Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 19:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe
Resource
win7-20240221-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe
-
Size
536KB
-
MD5
d513f32e23539f569616fff18e675a69
-
SHA1
fadddffdc8f000f4fed3b73093983907a743f872
-
SHA256
ba106fea70d3fa749212f5554339c8f46fafa329506c9c0393bf09fef4b4e7b1
-
SHA512
96e054d211148c942b7ca11080089651738b07227ea221a0a24e232d0344eb61dc6339ea815709b1b0b52fed6950a18848057282311c45c0d715cb19f1f4add3
-
SSDEEP
12288:wU5rCOTeiUZCZ2cQIQjIOaLV/ie+iQ5BDL9u1CuA7vIZxVJ0ZT9:wUQOJUc2cQPIOakBDIRJ0ZT9
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 376 4055.tmp 1492 40E1.tmp 1828 415E.tmp 4356 41FA.tmp 1784 4297.tmp 712 4314.tmp 4776 43DF.tmp 2644 449A.tmp 4604 4517.tmp 3344 45B4.tmp 3920 465F.tmp 760 470B.tmp 1360 47A8.tmp 4768 4853.tmp 1960 48E0.tmp 2464 49BB.tmp 5084 4A57.tmp 3752 4B13.tmp 1048 4B9F.tmp 2980 4C4B.tmp 1940 4CB8.tmp 1208 4D55.tmp 1924 4DF1.tmp 4024 4E6E.tmp 4496 4F1A.tmp 4488 4F97.tmp 4380 5033.tmp 1364 50C0.tmp 2736 513D.tmp 4424 5208.tmp 2704 52E3.tmp 1996 538E.tmp 4596 540B.tmp 5016 5469.tmp 908 54F6.tmp 4248 5554.tmp 3468 55C1.tmp 4544 562E.tmp 4868 569C.tmp 2160 5709.tmp 3056 5776.tmp 1184 57F3.tmp 776 5861.tmp 4128 58BF.tmp 996 590D.tmp 2348 597A.tmp 3104 59D8.tmp 372 5A45.tmp 1228 5AB3.tmp 1900 5B01.tmp 388 5B4F.tmp 1208 5B9D.tmp 2040 5BEB.tmp 4024 5C49.tmp 1936 5CA7.tmp 4580 5D04.tmp 1928 5D52.tmp 2220 5DA1.tmp 1896 5DFE.tmp 2484 5E4C.tmp 2336 5EAA.tmp 1668 5EF8.tmp 4424 5F56.tmp 1576 5FA4.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 376 2296 2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe 83 PID 2296 wrote to memory of 376 2296 2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe 83 PID 2296 wrote to memory of 376 2296 2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe 83 PID 376 wrote to memory of 1492 376 4055.tmp 84 PID 376 wrote to memory of 1492 376 4055.tmp 84 PID 376 wrote to memory of 1492 376 4055.tmp 84 PID 1492 wrote to memory of 1828 1492 40E1.tmp 85 PID 1492 wrote to memory of 1828 1492 40E1.tmp 85 PID 1492 wrote to memory of 1828 1492 40E1.tmp 85 PID 1828 wrote to memory of 4356 1828 415E.tmp 87 PID 1828 wrote to memory of 4356 1828 415E.tmp 87 PID 1828 wrote to memory of 4356 1828 415E.tmp 87 PID 4356 wrote to memory of 1784 4356 41FA.tmp 89 PID 4356 wrote to memory of 1784 4356 41FA.tmp 89 PID 4356 wrote to memory of 1784 4356 41FA.tmp 89 PID 1784 wrote to memory of 712 1784 4297.tmp 90 PID 1784 wrote to memory of 712 1784 4297.tmp 90 PID 1784 wrote to memory of 712 1784 4297.tmp 90 PID 712 wrote to memory of 4776 712 4314.tmp 91 PID 712 wrote to memory of 4776 712 4314.tmp 91 PID 712 wrote to memory of 4776 712 4314.tmp 91 PID 4776 wrote to memory of 2644 4776 43DF.tmp 93 PID 4776 wrote to memory of 2644 4776 43DF.tmp 93 PID 4776 wrote to memory of 2644 4776 43DF.tmp 93 PID 2644 wrote to memory of 4604 2644 449A.tmp 94 PID 2644 wrote to memory of 4604 2644 449A.tmp 94 PID 2644 wrote to memory of 4604 2644 449A.tmp 94 PID 4604 wrote to memory of 3344 4604 4517.tmp 95 PID 4604 wrote to memory of 3344 4604 4517.tmp 95 PID 4604 wrote to memory of 3344 4604 4517.tmp 95 PID 3344 wrote to memory of 3920 3344 45B4.tmp 96 PID 3344 wrote to memory of 3920 3344 45B4.tmp 96 PID 3344 wrote to memory of 3920 3344 45B4.tmp 96 PID 3920 wrote to memory of 760 3920 465F.tmp 97 PID 3920 wrote to memory of 760 3920 465F.tmp 97 PID 3920 wrote to memory of 760 3920 465F.tmp 97 PID 760 wrote to memory of 1360 760 470B.tmp 98 PID 760 wrote to memory of 1360 760 470B.tmp 98 PID 760 wrote to memory of 1360 760 470B.tmp 98 PID 1360 wrote to memory of 4768 1360 47A8.tmp 99 PID 1360 wrote to memory of 4768 1360 47A8.tmp 99 PID 1360 wrote to memory of 4768 1360 47A8.tmp 99 PID 4768 wrote to memory of 1960 4768 4853.tmp 100 PID 4768 wrote to memory of 1960 4768 4853.tmp 100 PID 4768 wrote to memory of 1960 4768 4853.tmp 100 PID 1960 wrote to memory of 2464 1960 48E0.tmp 101 PID 