Analysis
-
max time kernel
150s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 20:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe
-
Size
488KB
-
MD5
00ba9d53354cfb2fdc114f2e3f26d1f6
-
SHA1
ecfaf9fdc599e56fac74336f66ab56d07262823a
-
SHA256
de97d8203fc6cd86950f0def70a552907192d7feac5d1d4d3fae892048b7120b
-
SHA512
2eff9735df4d052e1e995410d685b00aa0c68086e1313209a020a0ec3474b3854fee31c71146e9a393dc0eca285bdbd6c62516933ab1e81bc0512d3ab9ea0991
-
SSDEEP
12288:/U5rCOTeiDZCrcsZnImyT1dsbrnHXLNZ:/UQOJDZCrcAnIdRWvbN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 3700 4E10.tmp 4408 4E8D.tmp 4932 4F0A.tmp 404 4FB6.tmp 4256 5023.tmp 1920 50A0.tmp 1284 512D.tmp 4456 51C9.tmp 4476 5237.tmp 4284 52F2.tmp 2740 538E.tmp 5096 541B.tmp 1608 5488.tmp 4556 5505.tmp 3676 55A2.tmp 4624 560F.tmp 5068 566D.tmp 2508 56DA.tmp 3584 5748.tmp 696 57A5.tmp 624 5803.tmp 4644 5861.tmp 3636 58AF.tmp 1264 590D.tmp 2836 597A.tmp 3020 59E7.tmp 4108 5A45.tmp 3964 5AE1.tmp 2480 5B3F.tmp 2876 5BDB.tmp 4592 5CA7.tmp 1400 5D24.tmp 2020 5DC0.tmp 3228 5E4C.tmp 3080 5E9B.tmp 1784 5EE9.tmp 1468 5F56.tmp 3392 5FA4.tmp 3204 5FF2.tmp 4652 6040.tmp 4424 609E.tmp 4740 6169.tmp 1756 6215.tmp 3284 6273.tmp 1204 62E0.tmp 1500 633E.tmp 2476 638C.tmp 216 63FA.tmp 4588 6467.tmp 3064 64D4.tmp 4660 6542.tmp 4952 65AF.tmp 4256 661C.tmp 884 667A.tmp 1508 66D8.tmp 1464 6726.tmp 2764 6793.tmp 4456 67F1.tmp 4068 684F.tmp 3928 689D.tmp 4284 690A.tmp 1208 6978.tmp 2988 69D6.tmp 4304 6A33.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4116 wrote to memory of 3700 4116 2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe 82 PID 4116 wrote to memory of 3700 4116 2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe 82 PID 4116 wrote to memory of 3700 4116 2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe 82 PID 3700 wrote to memory of 4408 3700 4E10.tmp 83 PID 3700 wrote to memory of 4408 3700 4E10.tmp 83 PID 3700 wrote to memory of 4408 3700 4E10.tmp 83 PID 4408 wrote to memory of 4932 4408 4E8D.tmp 85 PID 4408 wrote to memory of 4932 4408 4E8D.tmp 85 PID 4408 wrote to memory of 4932 4408 4E8D.tmp 85 PID 4932 wrote to memory of 404 4932 4F0A.tmp 88 PID 4932 wrote to memory of 404 4932 4F0A.tmp 88 PID 4932 wrote to memory of 404 4932 4F0A.tmp 88 PID 404 wrote to memory of 4256 404 4FB6.tmp 89 PID 404 wrote to memory of 4256 404 4FB6.tmp 89 PID 404 wrote to memory of 4256 404 4FB6.tmp 89 PID 4256 wrote to memory of 1920 4256 5023.tmp 90 PID 4256 wrote to memory of 1920 4256 5023.tmp 90 PID 4256 wrote to memory of 1920 4256 5023.tmp 90 PID 1920 wrote to memory of 1284 1920 50A0.tmp 91 PID 1920 wrote to memory of 1284 1920 50A0.tmp 91 PID 1920 wrote to memory of 1284 1920 50A0.tmp 91 PID 1284 wrote to memory of 4456 1284 512D.tmp 92 PID 1284 wrote to memory of 4456 1284 512D.tmp 92 PID 1284 wrote to memory of 4456 1284 512D.tmp 92 PID 4456 wrote to memory of 4476 4456 51C9.tmp 93 PID 4456 wrote to memory of 4476 4456 51C9.tmp 93 PID 4456 wrote to memory of 4476 4456 51C9.tmp 93 PID 4476 wrote to memory of 4284 4476 5237.tmp 94 PID 4476 wrote to memory of 4284 4476 5237.tmp 94 PID 4476 wrote to memory of 4284 4476 5237.tmp 94 PID 4284 wrote to memory of 2740 4284 52F2.tmp 95 PID 4284 wrote to memory of 2740 4284 52F2.tmp 95 PID 4284 wrote to memory of 2740 4284 52F2.tmp 95 PID 2740 wrote to memory of 5096 2740 538E.tmp 96 PID 2740 wrote to memory of 5096 2740 538E.tmp 96 PID 2740 wrote to memory of 5096 2740 538E.tmp 96 PID 5096 wrote to memory of 1608 5096 541B.tmp 97 PID 5096 wrote to memory of 1608 5096 541B.tmp 97 PID 5096 wrote to memory of 1608 5096 541B.tmp 97 PID 1608 wrote to memory of 4556 