Analysis
-
max time kernel
142s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20250619-en -
resource tags
arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system -
submitted
03/07/2025, 05:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2025-07-03_8513c8bd36e15e377ee949170eb60920_elex_mafia.exe
Resource
win10v2004-20250619-en
3 signatures
150 seconds
General
-
Target
2025-07-03_8513c8bd36e15e377ee949170eb60920_elex_mafia.exe
-
Size
520KB
-
MD5
8513c8bd36e15e377ee949170eb60920
-
SHA1
a8c3b0359929ebd26857ce087a36401c5afd18bb
-
SHA256
aa0b23d0607a0b592bb35a046cd9944151110ac8f87e0a9421dcb1f783e7bfaa
-
SHA512
06c53da02cfe72da34cb03beca44555886aeb0dd13255e6b252120afc45bdcd03120bca74305148cd5a2652e451301fa619da9d958c0198db6f42694676d9506
-
SSDEEP
12288:gj8fuxR21t5i8fLktlT0VzeC/x/797q1z3usr+aNZ:gj8fuK1GYwr41eC/xj97qlDN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2904 79B4.tmp 2108 7A31.tmp 1160 7ABE.tmp 1140 7B3B.tmp 1920 7BB8.tmp 4328 7C25.tmp 2024 7C92.tmp 2896 7CF0.tmp 4932 7D4E.tmp 1064 7DFA.tmp 3408 7E77.tmp 1648 7EE4.tmp 4816 7F52.tmp 3132 7FAF.tmp 624 7FFD.tmp 1680 805B.tmp 2156 80B9.tmp 2296 8117.tmp 4488 8194.tmp 1352 8201.tmp 1864 826E.tmp 2084 82BD.tmp 3096 831A.tmp 4424 8368.tmp 4472 83D6.tmp 3180 8453.tmp 3652 84D0.tmp 4256 854D.tmp 2864 859B.tmp 1524 8618.tmp 4308 8695.tmp 1772 86E3.tmp 3168 8731.tmp 4920 878F.tmp 2052 87DD.tmp 5040 882B.tmp 3032 8879.tmp 1572 88D7.tmp 3992 8925.tmp 4556 8973.tmp 64 89C1.tmp 3444 8A10.tmp 4832 8A5E.tmp 2004 8AAC.tmp 4712 8AFA.tmp 3216 8B48.tmp 3008 8B96.tmp 552 8C04.tmp 4808 8C61.tmp 4884 8CBF.tmp 4824 8D1D.tmp 2960 8D7B.tmp 3188 8DC9.tmp 1964 8E17.tmp 2976 8E75.tmp 2984 8ED2.tmp 3212 8F30.tmp 5016 8F8E.tmp 3704 8FDC.tmp 212 9049.tmp 4684 90A7.tmp 3896 9105.tmp 3228 9163.tmp 5080 91D0.tmp -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D1D7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7598.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C3EC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1151.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9A18.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AB7D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B13A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B7F1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9606.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 96A2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B7A7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C975.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8AFA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11ED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1289.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6B38.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 749E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7DFA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9C5F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C39E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28D0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A5D0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A393.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62EB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B793.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A0A5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A95F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61F1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6ADA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C658.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EDCB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EC0.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FBA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1B24.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1CDA.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8EDD.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9654.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9E24.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C94B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7CB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1930.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7DE5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B5DE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8D1D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C1D9.