Analysis
-
max time kernel
150s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 19:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe
Resource
win7-20240221-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe
-
Size
520KB
-
MD5
100cc81bf7e71e892398ea04cc0961b1
-
SHA1
5f078c4b9f16cfdcdd639480c6ed74143c192b3f
-
SHA256
f91ba608bf8d486c2649e84c006677fb3e8f2b438b56d6e774b0f1599e0f79cd
-
SHA512
f88feb931f1f6060dc1b0448a5417f8cbd9301f7b72d35f666181bba1631faf00188b72276388bdaece43a43cb59d97dc203c1a95bb05a121aa9c4db4628fdf3
-
SSDEEP
12288:gj8fuxR21t5i8fOnkfv37qPAPhpl8fDrLNZ:gj8fuK1GYOyv3GPIeDHN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 3864 52C3.tmp 3488 5360.tmp 1472 53DD.tmp 2456 545A.tmp 2052 54D7.tmp 2444 5554.tmp 2776 55C1.tmp 32 564E.tmp 4632 56BB.tmp 4652 5728.tmp 1792 5796.tmp 3096 57E4.tmp 3064 5861.tmp 704 58CE.tmp 3476 592C.tmp 3536 597A.tmp 2828 59C8.tmp 1192 5A36.tmp 2012 5A84.tmp 2032 5B01.tmp 2940 5B7E.tmp 436 5BDB.tmp 1560 5C49.tmp 1132 5CC6.tmp 724 5D24.tmp 1772 5D72.tmp 3068 5DCF.tmp 1616 5E1E.tmp 3392 5E7B.tmp 2056 5EC9.tmp 4560 5F37.tmp 1456 5FB4.tmp 4436 6021.tmp 1316 606F.tmp 3040 60BD.tmp 3156 611B.tmp 2624 6179.tmp 4308 61C7.tmp 652 6215.tmp 2360 6263.tmp 744 62C1.tmp 2636 631F.tmp 4972 637D.tmp 2076 63DA.tmp 4656 6438.tmp 972 6496.tmp 4644 64F4.tmp 4844 6542.tmp 1220 6590.tmp 4012 65DE.tmp 4788 663C.tmp 1784 668A.tmp 4376 66D8.tmp 4440 6726.tmp 3820 6774.tmp 4132 67C2.tmp 2596 6810.tmp 3616 685F.tmp 4228 68AD.tmp 3468 68FB.tmp 4848 6949.tmp 4672 6997.tmp 3444 69E5.tmp 4232 6A33.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 3864 1704 2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe 82 PID 1704 wrote to memory of 3864 1704 2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe 82 PID 1704 wrote to memory of 3864 1704 2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe 82 PID 3864 wrote to memory of 3488 3864 52C3.tmp 83 PID 3864 wrote to memory of 3488 3864 52C3.tmp 83 PID 3864 wrote to memory of 3488 3864 52C3.tmp 83 PID 3488 wrote to memory of 1472 3488 5360.tmp 84 PID 3488 wrote to memory of 1472 3488 5360.tmp 84 PID 3488 wrote to memory of 1472 3488 5360.tmp 84 PID 1472 wrote to memory of 2456 1472 53DD.tmp 85 PID 1472 wrote to memory of 2456 1472 53DD.tmp 85 PID 1472 wrote to memory of 2456 1472 53DD.tmp 85 PID 2456 wrote to memory of 2052 2456 545A.tmp 86 PID 2456 wrote to memory of 2052 2456 545A.tmp 86 PID 2456 wrote to memory of 2052 2456 545A.tmp 86 PID 2052 wrote to memory of 2444 2052 54D7.tmp 87 PID 2052 wrote to memory of 2444 2052 54D7.tmp 87 PID 2052 wrote to memory of 2444 2052 54D7.tmp 87 PID 2444 wrote to memory of 2776 2444 5554.tmp 88 PID 2444 wrote to memory of 2776 2444 5554.tmp 88 PID 2444 wrote to memory of 2776 2444 5554.tmp 88 PID 2776 wrote to memory of 32 2776 55C1.tmp 89 PID 2776 wrote to memory of 32 2776 55C1.tmp 89 PID 2776 wrote to memory of 32 2776 55C1.tmp 89 PID 32 wrote to memory of 4632 32 564E.tmp 90 PID 32 wrote to memory of 4632 32 564E.tmp 90 PID 32 wrote to memory of 4632 32 564E.tmp 90 PID 4632 wrote to memory of 4652 4632 56BB.tmp 91 PID 4632 wrote to memory of 4652 4632 56BB.tmp 91 PID 4632 wrote to memory of 4652 4632 56BB.tmp 91 PID 4652 wrote to memory of 1792 4652 5728.tmp 92 PID 4652 wrote to memory of 1792 4652 5728.tmp 92 PID 4652 wrote to memory of 1792 4652 5728.tmp 92 PID 1792 wrote to memory of 3096 1792 5796.tmp 93 PID 1792 wrote to memory of 3096 1792 5796.tmp 93 PID 1792 wrote to memory of 3096 1792 5796.tmp 93 PID 3096 wrote to memory of 3064 3096 57E4.tmp 94 PID 3096 wrote to memory of 3064 3096 57E4.tmp 94 PID 3096 wrote to memory of 3064 3096 57E4.tmp 94 PID 3064 wrote to