Analysis
-
max time kernel
150s -
max time network
110s -
platform
windows11-21h2_x64 -
resource
win11-20250619-en -
resource tags
arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
03/07/2025, 05:56
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe
Resource
win11-20250619-en
General
-
Target
2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe
-
Size
520KB
-
MD5
90016714f6cf7dc7b4e2a09e4ce6f4c6
-
SHA1
dbea7941077f5d2ee20ce974981933230a83b268
-
SHA256
8fc84170adc7838af8cc6e15994acb4ca9684acd99281d5b6a69185d8107e01d
-
SHA512
a52cb119202feaf77f6ae6c5c745616c9e1b4cb26084a8ebcf3551af2f17a862d4c4e74f9fa2663522c8fcfe3a8f133ac56429462e1f962a22177c8faa5fd3fb
-
SSDEEP
12288:gj8fuxR21t5i8fdkm+f7vPNeg2N6np1AJTaKMYoNZ6:gj8fuK1GY47vP4O1tnNI
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_90016714f6cf7dc7b4e2a09e4ce6f4c6_elex_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\7501.tmp"C:\Users\Admin\AppData\Local\Temp\7501.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\755F.tmp"C:\Users\Admin\AppData\Local\Temp\755F.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\75DC.tmp"C:\Users\Admin\AppData\Local\Temp\75DC.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\7639.tmp"C:\Users\Admin\AppData\Local\Temp\7639.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\7697.tmp"C:\Users\Admin\AppData\Local\Temp\7697.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5956 -
C:\Users\Admin\AppData\Local\Temp\7714.tmp"C:\Users\Admin\AppData\Local\Temp\7714.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Users\Admin\AppData\Local\Temp\7762.tmp"C:\Users\Admin\AppData\Local\Temp\7762.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\77B0.tmp"C:\Users\Admin\AppData\Local\Temp\77B0.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5516 -
C:\Users\Admin\AppData\Local\Temp\782D.tmp"C:\Users\Admin\AppData\Local\Temp\782D.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\787C.tmp"C:\Users\Admin\AppData\Local\Temp\787C.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\78CA.tmp"C:\Users\Admin\AppData\Local\Temp\78CA.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\7947.tmp"C:\Users\Admin\AppData\Local\Temp\7947.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\79B4.tmp"C:\Users\Admin\AppData\Local\Temp\79B4.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\7A21.tmp"C:\Users\Admin\AppData\Local\Temp\7A21.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\7A9E.tmp"C:\Users\Admin\AppData\Local\Temp\7A9E.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\7B0C.tmp"C:\Users\Admin\AppData\Local\Temp\7B0C.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\7B6A.tmp"C:\Users\Admin\AppData\Local\Temp\7B6A.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5172 -
C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\7C15.tmp"C:\Users\Admin\AppData\Local\Temp\7C15.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\7C73.tmp"C:\Users\Admin\AppData\Local\Temp\7C73.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"23⤵
- Executes dropped EXE
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"24⤵
- Executes dropped EXE
PID:5472 -
C:\Users\Admin\AppData\Local\Temp\7DEA.tmp"C:\Users\Admin\AppData\Local\Temp\7DEA.tmp"25⤵
- Executes dropped EXE
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\7E48.tmp"C:\Users\Admin\AppData\Local\Temp\7E48.tmp"26⤵
- Executes dropped EXE
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\7E96.tmp"C:\Users\Admin\AppData\Local\Temp\7E96.tmp"27⤵
- Executes dropped EXE
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\7F13.tmp"C:\Users\Admin\AppData\Local\Temp\7F13.tmp"28⤵
