Analysis
-
max time kernel
150s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 21:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe
Resource
win7-20240508-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe
-
Size
529KB
-
MD5
46ffc2d68eaecd0c2ef32d2fe553770f
-
SHA1
59ff6c9166ffa34f6a270bcf6a5e7c882cf538f6
-
SHA256
66657418a8a6c836b744d2ecf4cf9b66ea819fb4557b67c503300eab6b77a96c
-
SHA512
dc18d53e8f0444cf585119dca9dc1396f355bb2f67d6354c8a8e4a3a8be9c180707fe328bda767504acdb329d880e56542eaaa959ce4ced65171cf74a5b0864e
-
SSDEEP
12288:NU5rCOTeij/1/q+WFW6ZiNLTSz4TZwlH4Hp:NUQOJjtS+W/Uqz4TSlH4Hp
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4008 378B.tmp 2876 3836.tmp 5084 38C3.tmp 3952 3950.tmp 4840 39FC.tmp 3936 3A69.tmp 4592 3AE6.tmp 4032 3B44.tmp 1268 3BB1.tmp 3148 3C0F.tmp 4496 3C9B.tmp 4820 3CF9.tmp 1108 3D67.tmp 4092 3DC4.tmp 4356 3E22.tmp 2508 3E80.tmp 2096 3EFD.tmp 2976 3F5B.tmp 448 3FB8.tmp 1900 4016.tmp 2072 4074.tmp 3084 40C2.tmp 4288 4120.tmp 5080 417D.tmp 1812 41CC.tmp 2236 4239.tmp 2688 42A6.tmp 3096 4304.tmp 2856 4362.tmp 2620 43EE.tmp 1516 446B.tmp 4456 44C9.tmp 1684 4527.tmp 224 4594.tmp 3536 45E2.tmp 4568 4640.tmp 4436 468E.tmp 1152 46EC.tmp 4724 473A.tmp 4004 4788.tmp 1420 47E6.tmp 4128 4834.tmp 924 4892.tmp 1868 48E0.tmp 3240 493E.tmp 5104 499C.tmp 4764 4A09.tmp 4728 4A67.tmp 1604 4AE4.tmp 4644 4B41.tmp 4356 4B9F.tmp 3268 4BED.tmp 5052 4C3B.tmp 1476 4C99.tmp 2976 4CE7.tmp 448 4D45.tmp 1036 4DA3.tmp 1000 4E01.tmp 1328 4E4F.tmp 1660 4EAC.tmp 3540 4F0A.tmp 4536 4F68.tmp 4920 4FB6.tmp 2944 5014.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 644 wrote to memory of 4008 644 2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe 83 PID 644 wrote to memory of 4008 644 2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe 83 PID 644 wrote to memory of 4008 644 2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe 83 PID 4008 wrote to memory of 2876 4008 378B.tmp 84 PID 4008 wrote to memory of 2876 4008 378B.tmp 84 PID 4008 wrote to memory of 2876 4008 378B.tmp 84 PID 2876 wrote to memory of 5084 2876 3836.tmp 85 PID 2876 wrote to memory of 5084 2876 3836.tmp 85 PID 2876 wrote to memory of 5084 2876 3836.tmp 85 PID 5084 wrote to memory of 3952 5084 38C3.tmp 87 PID 5084 wrote to memory of 3952 5084 38C3.tmp 87 PID 5084 wrote to memory of 3952 5084 38C3.tmp 87 PID 3952 wrote to memory of 4840 3952 3950.tmp 88 PID 3952 wrote to memory of 4840 3952 3950.tmp 88 PID 3952 wrote to memory of 4840 3952 3950.tmp 88 PID 4840 wrote to memory of 3936 4840 39FC.tmp 90 PID 4840 wrote to memory of 3936 4840 39FC.tmp 90 PID 4840 wrote to memory of 3936 4840 39FC.tmp 90 PID 3936 wrote to memory of 4592 3936 3A69.tmp 92 PID 3936 wrote to memory of 4592 3936 3A69.tmp 92 PID 3936 wrote to memory of 4592 3936 3A69.tmp 92 PID 4592 wrote to memory of 4032 4592 3AE6.tmp 93 PID 4592 wrote to memory of 4032 4592 3AE6.tmp 93 PID 4592 wrote to memory of 4032 4592 3AE6.tmp 93 PID 4032 wrote to memory of 1268 4032 3B44.tmp 94 PID 4032 wrote to memory of 1268 4032 3B44.tmp 94 PID 4032 wrote to memory of 1268 4032 3B44.tmp 94 PID 1268 wrote to memory of 3148 1268 3BB1.tmp 95 PID 1268 wrote to memory of 3148 1268 3BB1.tmp 95 PID 1268 wrote to memory of 3148 1268 3BB1.tmp 95 PID 3148 wrote to memory of 4496 3148 3C0F.tmp 96 PID 3148 wrote to memory of 4496 3148 3C0F.tmp 96 PID 3148 wrote to memory of 4496 3148 3C0F.tmp 96 PID 4496 wrote to memory of 4820 4496 3C9B.tmp 97 PID 4496 wrote to memory of 4820 4496 3C9B.tmp 97 PID 4496 wrote to memory of 4820 4496 3C9B.tmp 97 PID 4820 wrote to memory of 1108 4820 3CF9.tmp 98 PID 4820 wrote to memory of 1108 4820 3CF9.tmp 98 PID 4820 wrote to memory of 1108 4820 3CF9.tmp 98 PID 1108 wrote to memory of 4092 