61d4734d321ba26666285675e32a4f5cdad28e14bb7451cf3a01b514ede95f8e

Analysis

max time kernel
168s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_bbd9d401126d69a7a018ab29480465e5_mafia.exe
Size

536KB
MD5

bbd9d401126d69a7a018ab29480465e5
SHA1

86e0b6b729ce84119bb8cf59c5e3c50c8a6aac59
SHA256

61d4734d321ba26666285675e32a4f5cdad28e14bb7451cf3a01b514ede95f8e
SHA512

04ae894eb7416a6ad4d08158413ae2a3bdf32feabf27d77fea2dcdd71a1be2457ee8654e9573d4334bfbe357079515f0932e508b61251f4ebc76c8a8fa9d506c
SSDEEP

12288:wU5rCOTeiUdV9G42tFjNiwf152dpiUnilJeH2ocIZxVJ0ZT9:wUQOJUVGfQw9AgzjeW1IRJ0ZT9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1696	E678.tmp
2560	E6F5.tmp
3060	318.tmp
3348	F944.tmp
3180	1316.tmp
5076	EAAE.tmp
3416	146D.tmp
4664	EBE6.tmp
2288	ECA2.tmp
1420	ED3E.tmp
4204	ED9C.tmp
3456	EE09.tmp
4864	EE86.tmp
4832	EEE4.tmp
4816	971.tmp
4136	svchost.exe
2372	F00D.tmp
3512	FEC3.tmp
5104	F174.tmp
3580	F201.tmp
3876	F25F.tmp
1228	F2FB.tmp
2236	F359.tmp
1508	F3E5.tmp
1432	F453.tmp
1864	F4B0.tmp
3568	F52D.tmp
4416	F5BA.tmp
4892	F666.tmp
2768	F6B4.tmp
3660	F731.tmp
4956	376.tmp
2576	F86A.tmp
1088	F8E7.tmp
3348	F944.tmp
1548	F9B2.tmp
4912	15E4.tmp
4144	73E.tmp
4240	FB19.tmp
1856	FC52.tmp
640	FCBF.tmp
3452	FD5B.tmp
1484	TrustedInstaller.exe
4008	FE65.tmp
3512	FEC3.tmp
2300	B84.tmp
4420	FF8E.tmp
3692	C8E.tmp
3504	D1A.tmp
652	EEF.tmp
3736	182.tmp
2544	23D.tmp
4124	2BA.tmp
3060	318.tmp
4956	376.tmp
3652	3F3.tmp
4432	460.tmp
4276	4ED.tmp
3900	56A.tmp
1632	1519.tmp
4912	15E4.tmp
4144	73E.tmp
4684	7CB.tmp
4496	848.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1696	1860	2024-01-06_bbd9d401126d69a7a018ab29480465e5_mafia.exe	87
PID 1860 wrote to memory of 1696	1860	2024-01-06_bbd9d401126d69a7a018ab29480465e5_mafia.exe	87
PID 1860 wrote to memory of 1696	1860	2024-01-06_bbd9d401126d69a7a018ab29480465e5_mafia.exe	87
PID 1696 wrote to memory of 2560	1696	E678.tmp	88
PID 1696 wrote to memory of 2560	1696	E678.tmp	88
PID 1696 wrote to memory of 2560	1696	E678.tmp	88
PID 2560 wrote to memory of 3060	2560	E6F5.tmp	138
PID 2560 wrote to memory of 3060	2560	E6F5.tmp	138
PID 2560 wrote to memory of 3060	2560	E6F5.tmp	138
PID 3060 wrote to memory of 3348	3060	318.tmp	109
PID 3060 wrote to memory of 3348	3060	318.tmp	109
PID 3060 wrote to memory of 3348	3060	318.tmp	109
PID 3348 wrote to memory of 3180	3348	F944.tmp	176
PID 3348 wrote to memory of 3180	3348	F944.tmp	176
PID 3348 wrote to memory of 3180	3348	F944.tmp	176
PID 3180 wrote to memory of 5076	3180	1316.tmp	183
PID 3180 wrote to memory of 5076	3180	1316.tmp	183
PID 3180 wrote to memory of 5076	3180	1316.tmp	183
PID 5076 wrote to memory of 3416	5076	EAAE.tmp	180
PID 5076 wrote to memory of 3416	5076	EAAE.tmp	180
PID 5076 wrote to memory of 3416	5076	EAAE.tmp	180
PID 3416 wrote to memory of 4664	3416	146D.tmp	182
PID 3416 wrote to memory of 4664	3416	146D.tmp	182
PID 3416 wrote to memory of 4664	3416	146D.tmp	182
PID 4664 wrote to memory of 2288	4664	EBE6.tmp	96
PID 4664 wrote to memory of 2288	4664	EBE6.tmp	96
PID 4664 wrote to memory of 2288	4664	EBE6.tmp	96
PID 2288 wrote to memory of 1420	2288	ECA2.tmp	181
PID 2288 wrote to memory of 1420	2288	ECA2.tmp	181
PID 2288 wrote to memory of 1420	2288	ECA2.tmp	181
PID 1420 wrote to memory of 4204	1420	ED3E.tmp	97
PID 1420 wrote to memory of 4204	1420	ED3E.tmp	97
PID 1420 wrote to memory of 4204	1420	ED3E.tmp	97
PID 4204 wrote to memory of 3456	4204	ED9C.tmp	179
PID 4204 wrote to memory of 3456	4204	ED9C.tmp	179
PID 4204 wrote to memory of 3456	4204	ED9C.tmp	179
PID 3456 wrote to memory of 4864	3456	EE09.tmp	175
PID 3456 wrote to memory of 4864	3456	EE09.tmp	175
PID 3456 wrote to memory of 4864	3456	EE09.tmp	175
PID 4864 wrote to memory of 4832	4864	EE86.tmp	172
PID 4864 wrote to memory of 4832	4864	EE86.tmp	172
PID 4864 wrote to memory of 4832	4864	EE86.tmp	172
PID 4832 wrote to memory of 4816	4832	EEE4.tmp	152
PID 4832 wrote to memory of 4816	4832	EEE4.tmp	152
PID 4832 wrote to memory of 4816	4832	EEE4.tmp	152
PID 4816 wrote to memory of 4136	4816	971.tmp	129
PID 4816 wrote to memory of 4136	4816	971.tmp	129
PID 4816 wrote to memory of 4136	4816	971.tmp	129
PID 4136 wrote to memory of 2372	4136	svchost.exe	100
PID 4136 wrote to memory of 2372	4136	svchost.exe	100
PID 4136 wrote to memory of 2372	4136	svchost.exe	100
PID 2372 wrote to memory of 3512	2372	F00D.tmp	128
PID 2372 wrote to memory of 3512	2372	F00D.tmp	128
PID 2372 wrote to memory of 3512	2372	F00D.tmp	128
PID 3512 wrote to memory of 5104	3512	FEC3.tmp	102
PID 3512 wrote to memory of 5104	3512	FEC3.tmp	102
PID 3512 wrote to memory of 5104	3512	FEC3.tmp	102
PID 5104 wrote to memory of 3580	5104	F174.tmp	158
PID 5104 wrote to memory of 3580	5104	F174.tmp	158
PID 5104 wrote to memory of 3580	5104	F174.tmp	158
PID 3580 wrote to memory of 3876	3580	F201.tmp	153
PID 3580 wrote to memory of 3876	3580	F201.tmp	153
PID 3580 wrote to memory of 3876	3580	F201.tmp	153
PID 3876 wrote to memory of 1228	3876	F25F.tmp	149

