Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2024, 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe
Resource
win7-20231129-en
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe
-
Size
520KB
-
MD5
ec90e462a665d19375fc3005f970b691
-
SHA1
f40a5089a8cd6a3e247bf7071a0b802c607c3104
-
SHA256
96b3f8e5b275aac1b16c21f239b1ce2b4a70566564a55561f90da94c2a69cc1c
-
SHA512
bd9816b319569b94fa425cb07f7065c763b577e7a47bfc8d884965000b22c71c1b70b6cb89d32600581b4d9b82cc0485f770aeec705b7886094f800380c8421f
-
SSDEEP
12288:roRXOQjmOyS0ELE9OawpNu0e099H39QTzWrTaNZ:rogQ9yoLPawTuLaHczSTaN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1104 564E.tmp 4796 56DA.tmp 2916 5728.tmp 2208 5776.tmp 1772 57E4.tmp 4132 5842.tmp 3932 5890.tmp 2288 58DE.tmp 744 593C.tmp 244 598A.tmp 2500 59E7.tmp 3036 5A45.tmp 4088 5AA3.tmp 3164 5B30.tmp 4728 5B7E.tmp 532 5BDB.tmp 1348 5C2A.tmp 1840 5C78.tmp 4568 5CC6.tmp 3180 5D33.tmp 4424 5D81.tmp 4936 5DDF.tmp 756 5E4C.tmp 3104 5E9B.tmp 3108 5F18.tmp 1560 5F66.tmp 4564 5FE3.tmp 3664 6031.tmp 2680 607F.tmp 4560 60CD.tmp 5004 611B.tmp 4880 6169.tmp 840 61B7.tmp 2892 6206.tmp 220 6254.tmp 2944 62B1.tmp 4964 6300.tmp 4504 634E.tmp 5016 639C.tmp 4068 63EA.tmp 3536 6438.tmp 3924 6486.tmp 3412 64D4.tmp 2692 6522.tmp 1988 6571.tmp 4380 65BF.tmp 2824 660D.tmp 2704 665B.tmp 1684 66A9.tmp 1352 66F7.tmp 3948 6745.tmp 4588 6793.tmp 8 67E2.tmp 3636 683F.tmp 4776 688D.tmp 1944 68DC.tmp 4368 692A.tmp 3272 6978.tmp 1104 69C6.tmp 372 6A24.tmp 208 6A72.tmp 1792 6AC0.tmp 2012 6B0E.tmp 4848 6B6C.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3272 wrote to memory of 1104 3272 2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe 143 PID 3272 wrote to memory of 1104 3272 2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe 143 PID 3272 wrote to memory of 1104 3272 2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe 143 PID 1104 wrote to memory of 4796 1104 564E.tmp 82 PID 1104 wrote to memory of 4796 1104 564E.tmp 82 PID 1104 wrote to memory of 4796 1104 564E.tmp 82 PID 4796 wrote to memory of 2916 4796 56DA.tmp 83 PID 4796 wrote to memory of 2916 4796 56DA.tmp 83 PID 4796 wrote to memory of 2916 4796 56DA.tmp 83 PID 2916 wrote to memory of 2208 2916 5728.tmp 84 PID 2916 wrote to memory of 2208 2916 5728.tmp 84 PID 2916 wrote to memory of 2208 2916 5728.tmp 84 PID 2208 wrote to memory of 1772 2208 5776.tmp 85 PID 2208 wrote to memory of 1772 2208 5776.tmp 85 PID 2208 wrote to memory of 1772 2208 5776.tmp 85 PID 1772 wrote to memory of 4132 1772 57E4.tmp 86 PID 1772 wrote to memory of 4132 1772 57E4.tmp 86 PID 1772 wrote to memory of 4132 1772 57E4.tmp 86 PID 4132 wrote to memory of 3932 4132 5842.tmp 87 PID 4132 wrote to memory of 3932 4132 5842.tmp 87 PID 4132 wrote to memory of 3932 4132 5842.tmp 87 PID 3932 wrote to memory of 2288 3932 5890.tmp 88 PID 3932 wrote to memory of 2288 3932 5890.tmp 88 PID 3932 wrote to memory of 2288 3932 5890.tmp 88 PID 2288 wrote to memory of 744 2288 58DE.tmp 89 PID 2288 wrote to memory of 744 2288 58DE.tmp 89 PID 2288 wrote to memory of 744 2288 58DE.tmp 89 PID 744 wrote to memory of 244 744 593C.tmp 90 PID 744 wrote to memory of 244 744 593C.tmp 90 PID 744 wrote to memory of 244 744 593C.tmp 90 PID 244 wrote to memory of 2500 244 598A.tmp 91 PID 244 wrote to memory of 2500 244 598A.tmp 91 PID 244 wrote to memory of 2500 244 598A.tmp 91 PID 2500 wrote to memory of 3036 2500 59E7.tmp 92 PID 2500 wrote to memory of 3036 2500 59E7.tmp 92 PID 2500 wrote to memory of 3036 2500 59E7.tmp 92 PID 3036 wrote to memory of 4088 3036 5A45.tmp 93 PID 3036 wrote to memory of 4088 3036 5A45.tmp 93 PID 3036 wrote to memory of 4088 3036 5A45.tmp 93 PID 4088 