1608 5488.tmp 98 PID 1608 wrote to memory of 4556 1608 5488.tmp 98 PID 1608 wrote to memory of 4556 1608 5488.tmp 98 PID 4556 wrote to memory of 3676 4556 5505.tmp 99 PID 4556 wrote to memory of 3676 4556 5505.tmp 99 PID 4556 wrote to memory of 3676 4556 5505.tmp 99 PID 3676 wrote to memory of 4624 3676 55A2.tmp 100 PID 3676 wrote to memory of 4624 3676 55A2.tmp 100 PID 3676 wrote to memory of 4624 3676 55A2.tmp 100 PID 4624 wrote to memory of 5068 4624 560F.tmp 101 PID 4624 wrote to memory of 5068 4624 560F.tmp 101 PID 4624 wrote to memory of 5068 4624 560F.tmp 101 PID 5068 wrote to memory of 2508 5068 566D.tmp 102 PID 5068 wrote to memory of 2508 5068 566D.tmp 102 PID 5068 wrote to memory of 2508 5068 566D.tmp 102 PID 2508 wrote to memory of 3584 2508 56DA.tmp 103 PID 2508 wrote to memory of 3584 2508 56DA.tmp 103 PID 2508 wrote to memory of 3584 2508 56DA.tmp 103 PID 3584 wrote to memory of 696 3584 5748.tmp 104 PID 3584 wrote to memory of 696 3584 5748.tmp 104 PID 3584 wrote to memory of 696 3584 5748.tmp 104 PID 696 wrote to memory of 624 696 57A5.tmp 105 PID 696 wrote to memory of 624 696 57A5.tmp 105 PID 696 wrote to memory of 624 696 57A5.tmp 105 PID 624 wrote to memory of 4644 624 5803.tmp 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-28_00ba9d53354cfb2fdc114f2e3f26d1f6_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\4E10.tmp"C:\Users\Admin\AppData\Local\Temp\4E10.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\4E8D.tmp"C:\Users\Admin\AppData\Local\Temp\4E8D.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\4F0A.tmp"C:\Users\Admin\AppData\Local\Temp\4F0A.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Users\Admin\AppData\Local\Temp\5023.tmp"C:\Users\Admin\AppData\Local\Temp\5023.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\50A0.tmp"C:\Users\Admin\AppData\Local\Temp\50A0.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\512D.tmp"C:\Users\Admin\AppData\Local\Temp\512D.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\51C9.tmp"C:\Users\Admin\AppData\Local\Temp\51C9.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\5237.tmp"C:\Users\Admin\AppData\Local\Temp\5237.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\52F2.tmp"C:\Users\Admin\AppData\Local\Temp\52F2.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\538E.tmp"C:\Users\Admin\AppData\Local\Temp\538E.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\541B.tmp"C:\Users\Admin\AppData\Local\Temp\541B.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\5488.tmp"C:\Users\Admin\AppData\Local\Temp\5488.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\5505.tmp"C:\Users\Admin\AppData\Local\Temp\5505.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\55A2.tmp"C:\Users\Admin\AppData\Local\Temp\55A2.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\560F.tmp"C:\Users\Admin\AppData\Local\Temp\560F.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\566D.tmp"C:\Users\Admin\AppData\Local\Temp\566D.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\56DA.tmp"C:\Users\Admin\AppData\Local\Temp\56DA.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\5748.tmp"C:\Users\Admin\AppData\Local\Temp\5748.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Users\Admin\AppData\Local\Temp\57A5.tmp"C:\Users\Admin\AppData\Local\Temp\57A5.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Users\Admin\AppData\Local\Temp\5803.tmp"C:\Users\Admin\AppData\Local\Temp\5803.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Users\Admin\AppData\Local\Temp\5861.tmp"C:\Users\Admin\AppData\Local\Temp\5861.tmp"23⤵
- Executes dropped EXE
