Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
27/05/2024, 19:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-05-27_309fe5ce3b6acebfe750d6a761db2a12_mafia.exe
Resource
win7-20240419-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-05-27_309fe5ce3b6acebfe750d6a761db2a12_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-05-27_309fe5ce3b6acebfe750d6a761db2a12_mafia.exe
-
Size
712KB
-
MD5
309fe5ce3b6acebfe750d6a761db2a12
-
SHA1
2711e8e55faf7fb741f806608d615e3c71bbc6a2
-
SHA256
5b83687e313c21afc3d7b436aa3fc57505278f71f32369208b46aee2fbd08ad3
-
SHA512
830772d56e8795e2efe6f905e5d472191797e988dd4b2459fa1be9386a8de13ba0f83eb5024a4ba3bc52a2b76f3ef11dcaf37e8acdddfedc6fcfcb0f6673e036
-
SSDEEP
12288:FU5rCOTeiDopEzLeviDjAKucgSKHMmngn7M3av//LNZdCvq5TJLCvY90D8/LVBl3:FUQOJDHzFDNaSKjavHLNnCvq5TJLCvYR
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-27_309fe5ce3b6acebfe750d6a761db2a12_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-27_309fe5ce3b6acebfe750d6a761db2a12_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Users\Admin\AppData\Local\Temp\4EEB.tmp"C:\Users\Admin\AppData\Local\Temp\4EEB.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\4F78.tmp"C:\Users\Admin\AppData\Local\Temp\4F78.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\5043.tmp"C:\Users\Admin\AppData\Local\Temp\5043.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\512D.tmp"C:\Users\Admin\AppData\Local\Temp\512D.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\5302.tmp"C:\Users\Admin\AppData\Local\Temp\5302.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\539E.tmp"C:\Users\Admin\AppData\Local\Temp\539E.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\543A.tmp"C:\Users\Admin\AppData\Local\Temp\543A.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\54D7.tmp"C:\Users\Admin\AppData\Local\Temp\54D7.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\5554.tmp"C:\Users\Admin\AppData\Local\Temp\5554.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\55F0.tmp"C:\Users\Admin\AppData\Local\Temp\55F0.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\568C.tmp"C:\Users\Admin\AppData\Local\Temp\568C.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\56F9.tmp"C:\Users\Admin\AppData\Local\Temp\56F9.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\57C5.tmp"C:\Users\Admin\AppData\Local\Temp\57C5.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\5861.tmp"C:\Users\Admin\AppData\Local\Temp\5861.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\591C.tmp"C:\Users\Admin\AppData\Local\Temp\591C.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\59A9.tmp"C:\Users\Admin\AppData\Local\Temp\59A9.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\5A36.tmp"C:\Users\Admin\AppData\Local\Temp\5A36.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\5B8D.tmp"C:\Users\Admin\AppData\Local\Temp\5B8D.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\5CA7.tmp"C:\Users\Admin\AppData\Local\Temp\5CA7.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\5D24.tmp"C:\Users\Admin\AppData\Local\Temp\5D24.tmp"23⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"24⤵
- Executes dropped EXE
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"25⤵
- Executes dropped EXE
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\5E6C.tmp"C:\Users\Admin\AppData\Local\Temp\5E6C.tmp"26⤵
- Executes dropped EXE
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\5F18.tmp"C:\Users\Admin\AppData\Local\Temp\5F18.tmp"27⤵
- Executes dropped EXE
PID:404 -
C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"28⤵
- Executes dropped EXE
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\6021.tmp"C:\Users\Admin\AppData\Local\Temp\6021.tmp"29⤵
- Executes dropped EXE
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\60CD.tmp"C:\Users\Admin\AppData\Local\Temp\60CD.tmp"30⤵
- Executes dropped EXE
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\6169.tmp"C:\Users\Admin\AppData\Local\Temp\6169.tmp"31⤵
- Executes dropped EXE
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\6215.tmp"C:\Users\Admin\AppData\Local\Temp\6215.tmp"32⤵
- Executes dropped EXE
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\62D1.tmp"C:\Users\Admin\AppData\Local\Temp\62D1.tmp"33⤵
- Executes dropped EXE
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\636D.tmp"C:\Users\Admin\AppData\Local\Temp\636D.tmp"34⤵
- Executes dropped EXE
PID:3800 -
C:\Users\Admin\AppData\Local\Temp\63BB.tmp"C:\Users\Admin\AppData\Local\Temp\63BB.tmp"35⤵
- Executes dropped EXE
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\6419.tmp"C:\Users\Admin\AppData\Local\Temp\6419.tmp"36⤵
- Executes dropped EXE
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\6477.tmp"C:\Users\Admin\AppData\Local\Temp\6477.tmp"37⤵