wrote to memory of 3164 4088 5AA3.tmp 94 PID 4088 wrote to memory of 3164 4088 5AA3.tmp 94 PID 4088 wrote to memory of 3164 4088 5AA3.tmp 94 PID 3164 wrote to memory of 4728 3164 5B30.tmp 95 PID 3164 wrote to memory of 4728 3164 5B30.tmp 95 PID 3164 wrote to memory of 4728 3164 5B30.tmp 95 PID 4728 wrote to memory of 532 4728 5B7E.tmp 96 PID 4728 wrote to memory of 532 4728 5B7E.tmp 96 PID 4728 wrote to memory of 532 4728 5B7E.tmp 96 PID 532 wrote to memory of 1348 532 5BDB.tmp 97 PID 532 wrote to memory of 1348 532 5BDB.tmp 97 PID 532 wrote to memory of 1348 532 5BDB.tmp 97 PID 1348 wrote to memory of 1840 1348 5C2A.tmp 98 PID 1348 wrote to memory of 1840 1348 5C2A.tmp 98 PID 1348 wrote to memory of 1840 1348 5C2A.tmp 98 PID 1840 wrote to memory of 4568 1840 5C78.tmp 99 PID 1840 wrote to memory of 4568 1840 5C78.tmp 99 PID 1840 wrote to memory of 4568 1840 5C78.tmp 99 PID 4568 wrote to memory of 3180 4568 5CC6.tmp 100 PID 4568 wrote to memory of 3180 4568 5CC6.tmp 100 PID 4568 wrote to memory of 3180 4568 5CC6.tmp 100 PID 3180 wrote to memory of 4424 3180 5D33.tmp 101 PID 3180 wrote to memory of 4424 3180 5D33.tmp 101 PID 3180 wrote to memory of 4424 3180 5D33.tmp 101 PID 4424 wrote to memory of 4936 4424 5D81.tmp 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ec90e462a665d19375fc3005f970b691_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\564E.tmp"C:\Users\Admin\AppData\Local\Temp\564E.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\56DA.tmp"C:\Users\Admin\AppData\Local\Temp\56DA.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\5728.tmp"C:\Users\Admin\AppData\Local\Temp\5728.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\5776.tmp"C:\Users\Admin\AppData\Local\Temp\5776.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\57E4.tmp"C:\Users\Admin\AppData\Local\Temp\57E4.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\5842.tmp"C:\Users\Admin\AppData\Local\Temp\5842.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\5890.tmp"C:\Users\Admin\AppData\Local\Temp\5890.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\58DE.tmp"C:\Users\Admin\AppData\Local\Temp\58DE.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\593C.tmp"C:\Users\Admin\AppData\Local\Temp\593C.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Users\Admin\AppData\Local\Temp\598A.tmp"C:\Users\Admin\AppData\Local\Temp\598A.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Users\Admin\AppData\Local\Temp\59E7.tmp"C:\Users\Admin\AppData\Local\Temp\59E7.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\5A45.tmp"C:\Users\Admin\AppData\Local\Temp\5A45.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\5AA3.tmp"C:\Users\Admin\AppData\Local\Temp\5AA3.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Users\Admin\AppData\Local\Temp\5B30.tmp"C:\Users\Admin\AppData\Local\Temp\5B30.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp"C:\Users\Admin\AppData\Local\Temp\5C2A.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Users\Admin\AppData\Local\Temp\5C78.tmp"C:\Users\Admin\AppData\Local\Temp\5C78.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\5D33.tmp"C:\Users\Admin\AppData\Local\Temp\5D33.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Users\Admin\AppData\Local\Temp\5D81.tmp"C:\Users\Admin\AppData\Local\Temp\5D81.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\5DDF.tmp"C:\Users\Admin\AppData\Local\Temp\5DDF.tmp"23⤵
- Executes dropped EXE
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"24⤵
- Executes dropped EXE
PID:756 -
C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"25⤵
- Executes dropped EXE
