Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/06/2024, 20:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe
Resource
win7-20240508-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe
-
Size
520KB
-
MD5
5f119ebca2bd45462586d1f23ebc96e7
-
SHA1
13fb25ba9b4c45183f4b47f5a30d1b37b5bb87e6
-
SHA256
888bfca6697bdc4f737184570da45068759915e40c3533695167d8058a161f5b
-
SHA512
6bb64475cff4b0f026ecd745776276ca40b8f809d29eed7c87832631e5ddc043898cc10de024e43d160f1ac2dfa08f81b53c3cc77cfadf3db71a94986155a2de
-
SSDEEP
12288:gj8fuxR21t5i8f+SgQpgh2tlh/WsshiNZ:gj8fuK1GY+NyghG5shiN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2484 55B1.tmp 2436 560F.tmp 3140 568C.tmp 1868 5719.tmp 3064 5776.tmp 4052 5803.tmp 3568 5851.tmp 4584 58AF.tmp 2220 593C.tmp 1448 59A9.tmp 4724 5A16.tmp 1480 5A93.tmp 964 5B10.tmp 4352 5B9D.tmp 3540 5BFB.tmp 904 5C58.tmp 5020 5CC6.tmp 1800 5D43.tmp 1008 5DC0.tmp 1952 5E0E.tmp 2160 5E8B.tmp 3528 5F18.tmp 3576 5F95.tmp 2272 6012.tmp 2000 608F.tmp 4564 60DD.tmp 2404 6169.tmp 1056 61D7.tmp 4468 6225.tmp 672 6283.tmp 1044 6300.tmp 2312 635D.tmp 2340 63BB.tmp 1776 6409.tmp 3172 6477.tmp 1424 64D4.tmp 1996 6532.tmp 2436 6590.tmp 3352 65DE.tmp 4112 663C.tmp 4152 668A.tmp 4196 66E8.tmp 3272 6736.tmp 3064 6793.tmp 388 67F1.tmp 2828 684F.tmp 3820 68AD.tmp 2188 690A.tmp 2168 6959.tmp 4584 69A7.tmp 4640 69F5.tmp 1548 6A53.tmp 1780 6AA1.tmp 4724 6AFE.tmp 872 6B5C.tmp 1480 6BAA.tmp 3096 6C08.tmp 1912 6C66.tmp 4108 6CC4.tmp 2268 6D21.tmp 1040 6D6F.tmp 5004 6DCD.tmp 1624 6E2B.tmp 2300 6E79.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1324 wrote to memory of 2484 1324 2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe 83 PID 1324 wrote to memory of 2484 1324 2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe 83 PID 1324 wrote to memory of 2484 1324 2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe 83 PID 2484 wrote to memory of 2436 2484 55B1.tmp 84 PID 2484 wrote to memory of 2436 2484 55B1.tmp 84 PID 2484 wrote to memory of 2436 2484 55B1.tmp 84 PID 2436 wrote to memory of 3140 2436 560F.tmp 85 PID 2436 wrote to memory of 3140 2436 560F.tmp 85 PID 2436 wrote to memory of 3140 2436 560F.tmp 85 PID 3140 wrote to memory of 1868 3140 568C.tmp 86 PID 3140 wrote to memory of 1868 3140 568C.tmp 86 PID 3140 wrote to memory of 1868 3140 568C.tmp 86 PID 1868 wrote to memory of 3064 1868 5719.tmp 88 PID 1868 wrote to memory of 3064 1868 5719.tmp 88 PID 1868 wrote to memory of 3064 1868 5719.tmp 88 PID 3064 wrote to memory of 4052 3064 5776.tmp 90 PID 3064 wrote to memory of 4052 3064 5776.tmp 90 PID 3064 wrote to memory of 4052 3064 5776.tmp 90 PID 4052 wrote to memory of 3568 4052 5803.tmp 91 PID 4052 wrote to memory of 3568 4052 5803.tmp 91 PID 4052 wrote to memory of 3568 4052 5803.tmp 91 PID 3568 wrote to memory of 4584 3568 5851.tmp 93 PID 3568 wrote to memory of 4584 3568 5851.tmp 93 PID 3568 wrote to memory of 4584 3568 5851.tmp 93 PID 4584 wrote to memory of 2220 4584 58AF.tmp 94 PID 4584 wrote to memory of 2220 4584 58AF.tmp 94 PID 4584 wrote to memory of 2220 4584 58AF.tmp 94 PID 2220 wrote to memory of 1448 2220 593C.tmp 95 PID 2220 wrote to memory of 1448 2220 593C.tmp 95 PID 2220 wrote to memory of 1448 2220 593C.tmp 95 PID 1448 wrote to memory of 4724 1448 59A9.tmp 96 PID 1448 wrote to memory of 4724 1448 59A9.tmp 96 PID 1448 wrote to memory of 4724 1448 59A9.tmp 96 PID 4724 wrote to memory of 1480 4724 5A16.tmp 97 PID 4724 wrote to memory of 1480 4724 5A16.tmp 97 PID 4724 wrote to memory of 1480 4724 5A16.tmp 97 PID 1480 wrote to memory of 964 1480 5A93.tmp 98 PID 1480 wrote to memory of 964 1480 5A93.tmp 98 PID 1480 wrote to memory of 964 1480 5A93.tmp 98 PID 964 wrote to memory of 4352 