memory of 704 3064 5861.tmp 95 PID 3064 wrote to memory of 704 3064 5861.tmp 95 PID 3064 wrote to memory of 704 3064 5861.tmp 95 PID 704 wrote to memory of 3476 704 58CE.tmp 96 PID 704 wrote to memory of 3476 704 58CE.tmp 96 PID 704 wrote to memory of 3476 704 58CE.tmp 96 PID 3476 wrote to memory of 3536 3476 592C.tmp 97 PID 3476 wrote to memory of 3536 3476 592C.tmp 97 PID 3476 wrote to memory of 3536 3476 592C.tmp 97 PID 3536 wrote to memory of 2828 3536 597A.tmp 98 PID 3536 wrote to memory of 2828 3536 597A.tmp 98 PID 3536 wrote to memory of 2828 3536 597A.tmp 98 PID 2828 wrote to memory of 1192 2828 59C8.tmp 99 PID 2828 wrote to memory of 1192 2828 59C8.tmp 99 PID 2828 wrote to memory of 1192 2828 59C8.tmp 99 PID 1192 wrote to memory of 2012 1192 5A36.tmp 100 PID 1192 wrote to memory of 2012 1192 5A36.tmp 100 PID 1192 wrote to memory of 2012 1192 5A36.tmp 100 PID 2012 wrote to memory of 2032 2012 5A84.tmp 101 PID 2012 wrote to memory of 2032 2012 5A84.tmp 101 PID 2012 wrote to memory of 2032 2012 5A84.tmp 101 PID 2032 wrote to memory of 2940 2032 5B01.tmp 102 PID 2032 wrote to memory of 2940 2032 5B01.tmp 102 PID 2032 wrote to memory of 2940 2032 5B01.tmp 102 PID 2940 wrote to memory of 436 2940 5B7E.tmp 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-29_100cc81bf7e71e892398ea04cc0961b1_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\52C3.tmp"C:\Users\Admin\AppData\Local\Temp\52C3.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\5360.tmp"C:\Users\Admin\AppData\Local\Temp\5360.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\53DD.tmp"C:\Users\Admin\AppData\Local\Temp\53DD.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\545A.tmp"C:\Users\Admin\AppData\Local\Temp\545A.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\54D7.tmp"C:\Users\Admin\AppData\Local\Temp\54D7.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\5554.tmp"C:\Users\Admin\AppData\Local\Temp\5554.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\55C1.tmp"C:\Users\Admin\AppData\Local\Temp\55C1.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\564E.tmp"C:\Users\Admin\AppData\Local\Temp\564E.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Users\Admin\AppData\Local\Temp\56BB.tmp"C:\Users\Admin\AppData\Local\Temp\56BB.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\5728.tmp"C:\Users\Admin\AppData\Local\Temp\5728.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\5796.tmp"C:\Users\Admin\AppData\Local\Temp\5796.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\57E4.tmp"C:\Users\Admin\AppData\Local\Temp\57E4.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\5861.tmp"C:\Users\Admin\AppData\Local\Temp\5861.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\58CE.tmp"C:\Users\Admin\AppData\Local\Temp\58CE.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Users\Admin\AppData\Local\Temp\592C.tmp"C:\Users\Admin\AppData\Local\Temp\592C.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\597A.tmp"C:\Users\Admin\AppData\Local\Temp\597A.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\59C8.tmp"C:\Users\Admin\AppData\Local\Temp\59C8.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\5A36.tmp"C:\Users\Admin\AppData\Local\Temp\5A36.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\5A84.tmp"C:\Users\Admin\AppData\Local\Temp\5A84.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\5B01.tmp"C:\Users\Admin\AppData\Local\Temp\5B01.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"23⤵
- Executes dropped EXE
PID:436 -
C:\Users\Admin\AppData\Local\Temp\5C49.tmp"C:\Users\Admin\AppData\Local\Temp\5C49.tmp"24⤵
- Executes dropped EXE
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"25⤵