- Executes dropped EXE
PID:3652 -
C:\Users\Admin\AppData\Local\Temp\7F61.tmp"C:\Users\Admin\AppData\Local\Temp\7F61.tmp"29⤵
- Executes dropped EXE
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\7FCF.tmp"C:\Users\Admin\AppData\Local\Temp\7FCF.tmp"30⤵
- Executes dropped EXE
PID:5696 -
C:\Users\Admin\AppData\Local\Temp\803C.tmp"C:\Users\Admin\AppData\Local\Temp\803C.tmp"31⤵
- Executes dropped EXE
PID:5164 -
C:\Users\Admin\AppData\Local\Temp\80A9.tmp"C:\Users\Admin\AppData\Local\Temp\80A9.tmp"32⤵
- Executes dropped EXE
PID:684 -
C:\Users\Admin\AppData\Local\Temp\80F7.tmp"C:\Users\Admin\AppData\Local\Temp\80F7.tmp"33⤵
- Executes dropped EXE
PID:432 -
C:\Users\Admin\AppData\Local\Temp\8165.tmp"C:\Users\Admin\AppData\Local\Temp\8165.tmp"34⤵
- Executes dropped EXE
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\81C3.tmp"C:\Users\Admin\AppData\Local\Temp\81C3.tmp"35⤵
- Executes dropped EXE
PID:5184 -
C:\Users\Admin\AppData\Local\Temp\8211.tmp"C:\Users\Admin\AppData\Local\Temp\8211.tmp"36⤵
- Executes dropped EXE
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\826E.tmp"C:\Users\Admin\AppData\Local\Temp\826E.tmp"37⤵
- Executes dropped EXE
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\82CC.tmp"C:\Users\Admin\AppData\Local\Temp\82CC.tmp"38⤵
- Executes dropped EXE
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\832A.tmp"C:\Users\Admin\AppData\Local\Temp\832A.tmp"39⤵
- Executes dropped EXE
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\8378.tmp"C:\Users\Admin\AppData\Local\Temp\8378.tmp"40⤵
- Executes dropped EXE
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\83D6.tmp"C:\Users\Admin\AppData\Local\Temp\83D6.tmp"41⤵
- Executes dropped EXE
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\8434.tmp"C:\Users\Admin\AppData\Local\Temp\8434.tmp"42⤵
- Executes dropped EXE
PID:5876 -
C:\Users\Admin\AppData\Local\Temp\8491.tmp"C:\Users\Admin\AppData\Local\Temp\8491.tmp"43⤵
- Executes dropped EXE
PID:224 -
C:\Users\Admin\AppData\Local\Temp\84EF.tmp"C:\Users\Admin\AppData\Local\Temp\84EF.tmp"44⤵
- Executes dropped EXE
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\853D.tmp"C:\Users\Admin\AppData\Local\Temp\853D.tmp"45⤵
- Executes dropped EXE
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\858B.tmp"C:\Users\Admin\AppData\Local\Temp\858B.tmp"46⤵
- Executes dropped EXE
PID:4072 -
C:\Users\Admin\AppData\Local\Temp\85D9.tmp"C:\Users\Admin\AppData\Local\Temp\85D9.tmp"47⤵
- Executes dropped EXE
PID:1848 -
C:\Users\Admin\AppData\Local\Temp\8637.tmp"C:\Users\Admin\AppData\Local\Temp\8637.tmp"48⤵
- Executes dropped EXE
PID:3420 -
C:\Users\Admin\AppData\Local\Temp\8695.tmp"C:\Users\Admin\AppData\Local\Temp\8695.tmp"49⤵
- Executes dropped EXE
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\86F3.tmp"C:\Users\Admin\AppData\Local\Temp\86F3.tmp"50⤵
- Executes dropped EXE
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\8750.tmp"C:\Users\Admin\AppData\Local\Temp\8750.tmp"51⤵
- Executes dropped EXE
PID:6072 -
C:\Users\Admin\AppData\Local\Temp\87AE.tmp"C:\Users\Admin\AppData\Local\Temp\87AE.tmp"52⤵
- Executes dropped EXE
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\881C.tmp"C:\Users\Admin\AppData\Local\Temp\881C.tmp"53⤵
- Executes dropped EXE
PID:6124 -
C:\Users\Admin\AppData\Local\Temp\8879.tmp"C:\Users\Admin\AppData\Local\Temp\8879.tmp"54⤵
- Executes dropped EXE
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\88C7.tmp"C:\Users\Admin\AppData\Local\Temp\88C7.tmp"55⤵
- Executes dropped EXE
PID:3784 -
C:\Users\Admin\AppData\Local\Temp\8916.tmp"C:\Users\Admin\AppData\Local\Temp\8916.tmp"56⤵
- Executes dropped EXE