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\5F18.tmp"C:\Users\Admin\AppData\Local\Temp\5F18.tmp"26⤵
- Executes dropped EXE
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\5F66.tmp"C:\Users\Admin\AppData\Local\Temp\5F66.tmp"27⤵
- Executes dropped EXE
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\5FE3.tmp"C:\Users\Admin\AppData\Local\Temp\5FE3.tmp"28⤵
- Executes dropped EXE
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\6031.tmp"C:\Users\Admin\AppData\Local\Temp\6031.tmp"29⤵
- Executes dropped EXE
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\607F.tmp"C:\Users\Admin\AppData\Local\Temp\607F.tmp"30⤵
- Executes dropped EXE
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\60CD.tmp"C:\Users\Admin\AppData\Local\Temp\60CD.tmp"31⤵
- Executes dropped EXE
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\611B.tmp"C:\Users\Admin\AppData\Local\Temp\611B.tmp"32⤵
- Executes dropped EXE
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\6169.tmp"C:\Users\Admin\AppData\Local\Temp\6169.tmp"33⤵
- Executes dropped EXE
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\61B7.tmp"C:\Users\Admin\AppData\Local\Temp\61B7.tmp"34⤵
- Executes dropped EXE
PID:840 -
C:\Users\Admin\AppData\Local\Temp\6206.tmp"C:\Users\Admin\AppData\Local\Temp\6206.tmp"35⤵
- Executes dropped EXE
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\6254.tmp"C:\Users\Admin\AppData\Local\Temp\6254.tmp"36⤵
- Executes dropped EXE
PID:220 -
C:\Users\Admin\AppData\Local\Temp\62B1.tmp"C:\Users\Admin\AppData\Local\Temp\62B1.tmp"37⤵
- Executes dropped EXE
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\6300.tmp"C:\Users\Admin\AppData\Local\Temp\6300.tmp"38⤵
- Executes dropped EXE
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\634E.tmp"C:\Users\Admin\AppData\Local\Temp\634E.tmp"39⤵
- Executes dropped EXE
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\639C.tmp"C:\Users\Admin\AppData\Local\Temp\639C.tmp"40⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\63EA.tmp"C:\Users\Admin\AppData\Local\Temp\63EA.tmp"41⤵
- Executes dropped EXE
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\6438.tmp"C:\Users\Admin\AppData\Local\Temp\6438.tmp"42⤵
- Executes dropped EXE
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\6486.tmp"C:\Users\Admin\AppData\Local\Temp\6486.tmp"43⤵
- Executes dropped EXE
PID:3924 -
C:\Users\Admin\AppData\Local\Temp\64D4.tmp"C:\Users\Admin\AppData\Local\Temp\64D4.tmp"44⤵
- Executes dropped EXE
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\6522.tmp"C:\Users\Admin\AppData\Local\Temp\6522.tmp"45⤵
- Executes dropped EXE
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\6571.tmp"C:\Users\Admin\AppData\Local\Temp\6571.tmp"46⤵
- Executes dropped EXE
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\65BF.tmp"C:\Users\Admin\AppData\Local\Temp\65BF.tmp"47⤵
- Executes dropped EXE
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\660D.tmp"C:\Users\Admin\AppData\Local\Temp\660D.tmp"48⤵
- Executes dropped EXE
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\665B.tmp"C:\Users\Admin\AppData\Local\Temp\665B.tmp"49⤵
- Executes dropped EXE
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\66A9.tmp"C:\Users\Admin\AppData\Local\Temp\66A9.tmp"50⤵
- Executes dropped EXE
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\66F7.tmp"C:\Users\Admin\AppData\Local\Temp\66F7.tmp"51⤵
- Executes dropped EXE
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\6745.tmp"C:\Users\Admin\AppData\Local\Temp\6745.tmp"52⤵
- Executes dropped EXE
PID:3948 -
C:\Users\Admin\AppData\Local\Temp\6793.tmp"C:\Users\Admin\AppData\Local\Temp\6793.tmp"53⤵
- Executes dropped EXE