- Executes dropped EXE
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\5D24.tmp"C:\Users\Admin\AppData\Local\Temp\5D24.tmp"26⤵
- Executes dropped EXE
PID:724 -
C:\Users\Admin\AppData\Local\Temp\5D72.tmp"C:\Users\Admin\AppData\Local\Temp\5D72.tmp"27⤵
- Executes dropped EXE
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\5DCF.tmp"C:\Users\Admin\AppData\Local\Temp\5DCF.tmp"28⤵
- Executes dropped EXE
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\5E1E.tmp"C:\Users\Admin\AppData\Local\Temp\5E1E.tmp"29⤵
- Executes dropped EXE
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\5E7B.tmp"C:\Users\Admin\AppData\Local\Temp\5E7B.tmp"30⤵
- Executes dropped EXE
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\5EC9.tmp"C:\Users\Admin\AppData\Local\Temp\5EC9.tmp"31⤵
- Executes dropped EXE
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\5F37.tmp"C:\Users\Admin\AppData\Local\Temp\5F37.tmp"32⤵
- Executes dropped EXE
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\5FB4.tmp"C:\Users\Admin\AppData\Local\Temp\5FB4.tmp"33⤵
- Executes dropped EXE
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\6021.tmp"C:\Users\Admin\AppData\Local\Temp\6021.tmp"34⤵
- Executes dropped EXE
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\606F.tmp"C:\Users\Admin\AppData\Local\Temp\606F.tmp"35⤵
- Executes dropped EXE
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\60BD.tmp"C:\Users\Admin\AppData\Local\Temp\60BD.tmp"36⤵
- Executes dropped EXE
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\611B.tmp"C:\Users\Admin\AppData\Local\Temp\611B.tmp"37⤵
- Executes dropped EXE
PID:3156 -
C:\Users\Admin\AppData\Local\Temp\6179.tmp"C:\Users\Admin\AppData\Local\Temp\6179.tmp"38⤵
- Executes dropped EXE
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\61C7.tmp"C:\Users\Admin\AppData\Local\Temp\61C7.tmp"39⤵
- Executes dropped EXE
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\6215.tmp"C:\Users\Admin\AppData\Local\Temp\6215.tmp"40⤵
- Executes dropped EXE
PID:652 -
C:\Users\Admin\AppData\Local\Temp\6263.tmp"C:\Users\Admin\AppData\Local\Temp\6263.tmp"41⤵
- Executes dropped EXE
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\62C1.tmp"C:\Users\Admin\AppData\Local\Temp\62C1.tmp"42⤵
- Executes dropped EXE
PID:744 -
C:\Users\Admin\AppData\Local\Temp\631F.tmp"C:\Users\Admin\AppData\Local\Temp\631F.tmp"43⤵
- Executes dropped EXE
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\637D.tmp"C:\Users\Admin\AppData\Local\Temp\637D.tmp"44⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\63DA.tmp"C:\Users\Admin\AppData\Local\Temp\63DA.tmp"45⤵
- Executes dropped EXE
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\6438.tmp"C:\Users\Admin\AppData\Local\Temp\6438.tmp"46⤵
- Executes dropped EXE
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\6496.tmp"C:\Users\Admin\AppData\Local\Temp\6496.tmp"47⤵
- Executes dropped EXE
PID:972 -
C:\Users\Admin\AppData\Local\Temp\64F4.tmp"C:\Users\Admin\AppData\Local\Temp\64F4.tmp"48⤵
- Executes dropped EXE
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\6542.tmp"C:\Users\Admin\AppData\Local\Temp\6542.tmp"49⤵
- Executes dropped EXE
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\6590.tmp"C:\Users\Admin\AppData\Local\Temp\6590.tmp"50⤵
- Executes dropped EXE
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\65DE.tmp"C:\Users\Admin\AppData\Local\Temp\65DE.tmp"51⤵
- Executes dropped EXE
PID:4012 -
C:\Users\Admin\AppData\Local\Temp\663C.tmp"C:\Users\Admin\AppData\Local\Temp\663C.tmp"52⤵
- Executes dropped EXE
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\668A.tmp"C:\Users\Admin\AppData\Local\Temp\668A.tmp"53⤵