1960 wrote to memory of 2464 1960 48E0.tmp 101 PID 1960 wrote to memory of 2464 1960 48E0.tmp 101 PID 2464 wrote to memory of 5084 2464 49BB.tmp 102 PID 2464 wrote to memory of 5084 2464 49BB.tmp 102 PID 2464 wrote to memory of 5084 2464 49BB.tmp 102 PID 5084 wrote to memory of 3752 5084 4A57.tmp 105 PID 5084 wrote to memory of 3752 5084 4A57.tmp 105 PID 5084 wrote to memory of 3752 5084 4A57.tmp 105 PID 3752 wrote to memory of 1048 3752 4B13.tmp 106 PID 3752 wrote to memory of 1048 3752 4B13.tmp 106 PID 3752 wrote to memory of 1048 3752 4B13.tmp 106 PID 1048 wrote to memory of 2980 1048 4B9F.tmp 107 PID 1048 wrote to memory of 2980 1048 4B9F.tmp 107 PID 1048 wrote to memory of 2980 1048 4B9F.tmp 107 PID 2980 wrote to memory of 1940 2980 4C4B.tmp 108 PID 2980 wrote to memory of 1940 2980 4C4B.tmp 108 PID 2980 wrote to memory of 1940 2980 4C4B.tmp 108 PID 1940 wrote to memory of 1208 1940 4CB8.tmp 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-27_d513f32e23539f569616fff18e675a69_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\4055.tmp"C:\Users\Admin\AppData\Local\Temp\4055.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Users\Admin\AppData\Local\Temp\40E1.tmp"C:\Users\Admin\AppData\Local\Temp\40E1.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\415E.tmp"C:\Users\Admin\AppData\Local\Temp\415E.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\41FA.tmp"C:\Users\Admin\AppData\Local\Temp\41FA.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\4297.tmp"C:\Users\Admin\AppData\Local\Temp\4297.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\4314.tmp"C:\Users\Admin\AppData\Local\Temp\4314.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Users\Admin\AppData\Local\Temp\43DF.tmp"C:\Users\Admin\AppData\Local\Temp\43DF.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\449A.tmp"C:\Users\Admin\AppData\Local\Temp\449A.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\4517.tmp"C:\Users\Admin\AppData\Local\Temp\4517.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\45B4.tmp"C:\Users\Admin\AppData\Local\Temp\45B4.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\465F.tmp"C:\Users\Admin\AppData\Local\Temp\465F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\470B.tmp"C:\Users\Admin\AppData\Local\Temp\470B.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Local\Temp\47A8.tmp"C:\Users\Admin\AppData\Local\Temp\47A8.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\4853.tmp"C:\Users\Admin\AppData\Local\Temp\4853.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\48E0.tmp"C:\Users\Admin\AppData\Local\Temp\48E0.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\49BB.tmp"C:\Users\Admin\AppData\Local\Temp\49BB.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\4A57.tmp"C:\Users\Admin\AppData\Local\Temp\4A57.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\4B13.tmp"C:\Users\Admin\AppData\Local\Temp\4B13.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\4C4B.tmp"C:\Users\Admin\AppData\Local\Temp\4C4B.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\4CB8.tmp"C:\Users\Admin\AppData\Local\Temp\4CB8.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\4D55.tmp"C:\Users\Admin\AppData\Local\Temp\4D55.tmp"23⤵
- Executes dropped EXE
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\4DF1.tmp"C:\Users\Admin\AppData\Local\Temp\4DF1.tmp"24⤵
- Executes dropped EXE
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"25⤵
- Executes dropped EXE
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"26⤵
- Executes dropped EXE
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\4F97.tmp"C:\Users\Admin\AppData\Local\Temp\4F97.tmp"27⤵
- Executes dropped EXE
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\5033.tmp"C:\Users\Admin\AppData\Local\Temp\5033.tmp"28⤵
- Executes dropped EXE
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\50C0.tmp"C:\Users\Admin\AppData\Local\Temp\50C0.tmp"29⤵
- Executes dropped EXE