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4324 wrote to memory of 2904 4324 2025-07-03_8513c8bd36e15e377ee949170eb60920_elex_mafia.exe 86 PID 4324 wrote to memory of 2904 4324 2025-07-03_8513c8bd36e15e377ee949170eb60920_elex_mafia.exe 86 PID 4324 wrote to memory of 2904 4324 2025-07-03_8513c8bd36e15e377ee949170eb60920_elex_mafia.exe 86 PID 2904 wrote to memory of 2108 2904 79B4.tmp 87 PID 2904 wrote to memory of 2108 2904 79B4.tmp 87 PID 2904 wrote to memory of 2108 2904 79B4.tmp 87 PID 2108 wrote to memory of 1160 2108 7A31.tmp 90 PID 2108 wrote to memory of 1160 2108 7A31.tmp 90 PID 2108 wrote to memory of 1160 2108 7A31.tmp 90 PID 1160 wrote to memory of 1140 1160 7ABE.tmp 91 PID 1160 wrote to memory of 1140 1160 7ABE.tmp 91 PID 1160 wrote to memory of 1140 1160 7ABE.tmp 91 PID 1140 wrote to memory of 1920 1140 7B3B.tmp 93 PID 1140 wrote to memory of 1920 1140 7B3B.tmp 93 PID 1140 wrote to memory of 1920 1140 7B3B.tmp 93 PID 1920 wrote to memory of 4328 1920 7BB8.tmp 94 PID 1920 wrote to memory of 4328 1920 7BB8.tmp 94 PID 1920 wrote to memory of 4328 1920 7BB8.tmp 94 PID 4328 wrote to memory of 2024 4328 7C25.tmp 95 PID 4328 wrote to memory of 2024 4328 7C25.tmp 95 PID 4328 wrote to memory of 2024 4328 7C25.tmp 95 PID 2024 wrote to memory of 2896 2024 7C92.tmp 96 PID 2024 wrote to memory of 2896 2024 7C92.tmp 96 PID 2024 wrote to memory of 2896 2024 7C92.tmp 96 PID 2896 wrote to memory of 4932 2896 7CF0.tmp 97 PID 2896 wrote to memory of 4932 2896 7CF0.tmp 97 PID 2896 wrote to memory of 4932 2896 7CF0.tmp 97 PID 4932 wrote to memory of 1064 4932 7D4E.tmp 98 PID 4932 wrote to memory of 1064 4932 7D4E.tmp 98 PID 4932 wrote to memory of 1064 4932 7D4E.tmp 98 PID 1064 wrote to memory of 3408 1064 7DFA.tmp 99 PID 1064 wrote to memory of 3408 1064 7DFA.tmp 99 PID 1064 wrote to memory of 3408 1064 7DFA.tmp 99 PID 3408 wrote to memory of 1648 3408 7E77.tmp 101 PID 3408 wrote to memory of 1648 3408 7E77.tmp 101 PID 3408 wrote to memory of 1648 3408 7E77.tmp 101 PID 1648 wrote to memory of 4816 1648 7EE4.tmp 102 PID 1648 wrote to memory of 4816 1648 7EE4.tmp 102 PID 1648 wrote to memory of 4816 1648 7EE4.tmp 102 PID 4816 wrote to memory of 3132 4816 7F52.tmp 103 PID 4816 wrote to memory of 3132 4816 7F52.tmp 103 PID 4816 wrote to memory of 3132 4816 7F52.tmp 103 PID 3132 wrote to memory of 624 3132 7FAF.tmp 104 PID 3132 wrote to memory of 624 3132 7FAF.tmp 104 PID 3132 wrote to memory of 624 3132 7FAF.tmp 104 PID 624 wrote to memory of 1680 624 7FFD.tmp 105 PID 624 wrote to memory of 1680 624 7FFD.tmp 105 PID 624 wrote to memory of 1680 624 7FFD.tmp 105 PID 1680 wrote to memory of 2156 1680 805B.tmp 106 PID 1680 wrote to memory of 2156 1680 805B.tmp 106 PID 1680 wrote to memory of 2156 1680 805B.tmp 106 PID 2156 wrote to memory of 2296 2156 80B9.tmp 107 PID 2156 wrote to memory of 2296 2156 80B9.tmp 107 PID 2156 wrote to memory of 2296 2156 80B9.tmp 107 PID 2296 wrote to memory of 4488 2296 8117.tmp 108 PID 2296 wrote to memory of 4488 2296 8117.tmp 108 PID 2296 wrote to memory of 4488 2296 8117.tmp 108 PID 4488 wrote to memory of 1352 4488 8194.tmp 109 PID 4488 wrote to memory of 1352 4488 8194.tmp 109 PID 4488 wrote to memory of 1352 4488 8194.tmp 109 PID 1352 wrote to memory of 1864 1352 8201.tmp 110 PID 1352 wrote to memory of 1864 1352 8201.tmp 110 PID 1352 wrote to memory of 1864 1352 8201.tmp 110 PID 1864 wrote to memory of 2084 1864 826E.tmp 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_8513c8bd36e15e377ee949170eb60920_elex_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_8513c8bd36e15e377ee949170eb60920_elex_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Users\Admin\AppData\Local\Temp\79B4.tmp"C:\Users\Admin\AppData\Local\Temp\79B4.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\7A31.tmp"C:\Users\Admin\AppData\Local\Temp\7A31.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\7B3B.tmp"C:\Users\Admin\AppData\Local\Temp\7B3B.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\7C25.tmp"C:\Users\Admin\AppData\Local\Temp\7C25.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\7C92.tmp"C:\Users\Admin\AppData\Local\Temp\7C92.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\7D4E.tmp"C:\Users\Admin\AppData\Local\Temp\7D4E.