Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2024 09:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe
Resource
win7-20240221-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe
-
Size
529KB
-
MD5
510e80b302a13b6d601274ee238d7b2b
-
SHA1
0f3d7379cddc66dba622ce9590108375bccaff5a
-
SHA256
56e6b37024008073df0c1b24d452438eabae865055e8c741dee3a9dba1984f17
-
SHA512
72822e4f116cc29b99b5dd5f9b573f57902de81a09d1cc73ff62f8509d12ba9504c3d505ba269a9d4a0e2829f8dd0730befaa8193b16de8c06199fb12224f1b5
-
SSDEEP
12288:NU5rCOTeijdzNkqYCXA5Lsa7GIHxWCt+042UyrAR+W9TZwlH4Hp:NUQOJj5l/Q5R57g042dW9TSlH4Hp
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2532 4F1A.tmp 2920 4FA6.tmp 4892 5062.tmp 5028 50EF.tmp 2624 5321.tmp 4248 539E.tmp 936 543A.tmp 4040 54B7.tmp 4780 5544.tmp 4756 55C1.tmp 5056 565D.tmp 2472 56F9.tmp 3132 5767.tmp 3044 5803.tmp 4064 589F.tmp 4616 591C.tmp 4888 598A.tmp 2608 59F7.tmp 4448 5A74.tmp 2604 5AD2.tmp 2784 5B3F.tmp 5084 5BAD.tmp 5036 5C2A.tmp 2376 5CB6.tmp 3268 5D33.tmp 1684 5DB0.tmp 2724 5E0E.tmp 2460 5EBA.tmp 1776 5F46.tmp 2100 5FA4.tmp 1680 6040.tmp 1488 60CD.tmp 3984 612B.tmp 4276 6198.tmp 4944 61F6.tmp 2324 6244.tmp 2500 62B1.tmp 4428 6300.tmp 644 636D.tmp 3064 63CB.tmp 3912 6438.tmp 2252 64A5.tmp 2548 6513.tmp 4240 6571.tmp 8 65BF.tmp 4972 661C.tmp 2716 666B.tmp 1868 66C8.tmp 4156 6726.tmp 3644 6793.tmp 4828 67F1.tmp 1420 683F.tmp 3924 68AD.tmp 2608 691A.tmp 2268 6968.tmp 4832 69C6.tmp 5116 6A24.tmp 4844 6A81.tmp 3548 6AEF.tmp 1644 6B4D.tmp 1044 6BCA.tmp 512 6C27.tmp 2652 6C95.tmp 2164 6CF2.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2976 wrote to memory of 2532 2976 2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe 88 PID 2976 wrote to memory of 2532 2976 2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe 88 PID 2976 wrote to memory of 2532 2976 2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe 88 PID 2532 wrote to memory of 2920 2532 4F1A.tmp 89 PID 2532 wrote to memory of 2920 2532 4F1A.tmp 89 PID 2532 wrote to memory of 2920 2532 4F1A.tmp 89 PID 2920 wrote to memory of 4892 2920 4FA6.tmp 90 PID 2920 wrote to memory of 4892 2920 4FA6.tmp 90 PID 2920 wrote to memory of 4892 2920 4FA6.tmp 90 PID 4892 wrote to memory of 5028 4892 5062.tmp 92 PID 4892 wrote to memory of 5028 4892 5062.tmp 92 PID 4892 wrote to memory of 5028 4892 5062.tmp 92 PID 5028 wrote to memory of 2624 5028 50EF.tmp 93 PID 5028 wrote to memory of 2624 5028 50EF.tmp 93 PID 5028 wrote to memory of 2624 5028 50EF.tmp 93 PID 2624 wrote to memory of 4248 2624 5321.tmp 95 PID 2624 wrote to memory of 4248 2624 5321.tmp 95 PID 2624 wrote to memory of 4248 2624 5321.tmp 95 PID 4248 wrote to memory of 936 4248 539E.tmp 97 PID 4248 wrote to memory of 936 4248 539E.tmp 97 PID 4248 wrote to memory of 936 4248 539E.tmp 97 PID 936 wrote to memory of 4040 936 543A.tmp 98 PID 936 wrote to memory of 4040 936 543A.tmp 98 PID 936 wrote to memory of 4040 936 543A.tmp 98 PID 4040 wrote to memory of 4780 4040 54B7.tmp 99 PID 4040 wrote to memory of 4780 4040 54B7.tmp 99 PID 4040 wrote to memory of 4780 4040 54B7.tmp 99 PID 4780 wrote to memory of 4756 4780 5544.tmp 100 PID 4780 wrote to memory of 4756 4780 5544.tmp 100 PID 4780 wrote to memory of 4756 4780 5544.tmp 100 PID 4756 wrote to memory of 5056 4756 55C1.tmp 101 PID 4756 wrote to memory of 5056 4756 55C1.tmp 101 PID 4756 wrote to memory of 5056 4756 55C1.tmp 101 PID 5056 wrote to memory of 2472 5056 565D.tmp 102 PID 5056 wrote to memory of 2472 5056 565D.tmp 102 PID 5056 wrote to memory of 2472 5056 565D.tmp 102 PID 2472 wrote to memory of 3132 2472 56F9.tmp 103 PID 2472 wrote to memory of 3132 2472 56F9.tmp 103 PID 2472 wrote to memory