1108 3D67.tmp 99 PID 1108 wrote to memory of 4092 1108 3D67.tmp 99 PID 1108 wrote to memory of 4092 1108 3D67.tmp 99 PID 4092 wrote to memory of 4356 4092 3DC4.tmp 100 PID 4092 wrote to memory of 4356 4092 3DC4.tmp 100 PID 4092 wrote to memory of 4356 4092 3DC4.tmp 100 PID 4356 wrote to memory of 2508 4356 3E22.tmp 101 PID 4356 wrote to memory of 2508 4356 3E22.tmp 101 PID 4356 wrote to memory of 2508 4356 3E22.tmp 101 PID 2508 wrote to memory of 2096 2508 3E80.tmp 102 PID 2508 wrote to memory of 2096 2508 3E80.tmp 102 PID 2508 wrote to memory of 2096 2508 3E80.tmp 102 PID 2096 wrote to memory of 2976 2096 3EFD.tmp 103 PID 2096 wrote to memory of 2976 2096 3EFD.tmp 103 PID 2096 wrote to memory of 2976 2096 3EFD.tmp 103 PID 2976 wrote to memory of 448 2976 3F5B.tmp 104 PID 2976 wrote to memory of 448 2976 3F5B.tmp 104 PID 2976 wrote to memory of 448 2976 3F5B.tmp 104 PID 448 wrote to memory of 1900 448 3FB8.tmp 105 PID 448 wrote to memory of 1900 448 3FB8.tmp 105 PID 448 wrote to memory of 1900 448 3FB8.tmp 105 PID 1900 wrote to memory of 2072 1900 4016.tmp 106 PID 1900 wrote to memory of 2072 1900 4016.tmp 106 PID 1900 wrote to memory of 2072 1900 4016.tmp 106 PID 2072 wrote to memory of 3084 2072 4074.tmp 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-22_46ffc2d68eaecd0c2ef32d2fe553770f_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Users\Admin\AppData\Local\Temp\378B.tmp"C:\Users\Admin\AppData\Local\Temp\378B.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\3836.tmp"C:\Users\Admin\AppData\Local\Temp\3836.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\38C3.tmp"C:\Users\Admin\AppData\Local\Temp\38C3.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\3950.tmp"C:\Users\Admin\AppData\Local\Temp\3950.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\39FC.tmp"C:\Users\Admin\AppData\Local\Temp\39FC.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\3A69.tmp"C:\Users\Admin\AppData\Local\Temp\3A69.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\3AE6.tmp"C:\Users\Admin\AppData\Local\Temp\3AE6.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\3B44.tmp"C:\Users\Admin\AppData\Local\Temp\3B44.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\3BB1.tmp"C:\Users\Admin\AppData\Local\Temp\3BB1.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Users\Admin\AppData\Local\Temp\3C0F.tmp"C:\Users\Admin\AppData\Local\Temp\3C0F.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\3C9B.tmp"C:\Users\Admin\AppData\Local\Temp\3C9B.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\3CF9.tmp"C:\Users\Admin\AppData\Local\Temp\3CF9.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\3D67.tmp"C:\Users\Admin\AppData\Local\Temp\3D67.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\3DC4.tmp"C:\Users\Admin\AppData\Local\Temp\3DC4.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\3E22.tmp"C:\Users\Admin\AppData\Local\Temp\3E22.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\3E80.tmp"C:\Users\Admin\AppData\Local\Temp\3E80.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\3EFD.tmp"C:\Users\Admin\AppData\Local\Temp\3EFD.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\3F5B.tmp"C:\Users\Admin\AppData\Local\Temp\3F5B.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\3FB8.tmp"C:\Users\Admin\AppData\Local\Temp\3FB8.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Users\Admin\AppData\Local\Temp\4016.tmp"C:\Users\Admin\AppData\Local\Temp\4016.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\4074.tmp"C:\Users\Admin\AppData\Local\Temp\4074.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\40C2.tmp"C:\Users\Admin\AppData\Local\Temp\40C2.tmp"23⤵
- Executes dropped EXE
PID:3084 -