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp"C:\Users\Admin\AppData\Local\Temp\7DFA.tmp"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\7E77.tmp"C:\Users\Admin\AppData\Local\Temp\7E77.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\7EE4.tmp"C:\Users\Admin\AppData\Local\Temp\7EE4.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\7F52.tmp"C:\Users\Admin\AppData\Local\Temp\7F52.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Users\Admin\AppData\Local\Temp\805B.tmp"C:\Users\Admin\AppData\Local\Temp\805B.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\80B9.tmp"C:\Users\Admin\AppData\Local\Temp\80B9.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\8117.tmp"C:\Users\Admin\AppData\Local\Temp\8117.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\8194.tmp"C:\Users\Admin\AppData\Local\Temp\8194.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\8201.tmp"C:\Users\Admin\AppData\Local\Temp\8201.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\826E.tmp"C:\Users\Admin\AppData\Local\Temp\826E.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\82BD.tmp"C:\Users\Admin\AppData\Local\Temp\82BD.tmp"23⤵
- Executes dropped EXE
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\831A.tmp"C:\Users\Admin\AppData\Local\Temp\831A.tmp"24⤵
- Executes dropped EXE
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\8368.tmp"C:\Users\Admin\AppData\Local\Temp\8368.tmp"25⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\83D6.tmp"C:\Users\Admin\AppData\Local\Temp\83D6.tmp"26⤵
- Executes dropped EXE
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\8453.tmp"C:\Users\Admin\AppData\Local\Temp\8453.tmp"27⤵
- Executes dropped EXE
PID:3180 -
C:\Users\Admin\AppData\Local\Temp\84D0.tmp"C:\Users\Admin\AppData\Local\Temp\84D0.tmp"28⤵
- Executes dropped EXE
PID:3652 -
C:\Users\Admin\AppData\Local\Temp\854D.tmp"C:\Users\Admin\AppData\Local\Temp\854D.tmp"29⤵
- Executes dropped EXE
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\859B.tmp"C:\Users\Admin\AppData\Local\Temp\859B.tmp"30⤵
- Executes dropped EXE
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\8618.tmp"C:\Users\Admin\AppData\Local\Temp\8618.tmp"31⤵
- Executes dropped EXE
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\8695.tmp"C:\Users\Admin\AppData\Local\Temp\8695.tmp"32⤵
- Executes dropped EXE
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\86E3.tmp"C:\Users\Admin\AppData\Local\Temp\86E3.tmp"33⤵
- Executes dropped EXE
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\8731.tmp"C:\Users\Admin\AppData\Local\Temp\8731.tmp"34⤵
- Executes dropped EXE
PID:3168 -
C:\Users\Admin\AppData\Local\Temp\878F.tmp"C:\Users\Admin\AppData\Local\Temp\878F.tmp"35⤵
- Executes dropped EXE
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\87DD.tmp"C:\Users\Admin\AppData\Local\Temp\87DD.tmp"36⤵
- Executes dropped EXE
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\882B.tmp"C:\Users\Admin\AppData\Local\Temp\882B.tmp"37⤵
- Executes dropped EXE
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\8879.tmp"C:\Users\Admin\AppData\Local\Temp\8879.tmp"38⤵
- Executes dropped EXE
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\88D7.tmp"C:\Users\Admin\AppData\Local\Temp\88D7.tmp"39⤵
- Executes dropped EXE
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\8925.tmp"C:\Users\Admin\AppData\Local\Temp\8925.tmp"40⤵
- Executes dropped EXE
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\8973.tmp"C:\Users\Admin\AppData\Local\Temp\8973.tmp"41⤵
- Executes dropped EXE
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\89C1.tmp"C:\Users\Admin\AppData\Local\Temp\89C1.tmp"42⤵
- Executes dropped EXE
PID:64 -
C:\Users\Admin\AppData\Local\Temp\8A10.tmp"C:\Users\Admin\AppData\Local\Temp\8A10.tmp"43⤵
- Executes dropped EXE
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"44⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\8AAC.tmp"C:\Users\Admin\AppData\Local\Temp\8AAC.tmp"45⤵
- Executes dropped EXE
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\8AFA.tmp"C:\Users\Admin\AppData\Local\Temp\8AFA.tmp"46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\8B48.tmp"C:\Users\Admin\AppData\Local\Temp\8B48.tmp"47⤵
- Executes dropped EXE
PID:3216 -
C:\Users\Admin\AppData\Local\Temp\8B96.tmp"C:\Users\Admin\AppData\Local\Temp\8B96.tmp"48⤵
