Temp\B565.tmp"100⤵
- System Location Discovery: System Language Discovery
PID:544 -
C:\Users\Admin\AppData\Local\Temp\B5C3.tmp"C:\Users\Admin\AppData\Local\Temp\B5C3.tmp"101⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\B611.tmp"C:\Users\Admin\AppData\Local\Temp\B611.tmp"102⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\B65F.tmp"C:\Users\Admin\AppData\Local\Temp\B65F.tmp"103⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\B6AD.tmp"C:\Users\Admin\AppData\Local\Temp\B6AD.tmp"104⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"105⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\B74A.tmp"C:\Users\Admin\AppData\Local\Temp\B74A.tmp"106⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\B798.tmp"C:\Users\Admin\AppData\Local\Temp\B798.tmp"107⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\B7F6.tmp"C:\Users\Admin\AppData\Local\Temp\B7F6.tmp"108⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\B853.tmp"C:\Users\Admin\AppData\Local\Temp\B853.tmp"109⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"110⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\B90F.tmp"C:\Users\Admin\AppData\Local\Temp\B90F.tmp"111⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\B96D.tmp"C:\Users\Admin\AppData\Local\Temp\B96D.tmp"112⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\B9BB.tmp"C:\Users\Admin\AppData\Local\Temp\B9BB.tmp"113⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\BA09.tmp"C:\Users\Admin\AppData\Local\Temp\BA09.tmp"114⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\BA57.tmp"C:\Users\Admin\AppData\Local\Temp\BA57.tmp"115⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\BAB5.tmp"C:\Users\Admin\AppData\Local\Temp\BAB5.tmp"116⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\BB12.tmp"C:\Users\Admin\AppData\Local\Temp\BB12.tmp"117⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\BB61.tmp"C:\Users\Admin\AppData\Local\Temp\BB61.tmp"118⤵PID:5576
-
C:\Users\Admin\AppData\Local\Temp\BBAF.tmp"C:\Users\Admin\AppData\Local\Temp\BBAF.tmp"119⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\BBFD.tmp"C:\Users\Admin\AppData\Local\Temp\BBFD.tmp"120⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"121⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\BC99.tmp"C:\Users\Admin\AppData\Local\Temp\BC99.tmp"122⤵PID:3876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-