of 3132 2472 56F9.tmp 103 PID 3132 wrote to memory of 3044 3132 5767.tmp 104 PID 3132 wrote to memory of 3044 3132 5767.tmp 104 PID 3132 wrote to memory of 3044 3132 5767.tmp 104 PID 3044 wrote to memory of 4064 3044 5803.tmp 105 PID 3044 wrote to memory of 4064 3044 5803.tmp 105 PID 3044 wrote to memory of 4064 3044 5803.tmp 105 PID 4064 wrote to memory of 4616 4064 589F.tmp 106 PID 4064 wrote to memory of 4616 4064 589F.tmp 106 PID 4064 wrote to memory of 4616 4064 589F.tmp 106 PID 4616 wrote to memory of 4888 4616 591C.tmp 107 PID 4616 wrote to memory of 4888 4616 591C.tmp 107 PID 4616 wrote to memory of 4888 4616 591C.tmp 107 PID 4888 wrote to memory of 2608 4888 598A.tmp 108 PID 4888 wrote to memory of 2608 4888 598A.tmp 108 PID 4888 wrote to memory of 2608 4888 598A.tmp 108 PID 2608 wrote to memory of 4448 2608 59F7.tmp 109 PID 2608 wrote to memory of 4448 2608 59F7.tmp 109 PID 2608 wrote to memory of 4448 2608 59F7.tmp 109 PID 4448 wrote to memory of 2604 4448 5A74.tmp 110 PID 4448 wrote to memory of 2604 4448 5A74.tmp 110 PID 4448 wrote to memory of 2604 4448 5A74.tmp 110 PID 2604 wrote to memory of 2784 2604 5AD2.tmp 111 PID 2604 wrote to memory of 2784 2604 5AD2.tmp 111 PID 2604 wrote to memory of 2784 2604 5AD2.tmp 111 PID 2784 wrote to memory of 5084 2784 5B3F.tmp 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-19_510e80b302a13b6d601274ee238d7b2b_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\4FA6.tmp"C:\Users\Admin\AppData\Local\Temp\4FA6.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\5062.tmp"C:\Users\Admin\AppData\Local\Temp\5062.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\50EF.tmp"C:\Users\Admin\AppData\Local\Temp\50EF.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\5321.tmp"C:\Users\Admin\AppData\Local\Temp\5321.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\539E.tmp"C:\Users\Admin\AppData\Local\Temp\539E.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\543A.tmp"C:\Users\Admin\AppData\Local\Temp\543A.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Users\Admin\AppData\Local\Temp\54B7.tmp"C:\Users\Admin\AppData\Local\Temp\54B7.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\5544.tmp"C:\Users\Admin\AppData\Local\Temp\5544.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\55C1.tmp"C:\Users\Admin\AppData\Local\Temp\55C1.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\565D.tmp"C:\Users\Admin\AppData\Local\Temp\565D.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\56F9.tmp"C:\Users\Admin\AppData\Local\Temp\56F9.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\5767.tmp"C:\Users\Admin\AppData\Local\Temp\5767.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\5803.tmp"C:\Users\Admin\AppData\Local\Temp\5803.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Users\Admin\AppData\Local\Temp\589F.tmp"C:\Users\Admin\AppData\Local\Temp\589F.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\591C.tmp"C:\Users\Admin\AppData\Local\Temp\591C.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\598A.tmp"C:\Users\Admin\AppData\Local\Temp\598A.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\59F7.tmp"C:\Users\Admin\AppData\Local\Temp\59F7.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\5A74.tmp"C:\Users\Admin\AppData\Local\Temp\5A74.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\5AD2.tmp"C:\Users\Admin\AppData\Local\Temp\5AD2.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\5BAD.tmp"C:\Users\Admin\AppData\Local\Temp\5BAD.tmp"23⤵
- Executes dropped EXE
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp"C:\Users\Admin\AppData\Local\Temp\5C2A.tmp"24⤵
- Executes dropped EXE