C:\Users\Admin\AppData\Local\Temp\4120.tmp"C:\Users\Admin\AppData\Local\Temp\4120.tmp"24⤵
- Executes dropped EXE
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\417D.tmp"C:\Users\Admin\AppData\Local\Temp\417D.tmp"25⤵
- Executes dropped EXE
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\41CC.tmp"C:\Users\Admin\AppData\Local\Temp\41CC.tmp"26⤵
- Executes dropped EXE
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\4239.tmp"C:\Users\Admin\AppData\Local\Temp\4239.tmp"27⤵
- Executes dropped EXE
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\42A6.tmp"C:\Users\Admin\AppData\Local\Temp\42A6.tmp"28⤵
- Executes dropped EXE
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\4304.tmp"C:\Users\Admin\AppData\Local\Temp\4304.tmp"29⤵
- Executes dropped EXE
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\4362.tmp"C:\Users\Admin\AppData\Local\Temp\4362.tmp"30⤵
- Executes dropped EXE
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\43EE.tmp"C:\Users\Admin\AppData\Local\Temp\43EE.tmp"31⤵
- Executes dropped EXE
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\446B.tmp"C:\Users\Admin\AppData\Local\Temp\446B.tmp"32⤵
- Executes dropped EXE
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\44C9.tmp"C:\Users\Admin\AppData\Local\Temp\44C9.tmp"33⤵
- Executes dropped EXE
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\4527.tmp"C:\Users\Admin\AppData\Local\Temp\4527.tmp"34⤵
- Executes dropped EXE
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\4594.tmp"C:\Users\Admin\AppData\Local\Temp\4594.tmp"35⤵
- Executes dropped EXE
PID:224 -
C:\Users\Admin\AppData\Local\Temp\45E2.tmp"C:\Users\Admin\AppData\Local\Temp\45E2.tmp"36⤵
- Executes dropped EXE
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\4640.tmp"C:\Users\Admin\AppData\Local\Temp\4640.tmp"37⤵
- Executes dropped EXE
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\468E.tmp"C:\Users\Admin\AppData\Local\Temp\468E.tmp"38⤵
- Executes dropped EXE
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\46EC.tmp"C:\Users\Admin\AppData\Local\Temp\46EC.tmp"39⤵
- Executes dropped EXE
PID:1152 -
C:\Users\Admin\AppData\Local\Temp\473A.tmp"C:\Users\Admin\AppData\Local\Temp\473A.tmp"40⤵
- Executes dropped EXE
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\4788.tmp"C:\Users\Admin\AppData\Local\Temp\4788.tmp"41⤵
- Executes dropped EXE
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\47E6.tmp"C:\Users\Admin\AppData\Local\Temp\47E6.tmp"42⤵
- Executes dropped EXE
PID:1420 -
C:\Users\Admin\AppData\Local\Temp\4834.tmp"C:\Users\Admin\AppData\Local\Temp\4834.tmp"43⤵
- Executes dropped EXE
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\4892.tmp"C:\Users\Admin\AppData\Local\Temp\4892.tmp"44⤵
- Executes dropped EXE
PID:924 -
C:\Users\Admin\AppData\Local\Temp\48E0.tmp"C:\Users\Admin\AppData\Local\Temp\48E0.tmp"45⤵
- Executes dropped EXE
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\493E.tmp"C:\Users\Admin\AppData\Local\Temp\493E.tmp"46⤵
- Executes dropped EXE
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\499C.tmp"C:\Users\Admin\AppData\Local\Temp\499C.tmp"47⤵
- Executes dropped EXE
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\4A09.tmp"C:\Users\Admin\AppData\Local\Temp\4A09.tmp"48⤵
- Executes dropped EXE
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\4A67.tmp"C:\Users\Admin\AppData\Local\Temp\4A67.tmp"49⤵
- Executes dropped EXE
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\4AE4.tmp"C:\Users\Admin\AppData\Local\Temp\4AE4.tmp"50⤵
- Executes dropped EXE
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\4B41.tmp"C:\Users\Admin\AppData\Local\Temp\4B41.tmp"51⤵
- Executes dropped EXE
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"52⤵
- Executes dropped EXE