964 5B10.tmp 99 PID 964 wrote to memory of 4352 964 5B10.tmp 99 PID 964 wrote to memory of 4352 964 5B10.tmp 99 PID 4352 wrote to memory of 3540 4352 5B9D.tmp 100 PID 4352 wrote to memory of 3540 4352 5B9D.tmp 100 PID 4352 wrote to memory of 3540 4352 5B9D.tmp 100 PID 3540 wrote to memory of 904 3540 5BFB.tmp 101 PID 3540 wrote to memory of 904 3540 5BFB.tmp 101 PID 3540 wrote to memory of 904 3540 5BFB.tmp 101 PID 904 wrote to memory of 5020 904 5C58.tmp 102 PID 904 wrote to memory of 5020 904 5C58.tmp 102 PID 904 wrote to memory of 5020 904 5C58.tmp 102 PID 5020 wrote to memory of 1800 5020 5CC6.tmp 103 PID 5020 wrote to memory of 1800 5020 5CC6.tmp 103 PID 5020 wrote to memory of 1800 5020 5CC6.tmp 103 PID 1800 wrote to memory of 1008 1800 5D43.tmp 104 PID 1800 wrote to memory of 1008 1800 5D43.tmp 104 PID 1800 wrote to memory of 1008 1800 5D43.tmp 104 PID 1008 wrote to memory of 1952 1008 5DC0.tmp 105 PID 1008 wrote to memory of 1952 1008 5DC0.tmp 105 PID 1008 wrote to memory of 1952 1008 5DC0.tmp 105 PID 1952 wrote to memory of 2160 1952 5E0E.tmp 108 PID 1952 wrote to memory of 2160 1952 5E0E.tmp 108 PID 1952 wrote to memory of 2160 1952 5E0E.tmp 108 PID 2160 wrote to memory of 3528 2160 5E8B.tmp 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5f119ebca2bd45462586d1f23ebc96e7_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\55B1.tmp"C:\Users\Admin\AppData\Local\Temp\55B1.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\560F.tmp"C:\Users\Admin\AppData\Local\Temp\560F.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\568C.tmp"C:\Users\Admin\AppData\Local\Temp\568C.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Users\Admin\AppData\Local\Temp\5719.tmp"C:\Users\Admin\AppData\Local\Temp\5719.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\5776.tmp"C:\Users\Admin\AppData\Local\Temp\5776.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\5803.tmp"C:\Users\Admin\AppData\Local\Temp\5803.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\5851.tmp"C:\Users\Admin\AppData\Local\Temp\5851.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\58AF.tmp"C:\Users\Admin\AppData\Local\Temp\58AF.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\593C.tmp"C:\Users\Admin\AppData\Local\Temp\593C.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\59A9.tmp"C:\Users\Admin\AppData\Local\Temp\59A9.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\5A16.tmp"C:\Users\Admin\AppData\Local\Temp\5A16.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\5A93.tmp"C:\Users\Admin\AppData\Local\Temp\5A93.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\5B10.tmp"C:\Users\Admin\AppData\Local\Temp\5B10.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Users\Admin\AppData\Local\Temp\5B9D.tmp"C:\Users\Admin\AppData\Local\Temp\5B9D.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Users\Admin\AppData\Local\Temp\5BFB.tmp"C:\Users\Admin\AppData\Local\Temp\5BFB.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\5C58.tmp"C:\Users\Admin\AppData\Local\Temp\5C58.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\5D43.tmp"C:\Users\Admin\AppData\Local\Temp\5D43.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\5DC0.tmp"C:\Users\Admin\AppData\Local\Temp\5DC0.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\5F18.tmp"C:\Users\Admin\AppData\Local\Temp\5F18.tmp"23⤵
- Executes dropped EXE
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\5F95.tmp"C:\Users\Admin\AppData\Local\Temp\5F95.tmp"24⤵
- Executes dropped EXE
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\6012.tmp"C:\Users\Admin\AppData\Local\Temp\6012.tmp"25⤵
- Executes dropped EXE