C:\Users\Admin\AppData\Local\Temp\2024-01-06_bbd9d401126d69a7a018ab29480465e5_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_bbd9d401126d69a7a018ab29480465e5_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\E678.tmp
  "C:\Users\Admin\AppData\Local\Temp\E678.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\E6F5.tmp
    "C:\Users\Admin\AppData\Local\Temp\E6F5.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\E7FE.tmp
      "C:\Users\Admin\AppData\Local\Temp\E7FE.tmp"
      4⤵
      PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\E8F8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E8F8.tmp"
        5⤵
        
        PID:3348
      - C:\Users\Admin\AppData\Local\Temp\EA21.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EA21.tmp"
        6⤵
        
        PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\376.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\376.tmp"
        5⤵
        Executes dropped EXE
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\3F3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3F3.tmp"
        6⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\460.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\460.tmp"
        7⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\4ED.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4ED.tmp"
        8⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\56A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\56A.tmp"
        9⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\5F6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5F6.tmp"
        10⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\6D1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6D1.tmp"
        11⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\73E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\73E.tmp"
        12⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\7CB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7CB.tmp"
        13⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\848.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\848.tmp"
        14⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\8F4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8F4.tmp"
        15⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\971.tmp"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\9FE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9FE.tmp"
        17⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\A7B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A7B.tmp"
        18⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\AF8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AF8.tmp"
        19⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\B84.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B84.tmp"
        20⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\BF2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BF2.tmp"
        21⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\C8E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C8E.tmp"
        22⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\D1A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D1A.tmp"
        23⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\D97.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D97.tmp"
        24⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\E24.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E24.tmp"
        25⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\E91.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E91.tmp"
        26⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\EEF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EEF.tmp"
        27⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\F5D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F5D.tmp"
        28⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\FCA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FCA.tmp"
        29⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\1057.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1057.tmp"
        30⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\10D4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\10D4.tmp"
        31⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\119F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\119F.tmp"
        32⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\120C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\120C.tmp"
        33⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\1316.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1316.tmp"
        34⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\1393.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1393.tmp"
        35⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\1400.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1400.tmp"
        36⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\146D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\146D.tmp"
        37⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\EBE6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EBE6.tmp"
        38⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\1519.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1519.tmp"
        38⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\15E4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\15E4.tmp"
        39⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\1633.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1633.tmp"
        40⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\16A0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\16A0.tmp"
        41⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\16FE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\16FE.tmp"
        42⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\177B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\177B.tmp"
        43⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\17D8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\17D8.tmp"
        44⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\1855.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1855.tmp"
        45⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\18E2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\18E2.tmp"
        46⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\1940.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1940.tmp"
        47⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\1A1B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1A1B.tmp"
        48⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\1A98.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1A98.tmp"
        49⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\1AF5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1AF5.tmp"
        50⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\1F99.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1F99.tmp"
        51⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\2006.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2006.tmp"
        52⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\2083.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2083.tmp"
        53⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\2110.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2110.tmp"
        54⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\21DB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\21DB.tmp"
        55⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\2239.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2239.tmp"
        56⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\2AD4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2AD4.tmp"
        57⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\317B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\317B.tmp"
        58⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\31F8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\31F8.tmp"
        59⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3285.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3285.tmp"
        60⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\3F75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3F75.tmp"
        61⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\4179.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4179.tmp"
        62⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\41C7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\41C7.tmp"
        63⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\4428.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4428.tmp"
        64⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\4486.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4486.tmp"
        65⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\45BE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\45BE.tmp"
        66⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\461C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\461C.tmp"
        67⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\468A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\468A.tmp"
        68⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\4716.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4716.tmp"
        69⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\4784.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4784.tmp"
        70⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\47F1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\47F1.tmp"
        71⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\485E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\485E.tmp"
        72⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\48BC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\48BC.tmp"
        73⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\491A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\491A.tmp"
        74⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\4987.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4987.tmp"
        75⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\4A04.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4A04.tmp"
        76⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\4A52.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4A52.tmp"
        77⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\4BBA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4BBA.tmp"
        78⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\4C66.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4C66.tmp"
        79⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\50CB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\50CB.tmp"
        80⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\51E4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\51E4.tmp"
        81⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\5261.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5261.tmp"
        82⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\52DE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\52DE.tmp"
        83⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\534B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\534B.tmp"
        84⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\53A9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\53A9.tmp"
        85⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\5426.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5426.tmp"
        86⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\5493.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5493.tmp"
        87⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\557E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\557E.tmp"
        88⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\55EB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\55EB.tmp"
        89⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\5658.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5658.tmp"
        90⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\56C6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\56C6.tmp"
        91⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\5724.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5724.tmp"
        92⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\6760.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6760.tmp"
        93⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\76A2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\76A2.tmp"
        94⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\7896.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7896.tmp"
        95⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\7FD9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7FD9.tmp"
        96⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\86AF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\86AF.tmp"
        97⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\8C2E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8C2E.tmp"
        98⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\9025.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9025.tmp"
        99⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\9F39.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9F39.tmp"
        100⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\A350.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A350.tmp"
        101⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\A61E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A61E.tmp"
        102⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\AAE1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AAE1.tmp"
        103⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\B438.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B438.tmp"
        104⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\BC46.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BC46.tmp"
        105⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\C6A6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C6A6.tmp"
        106⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\CF51.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CF51.tmp"
        107⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\D6B4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D6B4.tmp"
        108⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\DF01.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DF01.tmp"
        109⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\E683.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E683.tmp"
        110⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\EB36.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EB36.tmp"
        111⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\EEA1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EEA1.tmp"
        112⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\EFAA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EFAA.tmp"
        113⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\F085.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F085.tmp"
        114⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\F18F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F18F.tmp"
        115⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\F344.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F344.tmp"
        116⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\F43E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F43E.tmp"
        117⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\F548.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F548.tmp"
        118⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\F652.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F652.tmp"
        119⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\F884.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F884.tmp"
        120⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\F920.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F920.tmp"
        121⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\F9EB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F9EB.tmp"
        122⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\FAA7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FAA7.tmp"
        123⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\FBA1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FBA1.tmp"
        124⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\FC0E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FC0E.tmp"
        125⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\FC8B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FC8B.tmp"
        126⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\FD95.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FD95.tmp"
        127⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\FE70.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FE70.tmp"
        128⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\FF4A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FF4A.tmp"
        129⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\25.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\25.tmp"
        130⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\D1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D1.tmp"
        131⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\15E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\15E.tmp"
        132⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\1BB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1BB.tmp"
        133⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\287.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\287.tmp"
        134⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\2E4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2E4.tmp"
        135⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\361.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\361.tmp"
        136⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3DE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3DE.tmp"
        137⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\4B9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4B9.tmp"
        138⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\526.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\526.tmp"
        139⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\584.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\584.tmp"