- Executes dropped EXE
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\66D8.tmp"C:\Users\Admin\AppData\Local\Temp\66D8.tmp"54⤵
- Executes dropped EXE
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\6726.tmp"C:\Users\Admin\AppData\Local\Temp\6726.tmp"55⤵
- Executes dropped EXE
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\6774.tmp"C:\Users\Admin\AppData\Local\Temp\6774.tmp"56⤵
- Executes dropped EXE
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\67C2.tmp"C:\Users\Admin\AppData\Local\Temp\67C2.tmp"57⤵
- Executes dropped EXE
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\6810.tmp"C:\Users\Admin\AppData\Local\Temp\6810.tmp"58⤵
- Executes dropped EXE
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\685F.tmp"C:\Users\Admin\AppData\Local\Temp\685F.tmp"59⤵
- Executes dropped EXE
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\68AD.tmp"C:\Users\Admin\AppData\Local\Temp\68AD.tmp"60⤵
- Executes dropped EXE
PID:4228 -
C:\Users\Admin\AppData\Local\Temp\68FB.tmp"C:\Users\Admin\AppData\Local\Temp\68FB.tmp"61⤵
- Executes dropped EXE
PID:3468 -
C:\Users\Admin\AppData\Local\Temp\6949.tmp"C:\Users\Admin\AppData\Local\Temp\6949.tmp"62⤵
- Executes dropped EXE
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\6997.tmp"C:\Users\Admin\AppData\Local\Temp\6997.tmp"63⤵
- Executes dropped EXE
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\69E5.tmp"C:\Users\Admin\AppData\Local\Temp\69E5.tmp"64⤵
- Executes dropped EXE
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\6A33.tmp"C:\Users\Admin\AppData\Local\Temp\6A33.tmp"65⤵
- Executes dropped EXE
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\6A91.tmp"C:\Users\Admin\AppData\Local\Temp\6A91.tmp"66⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"67⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"68⤵PID:32
-
C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"69⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp"C:\Users\Admin\AppData\Local\Temp\6BE9.tmp"70⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\6C37.tmp"C:\Users\Admin\AppData\Local\Temp\6C37.tmp"71⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\6C85.tmp"C:\Users\Admin\AppData\Local\Temp\6C85.tmp"72⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"73⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\6D21.tmp"C:\Users\Admin\AppData\Local\Temp\6D21.tmp"74⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"75⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"76⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\6E1B.tmp"C:\Users\Admin\AppData\Local\Temp\6E1B.tmp"77⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\6E79.tmp"C:\Users\Admin\AppData\Local\Temp\6E79.tmp"78⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\6ED7.tmp"C:\Users\Admin\AppData\Local\Temp\6ED7.tmp"79⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\6F35.tmp"C:\Users\Admin\AppData\Local\Temp\6F35.tmp"80⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\6F83.tmp"C:\Users\Admin\AppData\Local\Temp\6F83.tmp"81⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"82⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\702F.tmp"C:\Users\Admin\AppData\Local\Temp\702F.tmp"83⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\708C.tmp"C:\Users\Admin\AppData\Local\Temp\708C.tmp"84⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\70EA.tmp"C:\Users\Admin\AppData\Local\Temp\70EA.tmp"85⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\7138.tmp"C:\Users\Admin\AppData\Local\Temp\7138.tmp"86⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\7196.tmp"C:\Users\Admin\AppData\Local\Temp\7196.tmp"87⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\71F4.tmp"C:\Users\Admin\AppData\Local\Temp\71F4.tmp"88⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\7251.tmp"C:\Users\Admin\AppData\Local\Temp\7251.tmp"89⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\72A0.tmp"C:\Users\Admin\AppData\Local\Temp\72A0.tmp"90⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\72FD.tmp"C:\Users\Admin\AppData\Local\Temp\72FD.tmp"91⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\734B.tmp"C:\Users\Admin\AppData\Local\Temp\734B.tmp"92⤵PID:3924