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\4BED.tmp"C:\Users\Admin\AppData\Local\Temp\4BED.tmp"53⤵
- Executes dropped EXE
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\4C3B.tmp"C:\Users\Admin\AppData\Local\Temp\4C3B.tmp"54⤵
- Executes dropped EXE
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\4C99.tmp"C:\Users\Admin\AppData\Local\Temp\4C99.tmp"55⤵
- Executes dropped EXE
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\4CE7.tmp"C:\Users\Admin\AppData\Local\Temp\4CE7.tmp"56⤵
- Executes dropped EXE
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\4D45.tmp"C:\Users\Admin\AppData\Local\Temp\4D45.tmp"57⤵
- Executes dropped EXE
PID:448 -
C:\Users\Admin\AppData\Local\Temp\4DA3.tmp"C:\Users\Admin\AppData\Local\Temp\4DA3.tmp"58⤵
- Executes dropped EXE
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\4E01.tmp"C:\Users\Admin\AppData\Local\Temp\4E01.tmp"59⤵
- Executes dropped EXE
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"60⤵
- Executes dropped EXE
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"61⤵
- Executes dropped EXE
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\4F0A.tmp"C:\Users\Admin\AppData\Local\Temp\4F0A.tmp"62⤵
- Executes dropped EXE
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\4F68.tmp"C:\Users\Admin\AppData\Local\Temp\4F68.tmp"63⤵
- Executes dropped EXE
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"64⤵
- Executes dropped EXE
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\5014.tmp"C:\Users\Admin\AppData\Local\Temp\5014.tmp"65⤵
- Executes dropped EXE
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\5062.tmp"C:\Users\Admin\AppData\Local\Temp\5062.tmp"66⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\50C0.tmp"C:\Users\Admin\AppData\Local\Temp\50C0.tmp"67⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\510E.tmp"C:\Users\Admin\AppData\Local\Temp\510E.tmp"68⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\515C.tmp"C:\Users\Admin\AppData\Local\Temp\515C.tmp"69⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\51AA.tmp"C:\Users\Admin\AppData\Local\Temp\51AA.tmp"70⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\5208.tmp"C:\Users\Admin\AppData\Local\Temp\5208.tmp"71⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\5266.tmp"C:\Users\Admin\AppData\Local\Temp\5266.tmp"72⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\52C3.tmp"C:\Users\Admin\AppData\Local\Temp\52C3.tmp"73⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\5311.tmp"C:\Users\Admin\AppData\Local\Temp\5311.tmp"74⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\536F.tmp"C:\Users\Admin\AppData\Local\Temp\536F.tmp"75⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\53CD.tmp"C:\Users\Admin\AppData\Local\Temp\53CD.tmp"76⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\542B.tmp"C:\Users\Admin\AppData\Local\Temp\542B.tmp"77⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\5479.tmp"C:\Users\Admin\AppData\Local\Temp\5479.tmp"78⤵PID:1352
-
C:\Users\Admin\AppData\Local\Temp\54D7.tmp"C:\Users\Admin\AppData\Local\Temp\54D7.tmp"79⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\5534.tmp"C:\Users\Admin\AppData\Local\Temp\5534.tmp"80⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\5592.tmp"C:\Users\Admin\AppData\Local\Temp\5592.tmp"81⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\55F0.tmp"C:\Users\Admin\AppData\Local\Temp\55F0.tmp"82⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\564E.tmp"C:\Users\Admin\AppData\Local\Temp\564E.tmp"83⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\56BB.tmp"C:\Users\Admin\AppData\Local\Temp\56BB.tmp"84⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\5719.tmp"C:\Users\Admin\AppData