        140⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\5F2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5F2.tmp"
        141⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\66F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\66F.tmp"
        142⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\29A6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\29A6.tmp"
        143⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\2A42.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2A42.tmp"
        144⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3E09.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3E09.tmp"
        145⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\48A8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\48A8.tmp"
        146⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\4A4E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4A4E.tmp"
        147⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\5828.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5828.tmp"
        148⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\5DF5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5DF5.tmp"
        149⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\6586.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6586.tmp"
        150⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\6FB8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6FB8.tmp"
        151⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\78DF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\78DF.tmp"
        152⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\8330.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8330.tmp"
        153⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\89C8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\89C8.tmp"
        154⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\8A93.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8A93.tmp"
        155⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\8AF0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8AF0.tmp"
        156⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\937C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\937C.tmp"
        157⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\93F9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\93F9.tmp"
        158⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\9476.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9476.tmp"
        159⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\94E3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\94E3.tmp"
        160⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\9551.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9551.tmp"
        161⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\95CE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\95CE.tmp"
        162⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\964B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\964B.tmp"
        163⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\96A8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\96A8.tmp"
        164⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\9725.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9725.tmp"
        165⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\9783.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9783.tmp"
        166⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\97E1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\97E1.tmp"
        167⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\985E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\985E.tmp"
        168⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\98BC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\98BC.tmp"
        169⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\9977.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9977.tmp"
        170⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\99C5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\99C5.tmp"
        171⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\9A23.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9A23.tmp"
        172⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\9A81.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9A81.tmp"
        173⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\9AFE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9AFE.tmp"
        174⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\9B6B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9B6B.tmp"
        175⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\9BF8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9BF8.tmp"
        176⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\9C75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9C75.tmp"
        177⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\9CF2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9CF2.tmp"
        178⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\9D5F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9D5F.tmp"
        179⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\9DDC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9DDC.tmp"
        180⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\9E4A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9E4A.tmp"
        181⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\9ED6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9ED6.tmp"
        182⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\9F44.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9F44.tmp"
        183⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\9FB1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9FB1.tmp"
        184⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\A04D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A04D.tmp"
        185⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\A0E9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A0E9.tmp"
        186⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\A147.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A147.tmp"
        187⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\A1B5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A1B5.tmp"
        188⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\A222.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A222.tmp"
        189⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\A280.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A280.tmp"
        190⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\A2ED.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A2ED.tmp"
        191⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\A35A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A35A.tmp"
        192⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\A426.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A426.tmp"
        193⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\A493.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A493.tmp"
        194⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\A500.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A500.tmp"
        195⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\A56E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A56E.tmp"
        196⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\A5DB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A5DB.tmp"
        197⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\A668.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A668.tmp"
        198⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\A6E5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A6E5.tmp"
        199⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\A752.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A752.tmp"
        200⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\A7EE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A7EE.tmp"
        201⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\A87B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A87B.tmp"
        202⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\A8F8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A8F8.tmp"
        203⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\A965.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A965.tmp"
        204⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\AA11.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AA11.tmp"
        205⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\AA7F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AA7F.tmp"
        206⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\AAEC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AAEC.tmp"
        207⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\AB79.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AB79.tmp"
        208⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\ABE6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ABE6.tmp"
        209⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\AC53.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AC53.tmp"
        210⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\ACA1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ACA1.tmp"
        211⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\ACFF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ACFF.tmp"
        212⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\AD5D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AD5D.tmp"
        213⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\ADDA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ADDA.tmp"
        214⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\AF12.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AF12.tmp"
        215⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\AF80.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AF80.tmp"
        216⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\AFCE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AFCE.tmp"
        217⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\B05B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B05B.tmp"
        218⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\B0C8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B0C8.tmp"
        219⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\B126.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B126.tmp"
        220⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\B183.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B183.tmp"
        221⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\B210.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B210.tmp"
        222⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\B27D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B27D.tmp"
        223⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\B30A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B30A.tmp"
        224⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\B3A6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B3A6.tmp"
        225⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\B414.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B414.tmp"
        226⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\B471.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B471.tmp"
        227⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\B4DF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B4DF.tmp"
        228⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\B56B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B56B.tmp"
        229⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\B5D9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B5D9.tmp"
        230⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\B656.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B656.tmp"
        231⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\B6D3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B6D3.tmp"
        232⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\B750.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B750.tmp"
        233⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\B7BD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B7BD.tmp"
        234⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\B81B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B81B.tmp"
        235⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\B888.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B888.tmp"
        236⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\B8F6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B8F6.tmp"
        237⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\B953.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B953.tmp"
        238⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\B9C1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B9C1.tmp"
        239⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\BA1F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BA1F.tmp"
        240⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\BA8C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BA8C.tmp"
        241⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\BAF9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BAF9.tmp"
        242⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\BB57.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BB57.tmp"
        243⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\BBB5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BBB5.tmp"
        244⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\BC13.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BC13.tmp"
        245⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\BC70.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BC70.tmp"
        246⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\BCDE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BCDE.tmp"
        247⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\BD99.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BD99.tmp"
        248⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\BE07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BE07.tmp"
        249⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\BE64.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BE64.tmp"
        250⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\BED2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BED2.tmp"
        251⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\BF4F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BF4F.tmp"
        252⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\BFAC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BFAC.tmp"
        253⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\C00A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C00A.tmp"
        254⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\C068.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C068.tmp"
        255⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\C0B6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C0B6.tmp"
        256⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\C114.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C114.tmp"
        257⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\C162.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C162.tmp"
        258⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\C1CF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C1CF.tmp"
        259⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\C23D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C23D.tmp"
        260⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\C28B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C28B.tmp"
        261⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\C346.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C346.tmp"
        262⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\CEA1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CEA1.tmp"
        263⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\CEFE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CEFE.tmp"
        264⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\CF4C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CF4C.tmp"
        265⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\CFAA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CFAA.tmp"
        266⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\D008.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D008.tmp"
        267⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\D075.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D075.tmp"
        268⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\D0C3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D0C3.tmp"
        269⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\D121.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D121.tmp"
        270⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\D18F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D18F.tmp"
        271⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\D1EC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D1EC.tmp"
        272⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\D24A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D24A.tmp"
        273⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\EF29.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EF29.tmp"
        274⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\FD32.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FD32.tmp"
        275⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\B9A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B9A.tmp"
        276⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\D8E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D8E.tmp"
        277⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\136A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\136A.tmp"
        278⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\1A11.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1A11.tmp"
        279⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\1C44.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1C44.tmp"
        280⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\23E5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\23E5.tmp"
        281⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\EAAE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EAAE.tmp"
        35⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076