-
C:\Users\Admin\AppData\Local\Temp\73A9.tmp"C:\Users\Admin\AppData\Local\Temp\73A9.tmp"93⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\7407.tmp"C:\Users\Admin\AppData\Local\Temp\7407.tmp"94⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\7465.tmp"C:\Users\Admin\AppData\Local\Temp\7465.tmp"95⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\74C2.tmp"C:\Users\Admin\AppData\Local\Temp\74C2.tmp"96⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\7520.tmp"C:\Users\Admin\AppData\Local\Temp\7520.tmp"97⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\757E.tmp"C:\Users\Admin\AppData\Local\Temp\757E.tmp"98⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\75DC.tmp"C:\Users\Admin\AppData\Local\Temp\75DC.tmp"99⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\762A.tmp"C:\Users\Admin\AppData\Local\Temp\762A.tmp"100⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\7688.tmp"C:\Users\Admin\AppData\Local\Temp\7688.tmp"101⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\76D6.tmp"C:\Users\Admin\AppData\Local\Temp\76D6.tmp"102⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\7733.tmp"C:\Users\Admin\AppData\Local\Temp\7733.tmp"103⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\7791.tmp"C:\Users\Admin\AppData\Local\Temp\7791.tmp"104⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\77EF.tmp"C:\Users\Admin\AppData\Local\Temp\77EF.tmp"105⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\784D.tmp"C:\Users\Admin\AppData\Local\Temp\784D.tmp"106⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\78AA.tmp"C:\Users\Admin\AppData\Local\Temp\78AA.tmp"107⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\7908.tmp"C:\Users\Admin\AppData\Local\Temp\7908.tmp"108⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\7956.tmp"C:\Users\Admin\AppData\Local\Temp\7956.tmp"109⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\79B4.tmp"C:\Users\Admin\AppData\Local\Temp\79B4.tmp"110⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\7A12.tmp"C:\Users\Admin\AppData\Local\Temp\7A12.tmp"111⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\7A60.tmp"C:\Users\Admin\AppData\Local\Temp\7A60.tmp"112⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"113⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"114⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\7B79.tmp"C:\Users\Admin\AppData\Local\Temp\7B79.tmp"115⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"C:\Users\Admin\AppData\Local\Temp\7BC7.tmp"116⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\7C15.tmp"C:\Users\Admin\AppData\Local\Temp\7C15.tmp"117⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\7C64.tmp"C:\Users\Admin\AppData\Local\Temp\7C64.tmp"118⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"119⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"120⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\7D7D.tmp"C:\Users\Admin\AppData\Local\Temp\7D7D.tmp"121⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\7DDB.tmp"C:\Users\Admin\AppData\Local\Temp\7DDB.tmp"122⤵PID:2456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-