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"25⤵
- Executes dropped EXE
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\5D33.tmp"C:\Users\Admin\AppData\Local\Temp\5D33.tmp"26⤵
- Executes dropped EXE
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"27⤵
- Executes dropped EXE
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"28⤵
- Executes dropped EXE
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\5EBA.tmp"C:\Users\Admin\AppData\Local\Temp\5EBA.tmp"29⤵
- Executes dropped EXE
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\5F46.tmp"C:\Users\Admin\AppData\Local\Temp\5F46.tmp"30⤵
- Executes dropped EXE
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"31⤵
- Executes dropped EXE
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\6040.tmp"C:\Users\Admin\AppData\Local\Temp\6040.tmp"32⤵
- Executes dropped EXE
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\60CD.tmp"C:\Users\Admin\AppData\Local\Temp\60CD.tmp"33⤵
- Executes dropped EXE
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\612B.tmp"C:\Users\Admin\AppData\Local\Temp\612B.tmp"34⤵
- Executes dropped EXE
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\6198.tmp"C:\Users\Admin\AppData\Local\Temp\6198.tmp"35⤵
- Executes dropped EXE
PID:4276 -
C:\Users\Admin\AppData\Local\Temp\61F6.tmp"C:\Users\Admin\AppData\Local\Temp\61F6.tmp"36⤵
- Executes dropped EXE
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\6244.tmp"C:\Users\Admin\AppData\Local\Temp\6244.tmp"37⤵
- Executes dropped EXE
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\62B1.tmp"C:\Users\Admin\AppData\Local\Temp\62B1.tmp"38⤵
- Executes dropped EXE
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\6300.tmp"C:\Users\Admin\AppData\Local\Temp\6300.tmp"39⤵
- Executes dropped EXE
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\636D.tmp"C:\Users\Admin\AppData\Local\Temp\636D.tmp"40⤵
- Executes dropped EXE
PID:644 -
C:\Users\Admin\AppData\Local\Temp\63CB.tmp"C:\Users\Admin\AppData\Local\Temp\63CB.tmp"41⤵
- Executes dropped EXE
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\6438.tmp"C:\Users\Admin\AppData\Local\Temp\6438.tmp"42⤵
- Executes dropped EXE
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\64A5.tmp"C:\Users\Admin\AppData\Local\Temp\64A5.tmp"43⤵
- Executes dropped EXE
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\6513.tmp"C:\Users\Admin\AppData\Local\Temp\6513.tmp"44⤵
- Executes dropped EXE
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\6571.tmp"C:\Users\Admin\AppData\Local\Temp\6571.tmp"45⤵
- Executes dropped EXE
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\65BF.tmp"C:\Users\Admin\AppData\Local\Temp\65BF.tmp"46⤵
- Executes dropped EXE
PID:8 -
C:\Users\Admin\AppData\Local\Temp\661C.tmp"C:\Users\Admin\AppData\Local\Temp\661C.tmp"47⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\666B.tmp"C:\Users\Admin\AppData\Local\Temp\666B.tmp"48⤵
- Executes dropped EXE
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\66C8.tmp"C:\Users\Admin\AppData\Local\Temp\66C8.tmp"49⤵
- Executes dropped EXE
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\6726.tmp"C:\Users\Admin\AppData\Local\Temp\6726.tmp"50⤵
- Executes dropped EXE
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\6793.tmp"C:\Users\Admin\AppData\Local\Temp\6793.tmp"51⤵
- Executes dropped EXE
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\67F1.tmp"C:\Users\Admin\AppData\Local\Temp\67F1.tmp"52⤵
- Executes dropped EXE
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\683F.tmp"C:\Users\Admin\AppData\Local\Temp\683F.tmp"53⤵
- Executes dropped EXE
PID:1420 -
C:\Users\Admin\AppData\Local\Temp\68AD.tmp"C:\Users\Admin\AppData\Local\Temp\68AD.tmp"54⤵