PID:952 -
C:\Users\Admin\AppData\Local\Temp\8973.tmp"C:\Users\Admin\AppData\Local\Temp\8973.tmp"57⤵
- Executes dropped EXE
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\89C1.tmp"C:\Users\Admin\AppData\Local\Temp\89C1.tmp"58⤵
- Executes dropped EXE
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\8A10.tmp"C:\Users\Admin\AppData\Local\Temp\8A10.tmp"59⤵
- Executes dropped EXE
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"60⤵
- Executes dropped EXE
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\8AAC.tmp"C:\Users\Admin\AppData\Local\Temp\8AAC.tmp"61⤵
- Executes dropped EXE
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\8AFA.tmp"C:\Users\Admin\AppData\Local\Temp\8AFA.tmp"62⤵
- Executes dropped EXE
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\8B48.tmp"C:\Users\Admin\AppData\Local\Temp\8B48.tmp"63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5268 -
C:\Users\Admin\AppData\Local\Temp\8B96.tmp"C:\Users\Admin\AppData\Local\Temp\8B96.tmp"64⤵
- Executes dropped EXE
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"65⤵
- Executes dropped EXE
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\8C32.tmp"C:\Users\Admin\AppData\Local\Temp\8C32.tmp"66⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\8C81.tmp"C:\Users\Admin\AppData\Local\Temp\8C81.tmp"67⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\8CDE.tmp"C:\Users\Admin\AppData\Local\Temp\8CDE.tmp"68⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"69⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\8D9A.tmp"C:\Users\Admin\AppData\Local\Temp\8D9A.tmp"70⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\8DE8.tmp"C:\Users\Admin\AppData\Local\Temp\8DE8.tmp"71⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\8E36.tmp"C:\Users\Admin\AppData\Local\Temp\8E36.tmp"72⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\8E84.tmp"C:\Users\Admin\AppData\Local\Temp\8E84.tmp"73⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\8EE2.tmp"C:\Users\Admin\AppData\Local\Temp\8EE2.tmp"74⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\8F30.tmp"C:\Users\Admin\AppData\Local\Temp\8F30.tmp"75⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\8F8E.tmp"C:\Users\Admin\AppData\Local\Temp\8F8E.tmp"76⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\8FDC.tmp"C:\Users\Admin\AppData\Local\Temp\8FDC.tmp"77⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\903A.tmp"C:\Users\Admin\AppData\Local\Temp\903A.tmp"78⤵PID:236
-
C:\Users\Admin\AppData\Local\Temp\9088.tmp"C:\Users\Admin\AppData\Local\Temp\9088.tmp"79⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\90D6.tmp"C:\Users\Admin\AppData\Local\Temp\90D6.tmp"80⤵PID:5612
-
C:\Users\Admin\AppData\Local\Temp\9134.tmp"C:\Users\Admin\AppData\Local\Temp\9134.tmp"81⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\9191.tmp"C:\Users\Admin\AppData\Local\Temp\9191.tmp"82⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\91E0.tmp"C:\Users\Admin\AppData\Local\Temp\91E0.tmp"83⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\922E.tmp"C:\Users\Admin\AppData\Local\Temp\922E.tmp"84⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\928B.tmp"C:\Users\Admin\AppData\Local\Temp\928B.tmp"85⤵PID:480
-
C:\Users\Admin\AppData\Local\Temp\92E9.tmp"C:\Users\Admin\AppData\Local\Temp\92E9.tmp"86⤵PID:5892
-