C:\Users\Admin\AppData\Local\Temp\EB2B.tmp
"C:\Users\Admin\AppData\Local\Temp\EB2B.tmp"
1⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\ECA2.tmp
"C:\Users\Admin\AppData\Local\Temp\ECA2.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\ED3E.tmp
  "C:\Users\Admin\AppData\Local\Temp\ED3E.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1420

C:\Users\Admin\AppData\Local\Temp\ED9C.tmp
"C:\Users\Admin\AppData\Local\Temp\ED9C.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\EE09.tmp
  "C:\Users\Admin\AppData\Local\Temp\EE09.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3456

C:\Users\Admin\AppData\Local\Temp\EF42.tmp
"C:\Users\Admin\AppData\Local\Temp\EF42.tmp"
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\EFBF.tmp
  "C:\Users\Admin\AppData\Local\Temp\EFBF.tmp"
  2⤵
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\F00D.tmp
    "C:\Users\Admin\AppData\Local\Temp\F00D.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\F06B.tmp
      "C:\Users\Admin\AppData\Local\Temp\F06B.tmp"
      4⤵
      PID:3512
    - - C:\Users\Admin\AppData\Local\Temp\F174.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F174.tmp"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Temp\F201.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F201.tmp"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\FF20.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FF20.tmp"
        5⤵
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\FF8E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FF8E.tmp"
        6⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\FFEB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FFEB.tmp"
        7⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\49.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\49.tmp"
        8⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\114.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\114.tmp"
        9⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\182.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\182.tmp"
        10⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\23D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\23D.tmp"
        11⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2BA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2BA.tmp"
        12⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\318.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\318.tmp"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3060