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\67E2.tmp"C:\Users\Admin\AppData\Local\Temp\67E2.tmp"54⤵
- Executes dropped EXE
PID:8 -
C:\Users\Admin\AppData\Local\Temp\683F.tmp"C:\Users\Admin\AppData\Local\Temp\683F.tmp"55⤵
- Executes dropped EXE
PID:3636 -
C:\Users\Admin\AppData\Local\Temp\688D.tmp"C:\Users\Admin\AppData\Local\Temp\688D.tmp"56⤵
- Executes dropped EXE
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\68DC.tmp"C:\Users\Admin\AppData\Local\Temp\68DC.tmp"57⤵
- Executes dropped EXE
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\692A.tmp"C:\Users\Admin\AppData\Local\Temp\692A.tmp"58⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\6978.tmp"C:\Users\Admin\AppData\Local\Temp\6978.tmp"59⤵
- Executes dropped EXE
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\69C6.tmp"C:\Users\Admin\AppData\Local\Temp\69C6.tmp"60⤵
- Executes dropped EXE
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\6A24.tmp"C:\Users\Admin\AppData\Local\Temp\6A24.tmp"61⤵
- Executes dropped EXE
PID:372 -
C:\Users\Admin\AppData\Local\Temp\6A72.tmp"C:\Users\Admin\AppData\Local\Temp\6A72.tmp"62⤵
- Executes dropped EXE
PID:208 -
C:\Users\Admin\AppData\Local\Temp\6AC0.tmp"C:\Users\Admin\AppData\Local\Temp\6AC0.tmp"63⤵
- Executes dropped EXE
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\6B0E.tmp"C:\Users\Admin\AppData\Local\Temp\6B0E.tmp"64⤵
- Executes dropped EXE
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\6B6C.tmp"C:\Users\Admin\AppData\Local\Temp\6B6C.tmp"65⤵
- Executes dropped EXE
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\6BBA.tmp"C:\Users\Admin\AppData\Local\Temp\6BBA.tmp"66⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\6C08.tmp"C:\Users\Admin\AppData\Local\Temp\6C08.tmp"67⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\6C56.tmp"C:\Users\Admin\AppData\Local\Temp\6C56.tmp"68⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\6CA4.tmp"C:\Users\Admin\AppData\Local\Temp\6CA4.tmp"69⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"70⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\6D31.tmp"C:\Users\Admin\AppData\Local\Temp\6D31.tmp"71⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"72⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"73⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\6E1B.tmp"C:\Users\Admin\AppData\Local\Temp\6E1B.tmp"74⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\6E69.tmp"C:\Users\Admin\AppData\Local\Temp\6E69.tmp"75⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\6EB8.tmp"C:\Users\Admin\AppData\Local\Temp\6EB8.tmp"76⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\6F06.tmp"C:\Users\Admin\AppData\Local\Temp\6F06.tmp"77⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\6F54.tmp"C:\Users\Admin\AppData\Local\Temp\6F54.tmp"78⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"79⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"80⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\703E.tmp"C:\Users\Admin\AppData\Local\Temp\703E.tmp"81⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\708C.tmp"C:\Users\Admin\AppData\Local\Temp\708C.tmp"82⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\70DA.tmp"C:\Users\Admin\AppData\Local\Temp\70DA.tmp"83⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\7129.tmp"C:\Users\Admin\AppData\Local\Temp\7129.tmp"84⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\7177.tmp"C:\Users\Admin\AppData\Local\Temp\7177.tmp"85⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\71D4.tmp"C:\Users\Admin\AppData\Local\Temp\71D4.tmp"86⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\7223.tmp"C:\Users\Admin\AppData\Local\Temp\7223.tmp"87⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\7271.tmp"C:\Users\Admin\AppData\Local\Temp\7271.tmp"88⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\72BF.tmp"C:\Users\Admin\AppData\Local\Temp\72BF.tmp"89⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\730D.tmp"C:\Users\Admin\AppData\Local\Temp\730D.tmp"90⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\735B.tmp"C:\Users\Admin\AppData\Local\Temp\735B.tmp"91⤵PID:588