- Executes dropped EXE
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\64D4.tmp"C:\Users\Admin\AppData\Local\Temp\64D4.tmp"38⤵
- Executes dropped EXE
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\6542.tmp"C:\Users\Admin\AppData\Local\Temp\6542.tmp"39⤵
- Executes dropped EXE
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\659F.tmp"C:\Users\Admin\AppData\Local\Temp\659F.tmp"40⤵
- Executes dropped EXE
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\65FD.tmp"C:\Users\Admin\AppData\Local\Temp\65FD.tmp"41⤵
- Executes dropped EXE
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\665B.tmp"C:\Users\Admin\AppData\Local\Temp\665B.tmp"42⤵
- Executes dropped EXE
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\66B9.tmp"C:\Users\Admin\AppData\Local\Temp\66B9.tmp"43⤵
- Executes dropped EXE
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\6716.tmp"C:\Users\Admin\AppData\Local\Temp\6716.tmp"44⤵
- Executes dropped EXE
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\6784.tmp"C:\Users\Admin\AppData\Local\Temp\6784.tmp"45⤵
- Executes dropped EXE
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\67E2.tmp"C:\Users\Admin\AppData\Local\Temp\67E2.tmp"46⤵
- Executes dropped EXE
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\6830.tmp"C:\Users\Admin\AppData\Local\Temp\6830.tmp"47⤵
- Executes dropped EXE
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\688D.tmp"C:\Users\Admin\AppData\Local\Temp\688D.tmp"48⤵
- Executes dropped EXE
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\68DC.tmp"C:\Users\Admin\AppData\Local\Temp\68DC.tmp"49⤵
- Executes dropped EXE
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\692A.tmp"C:\Users\Admin\AppData\Local\Temp\692A.tmp"50⤵
- Executes dropped EXE
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\6997.tmp"C:\Users\Admin\AppData\Local\Temp\6997.tmp"51⤵
- Executes dropped EXE
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\6A04.tmp"C:\Users\Admin\AppData\Local\Temp\6A04.tmp"52⤵
- Executes dropped EXE
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\6A72.tmp"C:\Users\Admin\AppData\Local\Temp\6A72.tmp"53⤵
- Executes dropped EXE
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"54⤵
- Executes dropped EXE
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"55⤵
- Executes dropped EXE
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\6B9B.tmp"C:\Users\Admin\AppData\Local\Temp\6B9B.tmp"56⤵
- Executes dropped EXE
PID:4100 -
C:\Users\Admin\AppData\Local\Temp\6BF8.tmp"C:\Users\Admin\AppData\Local\Temp\6BF8.tmp"57⤵
- Executes dropped EXE
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\6C66.tmp"C:\Users\Admin\AppData\Local\Temp\6C66.tmp"58⤵
- Executes dropped EXE
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\6CC4.tmp"C:\Users\Admin\AppData\Local\Temp\6CC4.tmp"59⤵
- Executes dropped EXE
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\6D21.tmp"C:\Users\Admin\AppData\Local\Temp\6D21.tmp"60⤵
- Executes dropped EXE
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"61⤵
- Executes dropped EXE
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"62⤵
- Executes dropped EXE
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"63⤵
- Executes dropped EXE
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"64⤵
- Executes dropped EXE
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"65⤵
- Executes dropped EXE
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\6F63.tmp"C:\Users\Admin\AppData\Local\Temp\6F63.tmp"66⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\6FC1.tmp"C:\Users\Admin\AppData\Local\Temp\6FC1.tmp"67⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\702F.tmp"C:\Users\Admin\AppData\Local\Temp\702F.tmp"68⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\708C.tmp"C:\Users\Admin\AppData\Local\Temp\708C.tmp"69⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\70FA.tmp"C:\Users\Admin\AppData\Local\Temp\70FA.tmp"70⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\7148.tmp"C:\Users\Admin\AppData\Local\Temp\7148.tmp"71⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\71B5.tmp"C:\Users\Admin\AppData\Local\Temp\71B5.tmp"72⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\7213.tmp"C:\Users\Admin\AppData\Local\Temp\7213.tmp"73⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\7271.tmp"C:\Users\Admin\AppData\Local\Temp\7271.tmp"74⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\72DE.tmp"C:\Users\Admin\AppData\Local\Temp\72DE.tmp"75⤵PID:644
-
C:\Users\Admin\AppData\Local\Temp\734B.tmp"C:\Users\Admin\AppData\Local\Temp\734B.tmp"76⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\73B9.tmp"C:\Users\Admin\AppData\Local\Temp\73B9.tmp"77⤵PID:732
-