C:\Users\Admin\AppData\Local\Temp\F52D.tmp
"C:\Users\Admin\AppData\Local\Temp\F52D.tmp"
1⤵
- Executes dropped EXE
PID:3568
- C:\Users\Admin\AppData\Local\Temp\F5BA.tmp
  "C:\Users\Admin\AppData\Local\Temp\F5BA.tmp"
  2⤵
  - Executes dropped EXE
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\F666.tmp
    "C:\Users\Admin\AppData\Local\Temp\F666.tmp"
    3⤵
    - Executes dropped EXE
    PID:4892

C:\Users\Admin\AppData\Local\Temp\F731.tmp
"C:\Users\Admin\AppData\Local\Temp\F731.tmp"
1⤵
- Executes dropped EXE
PID:3660
- C:\Users\Admin\AppData\Local\Temp\F7FC.tmp
  "C:\Users\Admin\AppData\Local\Temp\F7FC.tmp"
  2⤵
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\F86A.tmp
    "C:\Users\Admin\AppData\Local\Temp\F86A.tmp"
    3⤵
    - Executes dropped EXE
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\F8E7.tmp
      "C:\Users\Admin\AppData\Local\Temp\F8E7.tmp"
      4⤵
      Executes dropped EXE
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\F944.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F944.tmp"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Users\Admin\AppData\Local\Temp\F9B2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F9B2.tmp"
        6⤵
        Executes dropped EXE
        
        PID:1548

C:\Users\Admin\AppData\Local\Temp\FA2F.tmp
"C:\Users\Admin\AppData\Local\Temp\FA2F.tmp"
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\FA9C.tmp
  "C:\Users\Admin\AppData\Local\Temp\FA9C.tmp"
  2⤵
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\FB19.tmp
    "C:\Users\Admin\AppData\Local\Temp\FB19.tmp"
    3⤵
    - Executes dropped EXE
    PID:4240

C:\Users\Admin\AppData\Local\Temp\F6B4.tmp
"C:\Users\Admin\AppData\Local\Temp\F6B4.tmp"
1⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\AppData\Local\Temp\FC52.tmp
"C:\Users\Admin\AppData\Local\Temp\FC52.tmp"
1⤵
- Executes dropped EXE
PID:1856
- C:\Users\Admin\AppData\Local\Temp\FCBF.tmp
  "C:\Users\Admin\AppData\Local\Temp\FCBF.tmp"
  2⤵
  - Executes dropped EXE
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\FD5B.tmp
    "C:\Users\Admin\AppData\Local\Temp\FD5B.tmp"
    3⤵
    - Executes dropped EXE
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\FDF7.tmp
      "C:\Users\Admin\AppData\Local\Temp\FDF7.tmp"
      4⤵
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\FE65.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FE65.tmp"
        5⤵
        Executes dropped EXE
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\FEC3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FEC3.tmp"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136

C:\Users\Admin\AppData\Local\Temp\F4B0.tmp
"C:\Users\Admin\AppData\Local\Temp\F4B0.tmp"
1⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Local\Temp\F453.tmp
"C:\Users\Admin\AppData\Local\Temp\F453.tmp"
1⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Temp\F3E5.tmp
"C:\Users\Admin\AppData\Local\Temp\F3E5.tmp"
1⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Local\Temp\F359.tmp
"C:\Users\Admin\AppData\Local\Temp\F359.tmp"
1⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\AppData\Local\Temp\F2FB.tmp
"C:\Users\Admin\AppData\Local\Temp\F2FB.tmp"
1⤵
- Executes dropped EXE
PID:1228

C:\Users\Admin\AppData\Local\Temp\F25F.tmp
"C:\Users\Admin\AppData\Local\Temp\F25F.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\Temp\EEE4.tmp
"C:\Users\Admin\AppData\Local\Temp\EEE4.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\EE86.tmp
"C:\Users\Admin\AppData\Local\Temp\EE86.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2052

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4888

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2784

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E678.tmp

Filesize
536KB

MD5
0bf2990d0c0ef32715e72ad0c76f5c42

SHA1
f2c5d2ce480c0c1e85d44fb0c33d168896b1bc3c

SHA256
0a81c2b03435ba16a291f957dd7750904b34d6b2b1557054a764f47a3a23c1a7

SHA512
56b398baa6b0f38990801379ada67b8971450037c4a8fdf32804e6572211dd551fcaca53bc438ef8c9388c014e282acb9346406be24a01575812bc889669d565

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6F5.tmp

Filesize
536KB

MD5
51f4e5d833768597d3352637eb2dcdbc

SHA1
0694cb5bb25c2023c7568fecb3733890118b4f97

SHA256
36840adcec8ac5bc3b96e78ed82bfc91054e19a9d2f9c2baa4b4aee222eb2c06

SHA512
f819beaee8f0015e05b079675512384088edd170c810ec2ea7ee7de7b6f5ea14f48eb3353cb8b0700cb9508f8ce283bf72bf5201c15d0007ffc33ee020f5fc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7FE.tmp

Filesize
536KB

MD5
913a9276f5a7647373251bc6fac00590

SHA1
2241c00d1c10249a825310b251efd042796ef342

SHA256
25f8f9b889da924613691adf36bec4358d46b570c147a9db81129c422c681ede

SHA512
530a0241746af4aae213938fb900633e4990ff638ecdf5d03c40a6411602973cebaa98ffcaaa2ddd9fd16df2860630db587ae4cb6eaad39c79de0222d2fa5dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8F8.tmp