-
C:\Users\Admin\AppData\Local\Temp\739A.tmp"C:\Users\Admin\AppData\Local\Temp\739A.tmp"92⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\73E8.tmp"C:\Users\Admin\AppData\Local\Temp\73E8.tmp"93⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\7436.tmp"C:\Users\Admin\AppData\Local\Temp\7436.tmp"94⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\7484.tmp"C:\Users\Admin\AppData\Local\Temp\7484.tmp"95⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\74D2.tmp"C:\Users\Admin\AppData\Local\Temp\74D2.tmp"96⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\7520.tmp"C:\Users\Admin\AppData\Local\Temp\7520.tmp"97⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\756E.tmp"C:\Users\Admin\AppData\Local\Temp\756E.tmp"98⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\75CC.tmp"C:\Users\Admin\AppData\Local\Temp\75CC.tmp"99⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\761A.tmp"C:\Users\Admin\AppData\Local\Temp\761A.tmp"100⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\7668.tmp"C:\Users\Admin\AppData\Local\Temp\7668.tmp"101⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\76B6.tmp"C:\Users\Admin\AppData\Local\Temp\76B6.tmp"102⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\7705.tmp"C:\Users\Admin\AppData\Local\Temp\7705.tmp"103⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\7762.tmp"C:\Users\Admin\AppData\Local\Temp\7762.tmp"104⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\77B0.tmp"C:\Users\Admin\AppData\Local\Temp\77B0.tmp"105⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\77FF.tmp"C:\Users\Admin\AppData\Local\Temp\77FF.tmp"106⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\784D.tmp"C:\Users\Admin\AppData\Local\Temp\784D.tmp"107⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\789B.tmp"C:\Users\Admin\AppData\Local\Temp\789B.tmp"108⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\78E9.tmp"C:\Users\Admin\AppData\Local\Temp\78E9.tmp"109⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\7927.tmp"C:\Users\Admin\AppData\Local\Temp\7927.tmp"110⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\7985.tmp"C:\Users\Admin\AppData\Local\Temp\7985.tmp"111⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\79D3.tmp"C:\Users\Admin\AppData\Local\Temp\79D3.tmp"112⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\7A21.tmp"C:\Users\Admin\AppData\Local\Temp\7A21.tmp"113⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\7A70.tmp"C:\Users\Admin\AppData\Local\Temp\7A70.tmp"114⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"115⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\7B0C.tmp"C:\Users\Admin\AppData\Local\Temp\7B0C.tmp"116⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"117⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\7BA8.tmp"C:\Users\Admin\AppData\Local\Temp\7BA8.tmp"118⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\7BF6.tmp"C:\Users\Admin\AppData\Local\Temp\7BF6.tmp"119⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\7C44.tmp"C:\Users\Admin\AppData\Local\Temp\7C44.tmp"120⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"121⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"122⤵PID:2356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-