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\58AF.tmp"C:\Users\Admin\AppData\Local\Temp\58AF.tmp"24⤵
- Executes dropped EXE
PID:3636 -
C:\Users\Admin\AppData\Local\Temp\590D.tmp"C:\Users\Admin\AppData\Local\Temp\590D.tmp"25⤵
- Executes dropped EXE
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\597A.tmp"C:\Users\Admin\AppData\Local\Temp\597A.tmp"26⤵
- Executes dropped EXE
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\59E7.tmp"C:\Users\Admin\AppData\Local\Temp\59E7.tmp"27⤵
- Executes dropped EXE
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\5A45.tmp"C:\Users\Admin\AppData\Local\Temp\5A45.tmp"28⤵
- Executes dropped EXE
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"29⤵
- Executes dropped EXE
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"30⤵
- Executes dropped EXE
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"31⤵
- Executes dropped EXE
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\5CA7.tmp"C:\Users\Admin\AppData\Local\Temp\5CA7.tmp"32⤵
- Executes dropped EXE
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\5D24.tmp"C:\Users\Admin\AppData\Local\Temp\5D24.tmp"33⤵
- Executes dropped EXE
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\5DC0.tmp"C:\Users\Admin\AppData\Local\Temp\5DC0.tmp"34⤵
- Executes dropped EXE
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"35⤵
- Executes dropped EXE
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"36⤵
- Executes dropped EXE
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"37⤵
- Executes dropped EXE
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\5F56.tmp"C:\Users\Admin\AppData\Local\Temp\5F56.tmp"38⤵
- Executes dropped EXE
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"39⤵
- Executes dropped EXE
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"40⤵
- Executes dropped EXE
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\6040.tmp"C:\Users\Admin\AppData\Local\Temp\6040.tmp"41⤵
- Executes dropped EXE
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\609E.tmp"C:\Users\Admin\AppData\Local\Temp\609E.tmp"42⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\6169.tmp"C:\Users\Admin\AppData\Local\Temp\6169.tmp"43⤵
- Executes dropped EXE
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\6215.tmp"C:\Users\Admin\AppData\Local\Temp\6215.tmp"44⤵
- Executes dropped EXE
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\6273.tmp"C:\Users\Admin\AppData\Local\Temp\6273.tmp"45⤵
- Executes dropped EXE
PID:3284 -
C:\Users\Admin\AppData\Local\Temp\62E0.tmp"C:\Users\Admin\AppData\Local\Temp\62E0.tmp"46⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\633E.tmp"C:\Users\Admin\AppData\Local\Temp\633E.tmp"47⤵
- Executes dropped EXE
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\638C.tmp"C:\Users\Admin\AppData\Local\Temp\638C.tmp"48⤵
- Executes dropped EXE
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\63FA.tmp"C:\Users\Admin\AppData\Local\Temp\63FA.tmp"49⤵
- Executes dropped EXE
PID:216 -
C:\Users\Admin\AppData\Local\Temp\6467.tmp"C:\Users\Admin\AppData\Local\Temp\6467.tmp"50⤵
- Executes dropped EXE
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\64D4.tmp"C:\Users\Admin\AppData\Local\Temp\64D4.tmp"51⤵
- Executes dropped EXE
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\6542.tmp"C:\Users\Admin\AppData\Local\Temp\6542.tmp"52⤵
- Executes dropped EXE
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\65AF.tmp"C:\Users\Admin\AppData\Local\Temp\65AF.tmp"53⤵
- Executes dropped EXE
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\661C.tmp"C:\Users\Admin\AppData\Local\Temp\661C.tmp"54⤵
- Executes dropped EXE