Filesize
536KB

MD5
ddd1ec8cd295b0f561b923c26eee6f9c

SHA1
5c19998e645b5a6ce726f7e129ea5b1e28bcb79b

SHA256
d0b690a8f0913aabe3c25d7defd0730c3b8d4ca48b7fa801bb8f8557bf72cb81

SHA512
16b593dc8e5a0e94b946628ff22b963987ece773e216ef5ce24015bce3e8368ea43a8448b0e0d9589dbb90ed211e508d55759dd34d56287d64c0b0c69e42733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA21.tmp

Filesize
536KB

MD5
2541fdde411b5a299237597b6c53dd1e

SHA1
af664860cf5b48b32df25fe857f633048f8f3510

SHA256
439375b33680cb69d3ebc49c366b9168bb6e12f1b464a67b6523bbd43efed4f1

SHA512
92e973d341fb08fe26a27d1c9bd1363528f5c85c2981d878b1f71a8c7372124db111a8a602a17f63927d7496a2af422bcb85faae748ec84f9c6534a11de57c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAAE.tmp

Filesize
93KB

MD5
b749a48e4278087c63ea6c960987f6a8

SHA1
499a43d13a94a5ce46e73e210e221cbfb09a63af

SHA256
4332abff8326c234b8a3bcb582e28222ffc0d9c046296c7ceb364c494d9f4a91

SHA512
5540e69ffbb9daedafc15696ad985902ba42336d8d8dc76809d2f24b56c99052d1cbc99539a036653de11512aa2e688df1d4e69717063b357c03e4bf8cd67fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB2B.tmp

Filesize
536KB

MD5
90f9c6644a646b78214190e30e0888bf

SHA1
d55cbc693580f143b4579382c21e55d3095dae2c

SHA256
0bf89c53ade4b79243d2bdb02acfe5d74ef5ef598ed01479adc8a7fbaaf75afd

SHA512
a4ec9f652445d87e0da5ad50a8eb4460f8a63b70fef887352c253337de676795f47069346b24a72cd46c47d5988bc0e9b7e790acedc4d8e62a0919a8aa33d1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBE6.tmp

Filesize
536KB

MD5
a6c44e77e569926ebd33b7c07efce306

SHA1
4f0035759739ad14aef1497afc2e7b9fd013c9cc

SHA256
d55dd2ef60f4d769cb6b912f3fb7b900f552e99f16aed30d919ee517c7a683f6

SHA512
5a2318cad25aa0decf7917f6cb8158ca489f94ca2eeadfd424880a022be1262daa08cb86da1510ed16cde53e7769e7e20164806df24779e731ea7df757afa023

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECA2.tmp

Filesize
536KB

MD5
35d2b1ce9813b8009234ff037a211fcc

SHA1
6d7a06237c3ee88780141fe5b1bbac8d17858e38

SHA256
1e80040ecc46e5b0a40953a0836a8c9b217d965f7e36e6113f4dfc51457d8ab7

SHA512
f92edc4034c13797b8a21055104885f8910c65e26ace5765076c7d67ba1fe633da4d91356cba631ea23390efa32db5b021d84b6eb021fb608150feb093967162

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED3E.tmp

Filesize
536KB

MD5
eacb9ced0852580134c6b775b91d13ad

SHA1
28cb39dc4a5762018f25c32bfb7abe528c27c013

SHA256
42556d67e34248d6d2ebb8f6c7946c578d4ea70021232fb00688144129d9a113

SHA512
04768851ae277c18cd4abd95bed9bfd9ebcaf8dd79b11a7788d0a4c67acfec7ac8d4cd084670b56b21a8d81b88d641b2dfc52832018c36930a0b14c1b47ef90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED9C.tmp

Filesize
92KB

MD5
07c92774a0006188b5505c7dda939026

SHA1
1afac4bfa2a6a84922b23de50ad17637262bd497

SHA256
e9167cda2584b338f3a59a7c5b5e3590bb17baa1d904e447f29e2c89db5c407b

SHA512
c4507ce74c05a04e9b302fdd24ba4e22f3dbfaa801b36c54ba721ed5984e627396590b467e2112b0337373d804a8d02967391c9f409ea2e3859dd5d788b46c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED9C.tmp

Filesize
536KB

MD5
e96e6619d39dcb94a261cdba4f7947c1

SHA1
27d323e831f98ef4e498b9894f21f396a21f9e90

SHA256
757a8a637404c4a2e47b2131a492f8933f3cd2d6cb6d90118b928adc0066a3e2

SHA512
26fd2f86cc6d1c45847a2299e31f176d5df95c5f331ed4f551a25d8cc3eeb2923ee783430063b20585bb43386b3b3f214666b48fc4aac5f989f75b26022cedfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE09.tmp

Filesize
536KB

MD5
9fedbc9486b6aa84d490fc9735d5f971

SHA1
38cc249a1f14e8dd14f6abe448d52f86b3e53c88

SHA256
2fe6cdc793da2491a59fd6be202fb72f43f51cf43ac21e1c433ba33d6cef7a86

SHA512
e0c25220fc2f2611eaa870f8c90fd160e5329f28735b1306694005b47b6084f2da438515a6beeccdb7c028c4d72390de8fdc983f51c3ac8b3ae51e533c004dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE86.tmp

Filesize
536KB

MD5
ace37ef0f9daef381511878f0d60ac8e

SHA1
a806ec82400a923bd23a0864c8a1fbf89fc92fa7

SHA256
f80946eda29966de873e83a48f75bce74dbe49b81d5d24450ca593d820e52f95

SHA512
1073008b814e29443d35b68dadcda95aa3d0b9e5dfc8216e1f3a93e5da31443e1e086c5f812400bbd8c07b49145d2847f4a8a4fac20c55caae6dad8c2589d10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEE4.tmp