- Executes dropped EXE
PID:3924 -
C:\Users\Admin\AppData\Local\Temp\691A.tmp"C:\Users\Admin\AppData\Local\Temp\691A.tmp"55⤵
- Executes dropped EXE
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\6968.tmp"C:\Users\Admin\AppData\Local\Temp\6968.tmp"56⤵
- Executes dropped EXE
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\69C6.tmp"C:\Users\Admin\AppData\Local\Temp\69C6.tmp"57⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\6A24.tmp"C:\Users\Admin\AppData\Local\Temp\6A24.tmp"58⤵
- Executes dropped EXE
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\6A81.tmp"C:\Users\Admin\AppData\Local\Temp\6A81.tmp"59⤵
- Executes dropped EXE
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp"C:\Users\Admin\AppData\Local\Temp\6AEF.tmp"60⤵
- Executes dropped EXE
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\6B4D.tmp"C:\Users\Admin\AppData\Local\Temp\6B4D.tmp"61⤵
- Executes dropped EXE
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\6BCA.tmp"C:\Users\Admin\AppData\Local\Temp\6BCA.tmp"62⤵
- Executes dropped EXE
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\6C27.tmp"C:\Users\Admin\AppData\Local\Temp\6C27.tmp"63⤵
- Executes dropped EXE
PID:512 -
C:\Users\Admin\AppData\Local\Temp\6C95.tmp"C:\Users\Admin\AppData\Local\Temp\6C95.tmp"64⤵
- Executes dropped EXE
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\6CF2.tmp"C:\Users\Admin\AppData\Local\Temp\6CF2.tmp"65⤵
- Executes dropped EXE
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\6D60.tmp"C:\Users\Admin\AppData\Local\Temp\6D60.tmp"66⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"67⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"68⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"69⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"70⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\6F63.tmp"C:\Users\Admin\AppData\Local\Temp\6F63.tmp"71⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\6FC1.tmp"C:\Users\Admin\AppData\Local\Temp\6FC1.tmp"72⤵PID:312
-
C:\Users\Admin\AppData\Local\Temp\701F.tmp"C:\Users\Admin\AppData\Local\Temp\701F.tmp"73⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\707D.tmp"C:\Users\Admin\AppData\Local\Temp\707D.tmp"74⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\70EA.tmp"C:\Users\Admin\AppData\Local\Temp\70EA.tmp"75⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\7148.tmp"C:\Users\Admin\AppData\Local\Temp\7148.tmp"76⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\71B5.tmp"C:\Users\Admin\AppData\Local\Temp\71B5.tmp"77⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\7213.tmp"C:\Users\Admin\AppData\Local\Temp\7213.tmp"78⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\7280.tmp"C:\Users\Admin\AppData\Local\Temp\7280.tmp"79⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\72DE.tmp"C:\Users\Admin\AppData\Local\Temp\72DE.tmp"80⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\733C.tmp"C:\Users\Admin\AppData\Local\Temp\733C.tmp"81⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\73A9.tmp"C:\Users\Admin\AppData\Local\Temp\73A9.tmp"82⤵PID:60
-
C:\Users\Admin\AppData\Local\Temp\7407.tmp"C:\Users\Admin\AppData\Local\Temp\7407.tmp"83⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\7465.tmp"C:\Users\Admin\AppData\Local\Temp\7465.tmp"84⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\74C2.tmp"C:\Users\Admin\AppData\Local\Temp\74C2.tmp"85⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\7530.tmp"C:\Users\Admin\AppData\Local\Temp\7530.tmp"86⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\758E.tmp"C:\Users\Admin\AppData\Local\Temp\758E.tmp"87⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