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\608F.tmp"C:\Users\Admin\AppData\Local\Temp\608F.tmp"26⤵
- Executes dropped EXE
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\60DD.tmp"C:\Users\Admin\AppData\Local\Temp\60DD.tmp"27⤵
- Executes dropped EXE
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\6169.tmp"C:\Users\Admin\AppData\Local\Temp\6169.tmp"28⤵
- Executes dropped EXE
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\61D7.tmp"C:\Users\Admin\AppData\Local\Temp\61D7.tmp"29⤵
- Executes dropped EXE
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\6225.tmp"C:\Users\Admin\AppData\Local\Temp\6225.tmp"30⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\6283.tmp"C:\Users\Admin\AppData\Local\Temp\6283.tmp"31⤵
- Executes dropped EXE
PID:672 -
C:\Users\Admin\AppData\Local\Temp\6300.tmp"C:\Users\Admin\AppData\Local\Temp\6300.tmp"32⤵
- Executes dropped EXE
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\635D.tmp"C:\Users\Admin\AppData\Local\Temp\635D.tmp"33⤵
- Executes dropped EXE
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\63BB.tmp"C:\Users\Admin\AppData\Local\Temp\63BB.tmp"34⤵
- Executes dropped EXE
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\6409.tmp"C:\Users\Admin\AppData\Local\Temp\6409.tmp"35⤵
- Executes dropped EXE
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\6477.tmp"C:\Users\Admin\AppData\Local\Temp\6477.tmp"36⤵
- Executes dropped EXE
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\64D4.tmp"C:\Users\Admin\AppData\Local\Temp\64D4.tmp"37⤵
- Executes dropped EXE
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\6532.tmp"C:\Users\Admin\AppData\Local\Temp\6532.tmp"38⤵
- Executes dropped EXE
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\6590.tmp"C:\Users\Admin\AppData\Local\Temp\6590.tmp"39⤵
- Executes dropped EXE
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\65DE.tmp"C:\Users\Admin\AppData\Local\Temp\65DE.tmp"40⤵
- Executes dropped EXE
PID:3352 -
C:\Users\Admin\AppData\Local\Temp\663C.tmp"C:\Users\Admin\AppData\Local\Temp\663C.tmp"41⤵
- Executes dropped EXE
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\668A.tmp"C:\Users\Admin\AppData\Local\Temp\668A.tmp"42⤵
- Executes dropped EXE
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\66E8.tmp"C:\Users\Admin\AppData\Local\Temp\66E8.tmp"43⤵
- Executes dropped EXE
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\6736.tmp"C:\Users\Admin\AppData\Local\Temp\6736.tmp"44⤵
- Executes dropped EXE
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\6793.tmp"C:\Users\Admin\AppData\Local\Temp\6793.tmp"45⤵
- Executes dropped EXE
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\67F1.tmp"C:\Users\Admin\AppData\Local\Temp\67F1.tmp"46⤵
- Executes dropped EXE
PID:388 -
C:\Users\Admin\AppData\Local\Temp\684F.tmp"C:\Users\Admin\AppData\Local\Temp\684F.tmp"47⤵
- Executes dropped EXE
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\68AD.tmp"C:\Users\Admin\AppData\Local\Temp\68AD.tmp"48⤵
- Executes dropped EXE
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\690A.tmp"C:\Users\Admin\AppData\Local\Temp\690A.tmp"49⤵
- Executes dropped EXE
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\6959.tmp"C:\Users\Admin\AppData\Local\Temp\6959.tmp"50⤵
- Executes dropped EXE
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\69A7.tmp"C:\Users\Admin\AppData\Local\Temp\69A7.tmp"51⤵
- Executes dropped EXE
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\69F5.tmp"C:\Users\Admin\AppData\Local\Temp\69F5.tmp"52⤵
- Executes dropped EXE
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\6A53.tmp"C:\Users\Admin\AppData\Local\Temp\6A53.tmp"53⤵
- Executes dropped EXE
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp"C:\Users\Admin\AppData\Local\Temp\6AA1.tmp"54⤵