Filesize
536KB

MD5
5baa67bd31801ab3c1df47ac95989d5f

SHA1
5dbe33498bbde04fc76cccbff192cd4ffddb4226

SHA256
4f355bc6757f1e8f926995846877baa1b29a1c0383608fecc23e79ff4a8f5e76

SHA512
f425e8ab368a270012fe2914a7ea08c2b5bfb95cf207d11308a03ec0244da796c07d10c880f6f4ac56c92fbae0ac4eba7c16532192720d75945b61a0faefc4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF42.tmp

Filesize
536KB

MD5
800be995844eeeb00b78a3cab1a6de6d

SHA1
851c67070c8b59caeb7bd1b25fea56835b8b4eaa

SHA256
e7128a80bcdde5d3f4ef2d3c6d4ca8f41fff112ffb09bfd73d46332366fbcc0d

SHA512
2b3750561069908a061065d47a693e806e0a6dc98aa61bbad54cd65b4b4555c4272d589ad5ff3097812892ea716196477acba393c98e96b12aa408c9493f8c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFBF.tmp

Filesize
536KB

MD5
d7e6393fe7c3978ad792c319eaeb2fb8

SHA1
08e962ed2d389c62665332d9a6ccb45f6236e8ae

SHA256
291c28fa13b8173ddf1aa5d0fecb5f31d6ec20e50afd4992f33c78bad6f49825

SHA512
3db40ed683d83d6eee91134111ae3a380f75bb814f0d63e4048f5cced392387e38e8a5344bfe9d3153593072b0209b00d019b373454c4fdb6a8f326f0e67dd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\F06B.tmp

Filesize
536KB

MD5
69be7e210bb59edf7841a176eff39515

SHA1
c8224ffe0e3dd42a879356f5fa21cdc713fb1cea

SHA256
7f7dc622e4f3c0f99d7b0a9550ebd977b50210ab672d629112a4aae546109c4a

SHA512
99acde00798fc0867350a524b1f14b36b43384614d36d4f0375d02bf74f19cb8dbb4d7aa04daef82852ee29229d28a15a1d7a126ca2f37cae982fc9e58c4bef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F174.tmp

Filesize
536KB

MD5
c0ffd556bd272a1ddf541c2e72a1afff

SHA1
4acf4b1e7e69d4319b689717dfb1e780fc5e316b

SHA256
70c12c85d50702514f1f8a9302ebdd13f1d2bf2dca5c0a7a4a1e785c94385fe8

SHA512
ad2e4b44cbe1dd7348b89600a438307fe8fcd7f3639fb26fcba36d69d03a980b66bb2cc24edf15ce9adc4fa5b414fee4def7089cc1d836289fe64c6ef63fbe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F201.tmp

Filesize
536KB

MD5
8800aa2638178768bb89bd5ed8dc292d

SHA1
8d1e716f2f1420a2fd4a06eaee737eb3911a56a4

SHA256
e21254915d47b113403f9b3b4c508ce1dd09608e713ce48cf163cb0ec5da3352

SHA512
171c274efd43b526e3d1d8fbb30455bbf2f5230307b6f04fed5b2a6faa5f61337d8b51cab2bf5e7cc390b508c6f63b833da8172c613697bfa6725b08995cad35

Download Submit
C:\Users\Admin\AppData\Local\Temp\F25F.tmp

Filesize
536KB

MD5
9b395e18e67b1f4a87ec78de56dfa21d

SHA1
27a3ff317fc67a499f06dc466ed8b5ee1e212611

SHA256
c5b307e91fecb0893f4b660039afc07ba13a32c600b50463c2a1e861b671f22c

SHA512
5ac7505647ff7aa89f23d3f2f1e91bcc096a48a3ea93b0a8b630e1fa72cd326afec8ad8ff8ae2348953b19d0ff0deb37f0c314e07af94db5fe4bbce74ea8b7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2FB.tmp

Filesize
536KB

MD5
fbda0fd6e8c66aea90b88dcca5bcf99d

SHA1
8498d1f9857c0800ce0cbca720376a3bca1b632f

SHA256
7c3c2045375fc0eb876c55570c33e42a6ad5a64f47407863c92deeef3f275f6e

SHA512
5400958576403e3c05c70fbd7d9c41c66cc691d2153898feda2a0403b530e4a68fb15dc84987143fa50ab81c07d49b346c9077e89c02b368d6a886adb2066030

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3E5.tmp

Filesize
94KB

MD5
9499d45fdf082ecff6685ee0e19d02c7

SHA1
9e14e889f40e7231481218bca83e843085492cdf

SHA256
0115e73cea44a950c236d6f629dc3d3a07bef8902f60fd3169bc876c435d7872

SHA512
5284c2f35a441c72b21fb40f9f098212d6d4a62cce22db676ca9f3ad46118c51c0ded26184c778f6f8a0924825b2bf30ce5eb0b4bdf7ecf27cf897b8fc7ddfd8

Download Submit
memory/1228-132-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/1228-137-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/1420-65-0x0000000000240000-0x00000000002CC000-memory.dmp

Filesize
560KB

Download
memory/1420-60-0x0000000000240000-0x00000000002CC000-memory.dmp

Filesize
560KB

Download
memory/1432-156-0x0000000000E50000-0x0000000000EDC000-memory.dmp

Filesize
560KB

Download
memory/1432-150-0x0000000000E50000-0x0000000000EDC000-memory.dmp

Filesize
560KB

Download
memory/1508-142-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/1508-148-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/1696-12-0x0000000000F00000-0x0000000000F8C000-memory.dmp