- Executes dropped EXE
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\8C04.tmp"C:\Users\Admin\AppData\Local\Temp\8C04.tmp"49⤵
- Executes dropped EXE
PID:552 -
C:\Users\Admin\AppData\Local\Temp\8C61.tmp"C:\Users\Admin\AppData\Local\Temp\8C61.tmp"50⤵
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\8CBF.tmp"C:\Users\Admin\AppData\Local\Temp\8CBF.tmp"51⤵
- Executes dropped EXE
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\8D1D.tmp"C:\Users\Admin\AppData\Local\Temp\8D1D.tmp"52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\8D7B.tmp"C:\Users\Admin\AppData\Local\Temp\8D7B.tmp"53⤵
- Executes dropped EXE
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\8DC9.tmp"C:\Users\Admin\AppData\Local\Temp\8DC9.tmp"54⤵
- Executes dropped EXE
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\8E17.tmp"C:\Users\Admin\AppData\Local\Temp\8E17.tmp"55⤵
- Executes dropped EXE
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\8E75.tmp"C:\Users\Admin\AppData\Local\Temp\8E75.tmp"56⤵
- Executes dropped EXE
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"57⤵
- Executes dropped EXE
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\8F30.tmp"C:\Users\Admin\AppData\Local\Temp\8F30.tmp"58⤵
- Executes dropped EXE
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\8F8E.tmp"C:\Users\Admin\AppData\Local\Temp\8F8E.tmp"59⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\8FDC.tmp"C:\Users\Admin\AppData\Local\Temp\8FDC.tmp"60⤵
- Executes dropped EXE
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\9049.tmp"C:\Users\Admin\AppData\Local\Temp\9049.tmp"61⤵
- Executes dropped EXE
PID:212 -
C:\Users\Admin\AppData\Local\Temp\90A7.tmp"C:\Users\Admin\AppData\Local\Temp\90A7.tmp"62⤵
- Executes dropped EXE
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\9105.tmp"C:\Users\Admin\AppData\Local\Temp\9105.tmp"63⤵
- Executes dropped EXE
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\9163.tmp"C:\Users\Admin\AppData\Local\Temp\9163.tmp"64⤵
- Executes dropped EXE
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\91D0.tmp"C:\Users\Admin\AppData\Local\Temp\91D0.tmp"65⤵
- Executes dropped EXE
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\922E.tmp"C:\Users\Admin\AppData\Local\Temp\922E.tmp"66⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\928B.tmp"C:\Users\Admin\AppData\Local\Temp\928B.tmp"67⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\92DA.tmp"C:\Users\Admin\AppData\Local\Temp\92DA.tmp"68⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\9337.tmp"C:\Users\Admin\AppData\Local\Temp\9337.tmp"69⤵PID:376
-
C:\Users\Admin\AppData\Local\Temp\9385.tmp"C:\Users\Admin\AppData\Local\Temp\9385.tmp"70⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\93E3.tmp"C:\Users\Admin\AppData\Local\Temp\93E3.tmp"71⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\9441.tmp"C:\Users\Admin\AppData\Local\Temp\9441.tmp"72⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\949F.tmp"C:\Users\Admin\AppData\Local\Temp\949F.tmp"73⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\94FC.tmp"C:\Users\Admin\AppData\Local\Temp\94FC.tmp"74⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\954B.tmp"C:\Users\Admin\AppData\Local\Temp\954B.tmp"75⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\95A8.tmp"C:\Users\Admin\AppData\Local\Temp\95A8.tmp"76⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\9606.tmp"C:\Users\Admin\AppData\Local\Temp\9606.tmp"77⤵
- System Location Discovery: System Language Discovery
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\9654.tmp"C:\Users\Admin\AppData\Local\Temp\9654.tmp"78⤵
- System Location Discovery: System Language Discovery
PID:3236 -
C:\Users\Admin\AppData\Local\Temp\96A2.tmp"C:\Users\Admin\AppData\Local\Temp\96A2.tmp"79⤵