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\667A.tmp"C:\Users\Admin\AppData\Local\Temp\667A.tmp"55⤵
- Executes dropped EXE
PID:884 -
C:\Users\Admin\AppData\Local\Temp\66D8.tmp"C:\Users\Admin\AppData\Local\Temp\66D8.tmp"56⤵
- Executes dropped EXE
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\6726.tmp"C:\Users\Admin\AppData\Local\Temp\6726.tmp"57⤵
- Executes dropped EXE
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\6793.tmp"C:\Users\Admin\AppData\Local\Temp\6793.tmp"58⤵
- Executes dropped EXE
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\67F1.tmp"C:\Users\Admin\AppData\Local\Temp\67F1.tmp"59⤵
- Executes dropped EXE
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\684F.tmp"C:\Users\Admin\AppData\Local\Temp\684F.tmp"60⤵
- Executes dropped EXE
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\689D.tmp"C:\Users\Admin\AppData\Local\Temp\689D.tmp"61⤵
- Executes dropped EXE
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\690A.tmp"C:\Users\Admin\AppData\Local\Temp\690A.tmp"62⤵
- Executes dropped EXE
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\6978.tmp"C:\Users\Admin\AppData\Local\Temp\6978.tmp"63⤵
- Executes dropped EXE
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\69D6.tmp"C:\Users\Admin\AppData\Local\Temp\69D6.tmp"64⤵
- Executes dropped EXE
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\6A33.tmp"C:\Users\Admin\AppData\Local\Temp\6A33.tmp"65⤵
- Executes dropped EXE
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\6A91.tmp"C:\Users\Admin\AppData\Local\Temp\6A91.tmp"66⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp"C:\Users\Admin\AppData\Local\Temp\6AEF.tmp"67⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"68⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"69⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\6C56.tmp"C:\Users\Admin\AppData\Local\Temp\6C56.tmp"70⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\6CB4.tmp"C:\Users\Admin\AppData\Local\Temp\6CB4.tmp"71⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\6D12.tmp"C:\Users\Admin\AppData\Local\Temp\6D12.tmp"72⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\6D6F.tmp"C:\Users\Admin\AppData\Local\Temp\6D6F.tmp"73⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"74⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"75⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\6E98.tmp"C:\Users\Admin\AppData\Local\Temp\6E98.tmp"76⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"77⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\6F63.tmp"C:\Users\Admin\AppData\Local\Temp\6F63.tmp"78⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\6FC1.tmp"C:\Users\Admin\AppData\Local\Temp\6FC1.tmp"79⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\701F.tmp"C:\Users\Admin\AppData\Local\Temp\701F.tmp"80⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\708C.tmp"C:\Users\Admin\AppData\Local\Temp\708C.tmp"81⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\70EA.tmp"C:\Users\Admin\AppData\Local\Temp\70EA.tmp"82⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\7148.tmp"C:\Users\Admin\AppData\Local\Temp\7148.tmp"83⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\71B5.tmp"C:\Users\Admin\AppData\Local\Temp\71B5.tmp"84⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\7223.tmp"C:\Users\Admin\AppData\Local\Temp\7223.tmp"85⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\7290.tmp"C:\Users\Admin\AppData\Local\Temp\7290.tmp"86⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\72FD.tmp"C:\Users\Admin\AppData\Local\Temp\72FD.tmp"87⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\735B.tmp"C:\Users\Admin\AppData\Local\Temp\735B.tmp"88⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\73C8.tmp"C:\Users\Admin\AppData\Local\Temp\73C8.tmp"89⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\7426.tmp"C:\Users\Admin\AppData\Local\Temp\7426.tmp"90⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\7494.tmp"C:\Users\Admin\AppData\Local\Temp\7494.tmp"91⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\7501.tmp"C:\Users\Admin\AppData\Local\Temp\7501.tmp"92⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\756E.tmp"C:\Users\Admin\AppData\Local\Temp\756E.tmp"93⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\75BC.tmp"C:\Users\Admin\AppData\Local\Temp\75BC.tmp"94⤵PID:4028
-
C:\Users\Admin\AppData\Local\Temp\762A.tmp"C:\Users\Admin\AppData\Local\Temp\762A.tmp"95⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\7678.tmp"C:\Users\Admin\AppData\Local\Temp\7678.tmp"96⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\76C6.tmp"C:\Users\Admin\AppData\Local\Temp\76C6.tmp"97⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\7714.tmp"C:\Users\Admin\AppData\Local\Temp\7714.tmp"98⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\7762.tmp"C:\Users\Admin\AppData\Local\Temp\7762.tmp"99⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\77C0.tmp"C:\Users\Admin\AppData\Local\Temp\77C0.tmp"100⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\781E.tmp"C:\Users\Admin\AppData\Local\Temp\781E.tmp"101⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\787C.tmp"C:\Users\Admin\AppData\Local\Temp\787C.tmp"102⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\78E9.tmp"C:\Users\Admin\AppData\Local\Temp\78E9.tmp"103⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\7956.tmp"C:\Users\Admin\AppData\Local\Temp\7956.tmp"104⤵PID:4384
-
C:\Users\Admin\AppData\Local\Temp\79A4.tmp"C:\Users\Admin\AppData\Local\Temp\79A4.tmp"105⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\79F3.tmp"C:\Users\Admin\AppData\Local\Temp\79F3.tmp"106⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\7A41.tmp"C:\Users\Admin\AppData\Local\Temp\7A41.tmp"107⤵PID:3832
-
C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"108⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\7AFC.tmp"C:\Users\Admin\AppData\Local\Temp\7AFC.tmp"109⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\7B4A.tmp"C:\Users\Admin\AppData\Local\Temp\7B4A.tmp"110⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\7BA8.tmp"C:\Users\Admin\AppData\Local\Temp\7BA8.tmp"111⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\7C15.tmp"C:\Users\Admin\AppData\Local\Temp\7C15.tmp"112⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\7C73.tmp"C:\Users\Admin\AppData\Local\Temp\7C73.tmp"113⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"114⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\7D0F.tmp"C:\Users\Admin\AppData\Local\Temp\7D0F.tmp"115⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"116⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"117⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\7E09.tmp"C:\Users\Admin\AppData\Local\Temp\7E09.tmp"118⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\7E58.tmp"C:\Users\Admin\AppData\Local\Temp\7E58.tmp"119⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\7EA6.tmp"C:\Users\Admin\AppData\Local\Temp\7EA6.tmp"120⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\7F13.tmp"C:\Users\Admin\AppData\Local\Temp\7F13.tmp"121⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\7F80.tmp"C:\Users\Admin\AppData\Local\Temp\7F80.tmp"122⤵PID:4688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-