- Executes dropped EXE
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\6AFE.tmp"C:\Users\Admin\AppData\Local\Temp\6AFE.tmp"55⤵
- Executes dropped EXE
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"56⤵
- Executes dropped EXE
PID:872 -
C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"57⤵
- Executes dropped EXE
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\6C08.tmp"C:\Users\Admin\AppData\Local\Temp\6C08.tmp"58⤵
- Executes dropped EXE
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\6C66.tmp"C:\Users\Admin\AppData\Local\Temp\6C66.tmp"59⤵
- Executes dropped EXE
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\6CC4.tmp"C:\Users\Admin\AppData\Local\Temp\6CC4.tmp"60⤵
- Executes dropped EXE
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\6D21.tmp"C:\Users\Admin\AppData\Local\Temp\6D21.tmp"61⤵
- Executes dropped EXE
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\6D6F.tmp"C:\Users\Admin\AppData\Local\Temp\6D6F.tmp"62⤵
- Executes dropped EXE
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"63⤵
- Executes dropped EXE
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\6E2B.tmp"C:\Users\Admin\AppData\Local\Temp\6E2B.tmp"64⤵
- Executes dropped EXE
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\6E79.tmp"C:\Users\Admin\AppData\Local\Temp\6E79.tmp"65⤵
- Executes dropped EXE
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\6ED7.tmp"C:\Users\Admin\AppData\Local\Temp\6ED7.tmp"66⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\6F35.tmp"C:\Users\Admin\AppData\Local\Temp\6F35.tmp"67⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\6F92.tmp"C:\Users\Admin\AppData\Local\Temp\6F92.tmp"68⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\6FE0.tmp"C:\Users\Admin\AppData\Local\Temp\6FE0.tmp"69⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\703E.tmp"C:\Users\Admin\AppData\Local\Temp\703E.tmp"70⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\708C.tmp"C:\Users\Admin\AppData\Local\Temp\708C.tmp"71⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\70EA.tmp"C:\Users\Admin\AppData\Local\Temp\70EA.tmp"72⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\7148.tmp"C:\Users\Admin\AppData\Local\Temp\7148.tmp"73⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\71A6.tmp"C:\Users\Admin\AppData\Local\Temp\71A6.tmp"74⤵PID:3876
-
C:\Users\Admin\AppData\Local\Temp\71F4.tmp"C:\Users\Admin\AppData\Local\Temp\71F4.tmp"75⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\7251.tmp"C:\Users\Admin\AppData\Local\Temp\7251.tmp"76⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\72AF.tmp"C:\Users\Admin\AppData\Local\Temp\72AF.tmp"77⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\730D.tmp"C:\Users\Admin\AppData\Local\Temp\730D.tmp"78⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\735B.tmp"C:\Users\Admin\AppData\Local\Temp\735B.tmp"79⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\73B9.tmp"C:\Users\Admin\AppData\Local\Temp\73B9.tmp"80⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\7417.tmp"C:\Users\Admin\AppData\Local\Temp\7417.tmp"81⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\7474.tmp"C:\Users\Admin\AppData\Local\Temp\7474.tmp"82⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\74D2.tmp"C:\Users\Admin\AppData\Local\Temp\74D2.tmp"83⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\7530.tmp"C:\Users\Admin\AppData\Local\Temp\7530.tmp"84⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\758E.tmp"C:\Users\Admin\AppData\Local\Temp\758E.tmp"85⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\75EB.tmp"C:\Users\Admin\AppData\Local\Temp\75EB.tmp"86⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\7649.tmp"C:\Users\Admin\AppData\Local\Temp\7649.tmp"87⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\76A7.tmp"C:\Users\Admin\AppData\Local\Temp\76A7.tmp"88⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\7705.tmp"C:\Users\Admin\AppData\Local\Temp\7705.tmp"89⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\7762.tmp"C:\Users\Admin\AppData\Local\Temp\7762.tmp"90⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\77C0.tmp"C:\Users\Admin\AppData\Local\Temp\77C0.tmp"91⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\781E.tmp"C:\Users\Admin\AppData\Local\Temp\781E.tmp"92⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\788B.tmp"C:\Users\Admin\AppData\Local\Temp\788B.tmp"93⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\78E9.tmp"C:\Users\Admin\AppData\Local\Temp\78E9.tmp"94⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\7947.tmp"C:\Users\Admin\AppData\Local\Temp\7947.tmp"95⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\79A4.tmp"C:\Users\Admin\AppData\Local\Temp\79A4.tmp"96⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\7A02.tmp"C:\Users\Admin\AppData\Local\Temp\7A02.tmp"97⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\7A60.tmp"C:\Users\Admin\AppData\Local\Temp\7A60.tmp"98⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"C:\Users\Admin\AppData\Local\Temp\7AAE.tmp"99⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\7AFC.tmp"C:\Users\Admin\AppData\Local\Temp\7AFC.tmp"100⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"101⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"102⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\7C06.tmp"C:\Users\Admin\AppData\Local\Temp\7C06.tmp"103⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\7C64.tmp"C:\Users\Admin\AppData\Local\Temp\7C64.tmp"104⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"105⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"106⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"107⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\7DCB.tmp"C:\Users\Admin\AppData\Local\Temp\7DCB.tmp"108⤵PID:1804
-
C:\Users\Admin\AppData\Local\Temp\7E29.tmp"C:\Users\Admin\AppData\Local\Temp\7E29.tmp"109⤵PID:376
-
C:\Users\Admin\AppData\Local\Temp\7E77.tmp"C:\Users\Admin\AppData\Local\Temp\7E77.tmp"110⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\7EC5.tmp"C:\Users\Admin\AppData\Local\Temp\7EC5.tmp"111⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\7F23.tmp"C:\Users\Admin\AppData\Local\Temp\7F23.tmp"112⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\7F80.tmp"C:\Users\Admin\AppData\Local\Temp\7F80.tmp"113⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\7FDE.tmp"C:\Users\Admin\AppData\Local\Temp\7FDE.tmp"114⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\803C.tmp"C:\Users\Admin\AppData\Local\Temp\803C.tmp"115⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\809A.tmp"C:\Users\Admin\AppData\Local\Temp\809A.tmp"116⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\80F7.tmp"C:\Users\Admin\AppData\Local\Temp\80F7.tmp"117⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\8155.tmp"C:\Users\Admin\AppData\Local\Temp\8155.tmp"118⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\81B3.tmp"C:\Users\Admin\AppData\Local\Temp\81B3.tmp"119⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\8201.tmp"C:\Users\Admin\AppData\Local\Temp\8201.tmp"120⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\825F.tmp"C:\Users\Admin\AppData\Local\Temp\825F.tmp"121⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\82AD.tmp"C:\Users\Admin\AppData\Local\Temp\82AD.tmp"122⤵PID:3744
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-