\Local\Temp\5719.tmp"85⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\5776.tmp"C:\Users\Admin\AppData\Local\Temp\5776.tmp"86⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\57D4.tmp"C:\Users\Admin\AppData\Local\Temp\57D4.tmp"87⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\5832.tmp"C:\Users\Admin\AppData\Local\Temp\5832.tmp"88⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\5890.tmp"C:\Users\Admin\AppData\Local\Temp\5890.tmp"89⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\58FD.tmp"C:\Users\Admin\AppData\Local\Temp\58FD.tmp"90⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\595B.tmp"C:\Users\Admin\AppData\Local\Temp\595B.tmp"91⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\59A9.tmp"C:\Users\Admin\AppData\Local\Temp\59A9.tmp"92⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\5A07.tmp"C:\Users\Admin\AppData\Local\Temp\5A07.tmp"93⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\5A64.tmp"C:\Users\Admin\AppData\Local\Temp\5A64.tmp"94⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\5AC2.tmp"C:\Users\Admin\AppData\Local\Temp\5AC2.tmp"95⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\5B20.tmp"C:\Users\Admin\AppData\Local\Temp\5B20.tmp"96⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"97⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"98⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\5C39.tmp"C:\Users\Admin\AppData\Local\Temp\5C39.tmp"99⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\5C87.tmp"C:\Users\Admin\AppData\Local\Temp\5C87.tmp"100⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\5CE5.tmp"C:\Users\Admin\AppData\Local\Temp\5CE5.tmp"101⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\5D43.tmp"C:\Users\Admin\AppData\Local\Temp\5D43.tmp"102⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"103⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"104⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\5E3D.tmp"C:\Users\Admin\AppData\Local\Temp\5E3D.tmp"105⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"106⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"107⤵PID:60
-
C:\Users\Admin\AppData\Local\Temp\5F56.tmp"C:\Users\Admin\AppData\Local\Temp\5F56.tmp"108⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"109⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"110⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\6040.tmp"C:\Users\Admin\AppData\Local\Temp\6040.tmp"111⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\608F.tmp"C:\Users\Admin\AppData\Local\Temp\608F.tmp"112⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\60EC.tmp"C:\Users\Admin\AppData\Local\Temp\60EC.tmp"113⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\614A.tmp"C:\Users\Admin\AppData\Local\Temp\614A.tmp"114⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\61A8.tmp"C:\Users\Admin\AppData\Local\Temp\61A8.tmp"115⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\61F6.tmp"C:\Users\Admin\AppData\Local\Temp\61F6.tmp"116⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\6244.tmp"C:\Users\Admin\AppData\Local\Temp\6244.tmp"117⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\6292.tmp"C:\Users\Admin\AppData\Local\Temp\6292.tmp"118⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\62F0.tmp"C:\Users\Admin\AppData\Local\Temp\62F0.tmp"119⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\634E.tmp"C:\Users\Admin\AppData\Local\Temp\634E.tmp"120⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\639C.tmp"C:\Users\Admin\AppData\Local\Temp\639C.tmp"121⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\63FA.tmp"C:\Users\Admin\AppData\Local\Temp\63FA.tmp"122⤵PID:4568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-