\75FB.tmp"C:\Users\Admin\AppData\Local\Temp\75FB.tmp"88⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\7649.tmp"C:\Users\Admin\AppData\Local\Temp\7649.tmp"89⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\7697.tmp"C:\Users\Admin\AppData\Local\Temp\7697.tmp"90⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\76E5.tmp"C:\Users\Admin\AppData\Local\Temp\76E5.tmp"91⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\7753.tmp"C:\Users\Admin\AppData\Local\Temp\7753.tmp"92⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\77C0.tmp"C:\Users\Admin\AppData\Local\Temp\77C0.tmp"93⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\781E.tmp"C:\Users\Admin\AppData\Local\Temp\781E.tmp"94⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\787C.tmp"C:\Users\Admin\AppData\Local\Temp\787C.tmp"95⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\78D9.tmp"C:\Users\Admin\AppData\Local\Temp\78D9.tmp"96⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\7937.tmp"C:\Users\Admin\AppData\Local\Temp\7937.tmp"97⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\79A4.tmp"C:\Users\Admin\AppData\Local\Temp\79A4.tmp"98⤵PID:1336
-
C:\Users\Admin\AppData\Local\Temp\7A02.tmp"C:\Users\Admin\AppData\Local\Temp\7A02.tmp"99⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\7A50.tmp"C:\Users\Admin\AppData\Local\Temp\7A50.tmp"100⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"101⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\7AFC.tmp"C:\Users\Admin\AppData\Local\Temp\7AFC.tmp"102⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"103⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"104⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\7C25.tmp"C:\Users\Admin\AppData\Local\Temp\7C25.tmp"105⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\7C73.tmp"C:\Users\Admin\AppData\Local\Temp\7C73.tmp"106⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"107⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\7D3E.tmp"C:\Users\Admin\AppData\Local\Temp\7D3E.tmp"108⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\7D8C.tmp"C:\Users\Admin\AppData\Local\Temp\7D8C.tmp"109⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\7DDB.tmp"C:\Users\Admin\AppData\Local\Temp\7DDB.tmp"110⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\7E29.tmp"C:\Users\Admin\AppData\Local\Temp\7E29.tmp"111⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\7E86.tmp"C:\Users\Admin\AppData\Local\Temp\7E86.tmp"112⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\7ED5.tmp"C:\Users\Admin\AppData\Local\Temp\7ED5.tmp"113⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\7F32.tmp"C:\Users\Admin\AppData\Local\Temp\7F32.tmp"114⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\7F90.tmp"C:\Users\Admin\AppData\Local\Temp\7F90.tmp"115⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\7FEE.tmp"C:\Users\Admin\AppData\Local\Temp\7FEE.tmp"116⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\804C.tmp"C:\Users\Admin\AppData\Local\Temp\804C.tmp"117⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\809A.tmp"C:\Users\Admin\AppData\Local\Temp\809A.tmp"118⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\80E8.tmp"C:\Users\Admin\AppData\Local\Temp\80E8.tmp"119⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\8155.tmp"C:\Users\Admin\AppData\Local\Temp\8155.tmp"120⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\81A3.tmp"C:\Users\Admin\AppData\Local\Temp\81A3.tmp"121⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\81F1.tmp"C:\Users\Admin\AppData\Local\Temp\81F1.tmp"122⤵PID:2208
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-