C:\Users\Admin\AppData\Local\Temp\7417.tmp"C:\Users\Admin\AppData\Local\Temp\7417.tmp"78⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\7465.tmp"C:\Users\Admin\AppData\Local\Temp\7465.tmp"79⤵PID:3296
-
C:\Users\Admin\AppData\Local\Temp\74D2.tmp"C:\Users\Admin\AppData\Local\Temp\74D2.tmp"80⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\753F.tmp"C:\Users\Admin\AppData\Local\Temp\753F.tmp"81⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\759D.tmp"C:\Users\Admin\AppData\Local\Temp\759D.tmp"82⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\760B.tmp"C:\Users\Admin\AppData\Local\Temp\760B.tmp"83⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\7668.tmp"C:\Users\Admin\AppData\Local\Temp\7668.tmp"84⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\76D6.tmp"C:\Users\Admin\AppData\Local\Temp\76D6.tmp"85⤵PID:1224
-
C:\Users\Admin\AppData\Local\Temp\7733.tmp"C:\Users\Admin\AppData\Local\Temp\7733.tmp"86⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\7782.tmp"C:\Users\Admin\AppData\Local\Temp\7782.tmp"87⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\77DF.tmp"C:\Users\Admin\AppData\Local\Temp\77DF.tmp"88⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\783D.tmp"C:\Users\Admin\AppData\Local\Temp\783D.tmp"89⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\789B.tmp"C:\Users\Admin\AppData\Local\Temp\789B.tmp"90⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\78F9.tmp"C:\Users\Admin\AppData\Local\Temp\78F9.tmp"91⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\7966.tmp"C:\Users\Admin\AppData\Local\Temp\7966.tmp"92⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\79B4.tmp"C:\Users\Admin\AppData\Local\Temp\79B4.tmp"93⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\7A02.tmp"C:\Users\Admin\AppData\Local\Temp\7A02.tmp"94⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\7A60.tmp"C:\Users\Admin\AppData\Local\Temp\7A60.tmp"95⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\7ACD.tmp"C:\Users\Admin\AppData\Local\Temp\7ACD.tmp"96⤵PID:264
-
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"97⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\7B79.tmp"C:\Users\Admin\AppData\Local\Temp\7B79.tmp"98⤵PID:1400
-
C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"99⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\7C35.tmp"C:\Users\Admin\AppData\Local\Temp\7C35.tmp"100⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"101⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\7D00.tmp"C:\Users\Admin\AppData\Local\Temp\7D00.tmp"102⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\7D5E.tmp"C:\Users\Admin\AppData\Local\Temp\7D5E.tmp"103⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\7DAC.tmp"C:\Users\Admin\AppData\Local\Temp\7DAC.tmp"104⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\7E19.tmp"C:\Users\Admin\AppData\Local\Temp\7E19.tmp"105⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\7E77.tmp"C:\Users\Admin\AppData\Local\Temp\7E77.tmp"106⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\7EC5.tmp"C:\Users\Admin\AppData\Local\Temp\7EC5.tmp"107⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\7F32.tmp"C:\Users\Admin\AppData\Local\Temp\7F32.tmp"108⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\7F90.tmp"C:\Users\Admin\AppData\Local\Temp\7F90.tmp"109⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\7FEE.tmp"C:\Users\Admin\AppData\Local\Temp\7FEE.tmp"110⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\803C.tmp"C:\Users\Admin\AppData\Local\Temp\803C.tmp"111⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\809A.tmp"C:\Users\Admin\AppData\Local\Temp\809A.tmp"112⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\80E8.tmp"C:\Users\Admin\AppData\Local\Temp\80E8.tmp"113⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\8155.tmp"C:\Users\Admin\AppData\Local\Temp\8155.tmp"114⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\81A3.tmp"C:\Users\Admin\AppData\Local\Temp\81A3.tmp"115⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\8201.tmp"C:\Users\Admin\AppData\Local\Temp\8201.tmp"116⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\826E.tmp"C:\Users\Admin\AppData\Local\Temp\826E.tmp"117⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\82CC.tmp"C:\Users\Admin\AppData\Local\Temp\82CC.tmp"118⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\833A.tmp"C:\Users\Admin\AppData\Local\Temp\833A.tmp"119⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\8397.tmp"C:\Users\Admin\AppData\Local\Temp\8397.tmp"120⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\83F5.tmp"C:\Users\Admin\AppData\Local\Temp\83F5.tmp"121⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\8462.tmp"C:\Users\Admin\AppData\Local\Temp\8462.tmp"122⤵PID:4600
-