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\9700.tmp"C:\Users\Admin\AppData\Local\Temp\9700.tmp"80⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\975E.tmp"C:\Users\Admin\AppData\Local\Temp\975E.tmp"81⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\97BC.tmp"C:\Users\Admin\AppData\Local\Temp\97BC.tmp"82⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\9819.tmp"C:\Users\Admin\AppData\Local\Temp\9819.tmp"83⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\9877.tmp"C:\Users\Admin\AppData\Local\Temp\9877.tmp"84⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\98D5.tmp"C:\Users\Admin\AppData\Local\Temp\98D5.tmp"85⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\9933.tmp"C:\Users\Admin\AppData\Local\Temp\9933.tmp"86⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\9981.tmp"C:\Users\Admin\AppData\Local\Temp\9981.tmp"87⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\99CF.tmp"C:\Users\Admin\AppData\Local\Temp\99CF.tmp"88⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\9A2D.tmp"C:\Users\Admin\AppData\Local\Temp\9A2D.tmp"89⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\9A7B.tmp"C:\Users\Admin\AppData\Local\Temp\9A7B.tmp"90⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\9AC9.tmp"C:\Users\Admin\AppData\Local\Temp\9AC9.tmp"91⤵PID:3836
-
C:\Users\Admin\AppData\Local\Temp\9B17.tmp"C:\Users\Admin\AppData\Local\Temp\9B17.tmp"92⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\9B75.tmp"C:\Users\Admin\AppData\Local\Temp\9B75.tmp"93⤵PID:996
-
C:\Users\Admin\AppData\Local\Temp\9BC3.tmp"C:\Users\Admin\AppData\Local\Temp\9BC3.tmp"94⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\9C11.tmp"C:\Users\Admin\AppData\Local\Temp\9C11.tmp"95⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\9C5F.tmp"C:\Users\Admin\AppData\Local\Temp\9C5F.tmp"96⤵
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\9CBD.tmp"C:\Users\Admin\AppData\Local\Temp\9CBD.tmp"97⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\9D0B.tmp"C:\Users\Admin\AppData\Local\Temp\9D0B.tmp"98⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\9D69.tmp"C:\Users\Admin\AppData\Local\Temp\9D69.tmp"99⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\9DC6.tmp"C:\Users\Admin\AppData\Local\Temp\9DC6.tmp"100⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\9E24.tmp"C:\Users\Admin\AppData\Local\Temp\9E24.tmp"101⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\9E82.tmp"C:\Users\Admin\AppData\Local\Temp\9E82.tmp"102⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\9EE0.tmp"C:\Users\Admin\AppData\Local\Temp\9EE0.tmp"103⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\9F3D.tmp"C:\Users\Admin\AppData\Local\Temp\9F3D.tmp"104⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\9F9B.tmp"C:\Users\Admin\AppData\Local\Temp\9F9B.tmp"105⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\9FF9.tmp"C:\Users\Admin\AppData\Local\Temp\9FF9.tmp"106⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\A047.tmp"C:\Users\Admin\AppData\Local\Temp\A047.tmp"107⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\A0A5.tmp"C:\Users\Admin\AppData\Local\Temp\A0A5.tmp"108⤵
- System Location Discovery: System Language Discovery
PID:216 -
C:\Users\Admin\AppData\Local\Temp\A0F3.tmp"C:\Users\Admin\AppData\Local\Temp\A0F3.tmp"109⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\A141.tmp"C:\Users\Admin\AppData\Local\Temp\A141.tmp"110⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\A18F.tmp"C:\Users\Admin\AppData\Local\Temp\A18F.tmp"111⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\A1DD.tmp"C:\Users\Admin\AppData\Local\Temp\A1DD.tmp"112⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\A23B.tmp"C:\Users\Admin\AppData\Local\Temp\A23B.tmp"113⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\A289.tmp"C:\Users\Admin\AppData\Local\Temp\A289.tmp"114⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\A2E7.tmp"C:\Users\Admin\AppData\Local\Temp\A2E7.tmp"115⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\A335.tmp"C:\Users\Admin\AppData\Local\Temp\A335.tmp"116⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\A393.tmp"C:\Users\Admin\AppData\Local\Temp\A393.tmp"117⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\A3E1.tmp"C:\Users\Admin\AppData\Local\Temp\A3E1.tmp"118⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\A42F.tmp"C:\Users\Admin\AppData\Local\Temp\A42F.tmp"119⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\A47D.tmp"C:\Users\Admin\AppData\Local\Temp\A47D.tmp"120⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\A4CB.tmp"C:\Users\Admin\AppData\Local\Temp\A4CB.tmp"121⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\A519.tmp"C:\Users\Admin\AppData\Local\Temp\A519.tmp"122⤵PID:3100
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-