C:\Users\Admin\AppData\Local\Temp\9337.tmp"C:\Users\Admin\AppData\Local\Temp\9337.tmp"87⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\9395.tmp"C:\Users\Admin\AppData\Local\Temp\9395.tmp"88⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\93E3.tmp"C:\Users\Admin\AppData\Local\Temp\93E3.tmp"89⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\9441.tmp"C:\Users\Admin\AppData\Local\Temp\9441.tmp"90⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\948F.tmp"C:\Users\Admin\AppData\Local\Temp\948F.tmp"91⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\94ED.tmp"C:\Users\Admin\AppData\Local\Temp\94ED.tmp"92⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\953B.tmp"C:\Users\Admin\AppData\Local\Temp\953B.tmp"93⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\9589.tmp"C:\Users\Admin\AppData\Local\Temp\9589.tmp"94⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\95C8.tmp"C:\Users\Admin\AppData\Local\Temp\95C8.tmp"95⤵PID:5760
-
C:\Users\Admin\AppData\Local\Temp\9616.tmp"C:\Users\Admin\AppData\Local\Temp\9616.tmp"96⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\9673.tmp"C:\Users\Admin\AppData\Local\Temp\9673.tmp"97⤵PID:5316
-
C:\Users\Admin\AppData\Local\Temp\96D1.tmp"C:\Users\Admin\AppData\Local\Temp\96D1.tmp"98⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\971F.tmp"C:\Users\Admin\AppData\Local\Temp\971F.tmp"99⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\977D.tmp"C:\Users\Admin\AppData\Local\Temp\977D.tmp"100⤵PID:5528
-
C:\Users\Admin\AppData\Local\Temp\97CB.tmp"C:\Users\Admin\AppData\Local\Temp\97CB.tmp"101⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\9819.tmp"C:\Users\Admin\AppData\Local\Temp\9819.tmp"102⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\9877.tmp"C:\Users\Admin\AppData\Local\Temp\9877.tmp"103⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\98D5.tmp"C:\Users\Admin\AppData\Local\Temp\98D5.tmp"104⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\9923.tmp"C:\Users\Admin\AppData\Local\Temp\9923.tmp"105⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\9971.tmp"C:\Users\Admin\AppData\Local\Temp\9971.tmp"106⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\99BF.tmp"C:\Users\Admin\AppData\Local\Temp\99BF.tmp"107⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\9A0D.tmp"C:\Users\Admin\AppData\Local\Temp\9A0D.tmp"108⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\9A6B.tmp"C:\Users\Admin\AppData\Local\Temp\9A6B.tmp"109⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\9AB9.tmp"C:\Users\Admin\AppData\Local\Temp\9AB9.tmp"110⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\9B17.tmp"C:\Users\Admin\AppData\Local\Temp\9B17.tmp"111⤵PID:5936
-
C:\Users\Admin\AppData\Local\Temp\9B65.tmp"C:\Users\Admin\AppData\Local\Temp\9B65.tmp"112⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\9BB3.tmp"C:\Users\Admin\AppData\Local\Temp\9BB3.tmp"113⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\9C01.tmp"C:\Users\Admin\AppData\Local\Temp\9C01.tmp"114⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\9C4F.tmp"C:\Users\Admin\AppData\Local\Temp\9C4F.tmp"115⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\9CAD.tmp"C:\Users\Admin\AppData\Local\Temp\9CAD.tmp"116⤵PID:5380
-
C:\Users\Admin\AppData\Local\Temp\9D0B.tmp"C:\Users\Admin\AppData\Local\Temp\9D0B.tmp"117⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\9D69.tmp"C:\Users\Admin\AppData\Local\Temp\9D69.tmp"118⤵
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\9DB7.tmp"C:\Users\Admin\AppData\Local\Temp\9DB7.tmp"119⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\9E05.tmp"C:\Users\Admin\AppData\Local\Temp\9E05.tmp"120⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\9E53.tmp"C:\Users\Admin\AppData\Local\Temp\9E53.tmp"121⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\9EA1.tmp"C:\Users\Admin\AppData\Local\Temp\9EA1.tmp"122⤵PID:1412
-