Filesize
560KB

Download
memory/1696-5-0x0000000000F00000-0x0000000000F8C000-memory.dmp

Filesize
560KB

Download
memory/1860-0-0x00000000000B0000-0x000000000013C000-memory.dmp

Filesize
560KB

Download
memory/1860-6-0x00000000000B0000-0x000000000013C000-memory.dmp

Filesize
560KB

Download
memory/1864-160-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1864-155-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/2236-144-0x0000000000920000-0x00000000009AC000-memory.dmp

Filesize
560KB

Download
memory/2236-138-0x0000000000920000-0x00000000009AC000-memory.dmp

Filesize
560KB

Download
memory/2288-53-0x0000000000F20000-0x0000000000FAC000-memory.dmp

Filesize
560KB

Download
memory/2288-58-0x0000000000F20000-0x0000000000FAC000-memory.dmp

Filesize
560KB

Download
memory/2372-107-0x0000000000590000-0x000000000061C000-memory.dmp

Filesize
560KB

Download
memory/2372-102-0x0000000000590000-0x000000000061C000-memory.dmp

Filesize
560KB

Download
memory/2560-17-0x0000000000BF0000-0x0000000000C7C000-memory.dmp

Filesize
560KB

Download
memory/2560-11-0x0000000000BF0000-0x0000000000C7C000-memory.dmp

Filesize
560KB

Download
memory/2768-180-0x00000000006E0000-0x000000000076C000-memory.dmp

Filesize
560KB

Download
memory/2768-186-0x00000000006E0000-0x000000000076C000-memory.dmp

Filesize
560KB

Download
memory/3060-18-0x0000000000F50000-0x0000000000FDC000-memory.dmp

Filesize
560KB

Download
memory/3060-23-0x0000000000F50000-0x0000000000FDC000-memory.dmp

Filesize
560KB

Download
memory/3180-30-0x0000000000E80000-0x0000000000F0C000-memory.dmp

Filesize
560KB

Download
memory/3180-35-0x0000000000E80000-0x0000000000F0C000-memory.dmp

Filesize
560KB

Download
memory/3348-29-0x0000000000C80000-0x0000000000D0C000-memory.dmp

Filesize
560KB

Download
memory/3348-24-0x0000000000C80000-0x0000000000D0C000-memory.dmp

Filesize
560KB

Download
memory/3416-48-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/3416-42-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/3456-71-0x0000000000650000-0x00000000006DC000-memory.dmp

Filesize
560KB

Download
memory/3456-77-0x0000000000650000-0x00000000006DC000-memory.dmp

Filesize
560KB

Download
memory/3512-108-0x0000000000D90000-0x0000000000E1C000-memory.dmp

Filesize
560KB

Download
memory/3512-113-0x0000000000D90000-0x0000000000E1C000-memory.dmp

Filesize
560KB

Download
memory/3568-168-0x0000000000230000-0x00000000002BC000-memory.dmp

Filesize
560KB

Download
memory/3568-162-0x0000000000230000-0x00000000002BC000-memory.dmp

Filesize
560KB

Download
memory/3580-120-0x00000000004F0000-0x000000000057C000-memory.dmp

Filesize
560KB

Download
memory/3580-125-0x00000000004F0000-0x000000000057C000-memory.dmp

Filesize
560KB

Download
memory/3660-185-0x0000000000E00000-0x0000000000E8C000-memory.dmp

Filesize
560KB

Download
memory/3660-191-0x0000000000E00000-0x0000000000E8C000-memory.dmp

Filesize
560KB

Download
memory/3876-131-0x0000000000FC0000-0x000000000104C000-memory.dmp

Filesize
560KB

Download
memory/3876-126-0x0000000000FC0000-0x000000000104C000-memory.dmp

Filesize
560KB

Download
memory/4136-101-0x0000000000810000-0x000000000089C000-memory.dmp

Filesize
560KB

Download
memory/4136-96-0x0000000000810000-0x000000000089C000-memory.dmp

Filesize
560KB

Download
memory/4204-66-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/4204-72-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/4416-173-0x0000000000850000-0x00000000008DC000-memory.dmp

Filesize
560KB

Download
memory/4416-167-0x0000000000850000-0x00000000008DC000-memory.dmp

Filesize
560KB

Download
memory/4664-47-0x0000000000210000-0x000000000029C000-memory.dmp

Filesize
560KB

Download
memory/4664-54-0x0000000000210000-0x000000000029C000-memory.dmp

Filesize
560KB

Download
memory/4816-89-0x0000000000DD0000-0x0000000000E5C000-memory.dmp

Filesize
560KB

Download
memory/4816-95-0x0000000000DD0000-0x0000000000E5C000-memory.dmp

Filesize
560KB

Download
memory/4832-84-0x00000000004C0000-0x000000000054C000-memory.dmp

Filesize
560KB

Download
memory/4832-90-0x00000000004C0000-0x000000000054C000-memory.dmp

Filesize
560KB

Download
memory/4864-78-0x0000000000D70000-0x0000000000DFC000-memory.dmp

Filesize
560KB

Download
memory/4864-83-0x0000000000D70000-0x0000000000DFC000-memory.dmp

Filesize
560KB

Download
memory/4892-179-0x0000000000B80000-0x0000000000C0C000-memory.dmp

Filesize
560KB

Download
memory/4892-174-0x0000000000B80000-0x0000000000C0C000-memory.dmp

Filesize
560KB

Download
memory/5076-39-0x0000000000BB0000-0x0000000000C3C000-memory.dmp

Filesize
560KB

Download
memory/5076-36-0x0000000000BB0000-0x0000000000C3C000-memory.dmp

Filesize
560KB

Download
memory/5104-119-0x0000000000F10000-0x0000000000F9C000-memory.dmp

Filesize
560KB

Download
memory/5104-114-0x0000000000F10000-0x0000000000F9C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads