Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 11:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
Resource
win7-20240215-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe
-
Size
488KB
-
MD5
d3e1a9168a025fbcf6e139cca0e0b55b
-
SHA1
2fbd4bd20dde86667a58724546611f1a556fa646
-
SHA256
e0b81eee4c54b7a6acd4ceb10a12506dca4c6b38d7408182d10d3e1a5cf9b970
-
SHA512
0689031eb2a50270bf73b16f5d0c08a9f69c0acbe2a423d64dbe741b303df66ccb10810c6a199a7465c9a43cb0e74d4d84ad28ad28641489b78c29c185e44045
-
SSDEEP
12288:/U5rCOTeiDIv4BTtHTrkB6tGygfLCyiBRFNZ:/UQOJDIgtJtGygf2yiB3N
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 3544 54A8.tmp 3052 5525.tmp 2008 55A2.tmp 3116 566D.tmp 2744 56EA.tmp 1652 5776.tmp 2364 5822.tmp 2840 58CE.tmp 2620 593C.tmp 4224 59D8.tmp 2148 5A55.tmp 5080 5AF1.tmp 4036 5B6E.tmp 5104 5BEB.tmp 4988 5C78.tmp 4364 5CF5.tmp 4956 5D91.tmp 4228 5E2D.tmp 4548 5E8B.tmp 3716 5EF8.tmp 3148 5F75.tmp 3816 5FF2.tmp 1564 6060.tmp 3344 60EC.tmp 4936 613A.tmp 4848 61E6.tmp 2820 6254.tmp 640 62D1.tmp 852 635D.tmp 4296 63FA.tmp 4824 6457.tmp 4732 64D4.tmp 4568 6571.tmp 2784 65BF.tmp 3244 661C.tmp 3832 667A.tmp 1852 66D8.tmp 828 6736.tmp 1284 6793.tmp 1548 6801.tmp 4000 685F.tmp 4140 68BC.tmp 208 691A.tmp 4492 6978.tmp 2060 69E5.tmp 2892 6A43.tmp 4132 6AA1.tmp 3296 6B0E.tmp 904 6B5C.tmp 5056 6BBA.tmp 4768 6C27.tmp 4716 6C95.tmp 3248 6CE3.tmp 3456 6D41.tmp 764 6D9E.tmp 3228 6DEC.tmp 1428 6E4A.tmp 1140 6EB8.tmp 3512 6F25.tmp 2840 6F83.tmp 1688 6FD1.tmp 2960 702F.tmp 3812 707D.tmp 4840 70DA.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2884 wrote to memory of 3544 2884 2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe 82 PID 2884 wrote to memory of 3544 2884 2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe 82 PID 2884 wrote to memory of 3544 2884 2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe 82 PID 3544 wrote to memory of 3052 3544 54A8.tmp 83 PID 3544 wrote to memory of 3052 3544 54A8.tmp 83 PID 3544 wrote to memory of 3052 3544 54A8.tmp 83 PID 3052 wrote to memory of 2008 3052 5525.tmp 85 PID 3052 wrote to memory of 2008 3052 5525.tmp 85 PID 3052 wrote to memory of 2008 3052 5525.tmp 85 PID 2008 wrote to memory of 3116 2008 55A2.tmp 87 PID 2008 wrote to memory of 3116 2008 55A2.tmp 87 PID 2008 wrote to memory of 3116 2008 55A2.tmp 87 PID 3116 wrote to memory of 2744 3116 566D.tmp 88 PID 3116 wrote to memory of 2744 3116 566D.tmp 88 PID 3116 wrote to memory of 2744 3116 566D.tmp 88 PID 2744 wrote to memory of 1652 2744 56EA.tmp 90 PID 2744 wrote to memory of 1652 2744 56EA.tmp 90 PID 2744 wrote to memory of 1652 2744 56EA.tmp 90 PID 1652 wrote to memory of 2364 1652 5776.tmp 91 PID 1652 wrote to memory of 2364 1652 5776.tmp 91 PID 1652 wrote to memory of 2364 1652 5776.tmp 91 PID 2364 wrote to memory of 2840 2364 5822.tmp 92 PID 2364 wrote to memory of 2840 2364 5822.tmp 92 PID 2364 wrote to memory of 2840 2364 5822.tmp 92 PID 2840 wrote to memory of 2620 2840 58CE.tmp 93 PID 2840 wrote to memory of 2620 2840 58CE.tmp 93 PID 2840 wrote to memory of 2620 2840 58CE.tmp 93 PID 2620 wrote to memory of 4224 2620 593C.tmp 94 PID 2620 wrote to memory of 4224 2620 593C.tmp 94 PID 2620 wrote to memory of 4224 2620 593C.tmp 94 PID 4224 wrote to memory of 2148 4224 59D8.tmp 95 PID 4224 wrote to memory of 2148 4224 59D8.tmp 95 PID 4224 wrote to memory of 2148 4224 59D8.tmp 95 PID 2148 wrote to memory of 5080 2148 5A55.tmp 96 PID 2148 wrote to memory of 5080 2148 5A55.tmp 96 PID 2148 wrote to memory of 5080 2148 5A55.tmp 96 PID 5080 wrote to memory of 4036 5080 5AF1.tmp 97 PID 5080 wrote to memory of 4036 5080 5AF1.tmp 97 PID 5080 wrote to memory of 4036 5080 5AF1.tmp 97 PID 4036 wrote to memory of 5104 4036 5B6E.tmp 98 PID 4036 wrote to memory of 5104 4036 5B6E.tmp 98 PID 4036 wrote to memory of 5104 4036 5B6E.tmp 98 PID 5104 wrote to memory of 4988 5104 5BEB.tmp 99 PID 5104 wrote to memory of 4988 5104 5BEB.tmp 99 PID 5104 wrote to memory of 4988 5104 5BEB.tmp 99 PID 4988 wrote to memory of 4364 4988 5C78.tmp 100 PID 4988 wrote to memory of 4364 4988 5C78.tmp 100 PID 4988 wrote to memory of 4364 4988 5C78.tmp 100 PID 4364 wrote to memory of 4956 4364 5CF5.tmp 101 PID 4364 wrote to memory of 4956 4364 5CF5.tmp 101 PID 4364 wrote to memory of 4956 4364 5CF5.tmp 101 PID 4956 wrote to memory of 4228 4956 5D91.tmp 102 PID 4956 wrote to memory of 4228 4956 5D91.tmp 102 PID 4956 wrote to memory of 4228 4956 5D91.tmp 102 PID 4228 wrote to memory of 4548 4228 5E2D.tmp 103 PID 4228 wrote to memory of 4548 4228 5E2D.tmp 103 PID 4228 wrote to memory of 4548 4228 5E2D.tmp 103 PID 4548 wrote to memory of 3716 4548 5E8B.tmp 104 PID 4548 wrote to memory of 3716 4548 5E8B.tmp 104 PID 4548 wrote to memory of 3716 4548 5E8B.tmp 104 PID 3716 wrote to memory of 3148 3716 5EF8.tmp 105 PID 3716 wrote to memory of 3148 3716 5EF8.tmp 105 PID 3716 wrote to memory of 3148 3716 5EF8.tmp 105 PID 3148 wrote to memory of 3816 3148 5F75.tmp 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-03_d3e1a9168a025fbcf6e139cca0e0b55b_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\54A8.tmp"C:\Users\Admin\AppData\Local\Temp\54A8.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\5525.tmp"C:\Users\Admin\AppData\Local\Temp\5525.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\55A2.tmp"C:\Users\Admin\AppData\Local\Temp\55A2.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\566D.tmp"C:\Users\Admin\AppData\Local\Temp\566D.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Users\Admin\AppData\Local\Temp\56EA.tmp"C:\Users\Admin\AppData\Local\Temp\56EA.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\5776.tmp"C:\Users\Admin\AppData\Local\Temp\5776.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\5822.tmp"C:\Users\Admin\AppData\Local\Temp\5822.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\58CE.tmp"C:\Users\Admin\AppData\Local\Temp\58CE.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\593C.tmp"C:\Users\Admin\AppData\Local\Temp\593C.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\59D8.tmp"C:\Users\Admin\AppData\Local\Temp\59D8.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\5A55.tmp"C:\Users\Admin\AppData\Local\Temp\5A55.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\5AF1.tmp"C:\Users\Admin\AppData\Local\Temp\5AF1.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\5C78.tmp"C:\Users\Admin\AppData\Local\Temp\5C78.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\5CF5.tmp"C:\Users\Admin\AppData\Local\Temp\5CF5.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\5D91.tmp"C:\Users\Admin\AppData\Local\Temp\5D91.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Users\Admin\AppData\Local\Temp\5E2D.tmp"C:\Users\Admin\AppData\Local\Temp\5E2D.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\5F75.tmp"C:\Users\Admin\AppData\Local\Temp\5F75.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"23⤵
- Executes dropped EXE
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\6060.tmp"C:\Users\Admin\AppData\Local\Temp\6060.tmp"24⤵
- Executes dropped EXE
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\60EC.tmp"C:\Users\Admin\AppData\Local\Temp\60EC.tmp"25⤵
- Executes dropped EXE
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\613A.tmp"C:\Users\Admin\AppData\Local\Temp\613A.tmp"26⤵
- Executes dropped EXE
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\61E6.tmp"C:\Users\Admin\AppData\Local\Temp\61E6.tmp"27⤵
- Executes dropped EXE
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\6254.tmp"C:\Users\Admin\AppData\Local\Temp\6254.tmp"28⤵
- Executes dropped EXE
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\62D1.tmp"C:\Users\Admin\AppData\Local\Temp\62D1.tmp"29⤵
- Executes dropped EXE
PID:640 -
C:\Users\Admin\AppData\Local\Temp\635D.tmp"C:\Users\Admin\AppData\Local\Temp\635D.tmp"30⤵
- Executes dropped EXE
PID:852 -
C:\Users\Admin\AppData\Local\Temp\63FA.tmp"C:\Users\Admin\AppData\Local\Temp\63FA.tmp"31⤵
- Executes dropped EXE
PID:4296 -
C:\Users\Admin\AppData\Local\Temp\6457.tmp"C:\Users\Admin\AppData\Local\Temp\6457.tmp"32⤵
- Executes dropped EXE
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\64D4.tmp"C:\Users\Admin\AppData\Local\Temp\64D4.tmp"33⤵
- Executes dropped EXE
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\6571.tmp"C:\Users\Admin\AppData\Local\Temp\6571.tmp"34⤵
- Executes dropped EXE
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\65BF.tmp"C:\Users\Admin\AppData\Local\Temp\65BF.tmp"35⤵
- Executes dropped EXE
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\661C.tmp"C:\Users\Admin\AppData\Local\Temp\661C.tmp"36⤵
- Executes dropped EXE
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\667A.tmp"C:\Users\Admin\AppData\Local\Temp\667A.tmp"37⤵
- Executes dropped EXE
PID:3832 -
C:\Users\Admin\AppData\Local\Temp\66D8.tmp"C:\Users\Admin\AppData\Local\Temp\66D8.tmp"38⤵
- Executes dropped EXE
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\6736.tmp"C:\Users\Admin\AppData\Local\Temp\6736.tmp"39⤵
- Executes dropped EXE
PID:828 -
C:\Users\Admin\AppData\Local\Temp\6793.tmp"C:\Users\Admin\AppData\Local\Temp\6793.tmp"40⤵
- Executes dropped EXE
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\6801.tmp"C:\Users\Admin\AppData\Local\Temp\6801.tmp"41⤵
- Executes dropped EXE
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\685F.tmp"C:\Users\Admin\AppData\Local\Temp\685F.tmp"42⤵
- Executes dropped EXE
PID:4000 -
C:\Users\Admin\AppData\Local\Temp\68BC.tmp"C:\Users\Admin\AppData\Local\Temp\68BC.tmp"43⤵
- Executes dropped EXE
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\691A.tmp"C:\Users\Admin\AppData\Local\Temp\691A.tmp"44⤵
- Executes dropped EXE
PID:208 -
C:\Users\Admin\AppData\Local\Temp\6978.tmp"C:\Users\Admin\AppData\Local\Temp\6978.tmp"45⤵
- Executes dropped EXE
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\69E5.tmp"C:\Users\Admin\AppData\Local\Temp\69E5.tmp"46⤵
- Executes dropped EXE
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\6A43.tmp"C:\Users\Admin\AppData\Local\Temp\6A43.tmp"47⤵
- Executes dropped EXE
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp"C:\Users\Admin\AppData\Local\Temp\6AA1.tmp"48⤵
- Executes dropped EXE
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\6B0E.tmp"C:\Users\Admin\AppData\Local\Temp\6B0E.tmp"49⤵
- Executes dropped EXE
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"50⤵
- Executes dropped EXE
PID:904 -
C:\Users\Admin\AppData\Local\Temp\6BBA.tmp"C:\Users\Admin\AppData\Local\Temp\6BBA.tmp"51⤵
- Executes dropped EXE
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\6C27.tmp"C:\Users\Admin\AppData\Local\Temp\6C27.tmp"52⤵
- Executes dropped EXE
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\6C95.tmp"C:\Users\Admin\AppData\Local\Temp\6C95.tmp"53⤵
- Executes dropped EXE
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"54⤵
- Executes dropped EXE
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\6D41.tmp"C:\Users\Admin\AppData\Local\Temp\6D41.tmp"55⤵
- Executes dropped EXE
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\6D9E.tmp"C:\Users\Admin\AppData\Local\Temp\6D9E.tmp"56⤵
- Executes dropped EXE
PID:764 -
C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"57⤵
- Executes dropped EXE
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"58⤵
- Executes dropped EXE
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\6EB8.tmp"C:\Users\Admin\AppData\Local\Temp\6EB8.tmp"59⤵
- Executes dropped EXE
PID:1140 -
C:\Users\Admin\AppData\Local\Temp\6F25.tmp"C:\Users\Admin\AppData\Local\Temp\6F25.tmp"60⤵
- Executes dropped EXE
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\6F83.tmp"C:\Users\Admin\AppData\Local\Temp\6F83.tmp"61⤵
- Executes dropped EXE
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"62⤵
- Executes dropped EXE
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\702F.tmp"C:\Users\Admin\AppData\Local\Temp\702F.tmp"63⤵
- Executes dropped EXE
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\707D.tmp"C:\Users\Admin\AppData\Local\Temp\707D.tmp"64⤵
- Executes dropped EXE
PID:3812 -
C:\Users\Admin\AppData\Local\Temp\70DA.tmp"C:\Users\Admin\AppData\Local\Temp\70DA.tmp"65⤵
- Executes dropped EXE
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\7138.tmp"C:\Users\Admin\AppData\Local\Temp\7138.tmp"66⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\71A6.tmp"C:\Users\Admin\AppData\Local\Temp\71A6.tmp"67⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\7213.tmp"C:\Users\Admin\AppData\Local\Temp\7213.tmp"68⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\7280.tmp"C:\Users\Admin\AppData\Local\Temp\7280.tmp"69⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\72DE.tmp"C:\Users\Admin\AppData\Local\Temp\72DE.tmp"70⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\733C.tmp"C:\Users\Admin\AppData\Local\Temp\733C.tmp"71⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\739A.tmp"C:\Users\Admin\AppData\Local\Temp\739A.tmp"72⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\73F7.tmp"C:\Users\Admin\AppData\Local\Temp\73F7.tmp"73⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\7455.tmp"C:\Users\Admin\AppData\Local\Temp\7455.tmp"74⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\74B3.tmp"C:\Users\Admin\AppData\Local\Temp\74B3.tmp"75⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\7501.tmp"C:\Users\Admin\AppData\Local\Temp\7501.tmp"76⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\755F.tmp"C:\Users\Admin\AppData\Local\Temp\755F.tmp"77⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\75BC.tmp"C:\Users\Admin\AppData\Local\Temp\75BC.tmp"78⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\762A.tmp"C:\Users\Admin\AppData\Local\Temp\762A.tmp"79⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\7688.tmp"C:\Users\Admin\AppData\Local\Temp\7688.tmp"80⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\76E5.tmp"C:\Users\Admin\AppData\Local\Temp\76E5.tmp"81⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\7743.tmp"C:\Users\Admin\AppData\Local\Temp\7743.tmp"82⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\77B0.tmp"C:\Users\Admin\AppData\Local\Temp\77B0.tmp"83⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\781E.tmp"C:\Users\Admin\AppData\Local\Temp\781E.tmp"84⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\787C.tmp"C:\Users\Admin\AppData\Local\Temp\787C.tmp"85⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\78D9.tmp"C:\Users\Admin\AppData\Local\Temp\78D9.tmp"86⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\7937.tmp"C:\Users\Admin\AppData\Local\Temp\7937.tmp"87⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\79A4.tmp"C:\Users\Admin\AppData\Local\Temp\79A4.tmp"88⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\7A02.tmp"C:\Users\Admin\AppData\Local\Temp\7A02.tmp"89⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\7A70.tmp"C:\Users\Admin\AppData\Local\Temp\7A70.tmp"90⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\7ACD.tmp"C:\Users\Admin\AppData\Local\Temp\7ACD.tmp"91⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\7B2B.tmp"C:\Users\Admin\AppData\Local\Temp\7B2B.tmp"92⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\7B89.tmp"C:\Users\Admin\AppData\Local\Temp\7B89.tmp"93⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\7BE7.tmp"C:\Users\Admin\AppData\Local\Temp\7BE7.tmp"94⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\7C35.tmp"C:\Users\Admin\AppData\Local\Temp\7C35.tmp"95⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\7C83.tmp"C:\Users\Admin\AppData\Local\Temp\7C83.tmp"96⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"97⤵PID:4140
-
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"98⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"99⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\7DCB.tmp"C:\Users\Admin\AppData\Local\Temp\7DCB.tmp"100⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\7E19.tmp"C:\Users\Admin\AppData\Local\Temp\7E19.tmp"101⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\7E77.tmp"C:\Users\Admin\AppData\Local\Temp\7E77.tmp"102⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\7EE4.tmp"C:\Users\Admin\AppData\Local\Temp\7EE4.tmp"103⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\7F52.tmp"C:\Users\Admin\AppData\Local\Temp\7F52.tmp"104⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\7FA0.tmp"C:\Users\Admin\AppData\Local\Temp\7FA0.tmp"105⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"106⤵PID:3828
-
C:\Users\Admin\AppData\Local\Temp\806B.tmp"C:\Users\Admin\AppData\Local\Temp\806B.tmp"107⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\80C9.tmp"C:\Users\Admin\AppData\Local\Temp\80C9.tmp"108⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\8117.tmp"C:\Users\Admin\AppData\Local\Temp\8117.tmp"109⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\8165.tmp"C:\Users\Admin\AppData\Local\Temp\8165.tmp"110⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\81C3.tmp"C:\Users\Admin\AppData\Local\Temp\81C3.tmp"111⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\8230.tmp"C:\Users\Admin\AppData\Local\Temp\8230.tmp"112⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\828E.tmp"C:\Users\Admin\AppData\Local\Temp\828E.tmp"113⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\82EB.tmp"C:\Users\Admin\AppData\Local\Temp\82EB.tmp"114⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\8349.tmp"C:\Users\Admin\AppData\Local\Temp\8349.tmp"115⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\83B7.tmp"C:\Users\Admin\AppData\Local\Temp\83B7.tmp"116⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\8405.tmp"C:\Users\Admin\AppData\Local\Temp\8405.tmp"117⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\8462.tmp"C:\Users\Admin\AppData\Local\Temp\8462.tmp"118⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\84C0.tmp"C:\Users\Admin\AppData\Local\Temp\84C0.tmp"119⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\852E.tmp"C:\Users\Admin\AppData\Local\Temp\852E.tmp"120⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\857C.tmp"C:\Users\Admin\AppData\Local\Temp\857C.tmp"121⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\85D9.tmp"C:\Users\Admin\AppData\Local\Temp\85D9.tmp"122⤵PID:4188
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-