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\513D.tmp"C:\Users\Admin\AppData\Local\Temp\513D.tmp"30⤵
- Executes dropped EXE
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\5208.tmp"C:\Users\Admin\AppData\Local\Temp\5208.tmp"31⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\52E3.tmp"C:\Users\Admin\AppData\Local\Temp\52E3.tmp"32⤵
- Executes dropped EXE
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\538E.tmp"C:\Users\Admin\AppData\Local\Temp\538E.tmp"33⤵
- Executes dropped EXE
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\540B.tmp"C:\Users\Admin\AppData\Local\Temp\540B.tmp"34⤵
- Executes dropped EXE
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\5469.tmp"C:\Users\Admin\AppData\Local\Temp\5469.tmp"35⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\54F6.tmp"C:\Users\Admin\AppData\Local\Temp\54F6.tmp"36⤵
- Executes dropped EXE
PID:908 -
C:\Users\Admin\AppData\Local\Temp\5554.tmp"C:\Users\Admin\AppData\Local\Temp\5554.tmp"37⤵
- Executes dropped EXE
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\55C1.tmp"C:\Users\Admin\AppData\Local\Temp\55C1.tmp"38⤵
- Executes dropped EXE
PID:3468 -
C:\Users\Admin\AppData\Local\Temp\562E.tmp"C:\Users\Admin\AppData\Local\Temp\562E.tmp"39⤵
- Executes dropped EXE
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\569C.tmp"C:\Users\Admin\AppData\Local\Temp\569C.tmp"40⤵
- Executes dropped EXE
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\5709.tmp"C:\Users\Admin\AppData\Local\Temp\5709.tmp"41⤵
- Executes dropped EXE
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\5776.tmp"C:\Users\Admin\AppData\Local\Temp\5776.tmp"42⤵
- Executes dropped EXE
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\57F3.tmp"C:\Users\Admin\AppData\Local\Temp\57F3.tmp"43⤵
- Executes dropped EXE
PID:1184 -
C:\Users\Admin\AppData\Local\Temp\5861.tmp"C:\Users\Admin\AppData\Local\Temp\5861.tmp"44⤵
- Executes dropped EXE
PID:776 -
C:\Users\Admin\AppData\Local\Temp\58BF.tmp"C:\Users\Admin\AppData\Local\Temp\58BF.tmp"45⤵
- Executes dropped EXE
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\590D.tmp"C:\Users\Admin\AppData\Local\Temp\590D.tmp"46⤵
- Executes dropped EXE
PID:996 -
C:\Users\Admin\AppData\Local\Temp\597A.tmp"C:\Users\Admin\AppData\Local\Temp\597A.tmp"47⤵
- Executes dropped EXE
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\59D8.tmp"C:\Users\Admin\AppData\Local\Temp\59D8.tmp"48⤵
- Executes dropped EXE
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\5A45.tmp"C:\Users\Admin\AppData\Local\Temp\5A45.tmp"49⤵
- Executes dropped EXE
PID:372 -
C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"50⤵
- Executes dropped EXE
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\5B01.tmp"C:\Users\Admin\AppData\Local\Temp\5B01.tmp"51⤵
- Executes dropped EXE
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\5B4F.tmp"C:\Users\Admin\AppData\Local\Temp\5B4F.tmp"52⤵
- Executes dropped EXE
PID:388 -
C:\Users\Admin\AppData\Local\Temp\5B9D.tmp"C:\Users\Admin\AppData\Local\Temp\5B9D.tmp"53⤵
- Executes dropped EXE
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"54⤵
- Executes dropped EXE
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\5C49.tmp"C:\Users\Admin\AppData\Local\Temp\5C49.tmp"55⤵
- Executes dropped EXE
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\5CA7.tmp"C:\Users\Admin\AppData\Local\Temp\5CA7.tmp"56⤵
- Executes dropped EXE
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\5D04.tmp"C:\Users\Admin\AppData\Local\Temp\5D04.tmp"57⤵
- Executes dropped EXE
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\5D52.tmp"C:\Users\Admin\AppData\Local\Temp\5D52.tmp"58⤵
- Executes dropped EXE
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"59⤵
- Executes dropped EXE
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\5DFE.tmp"C:\Users\Admin\AppData\Local\Temp\5DFE.tmp"60⤵
- Executes dropped EXE
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"61⤵
- Executes dropped EXE
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\5EAA.tmp"C:\Users\Admin\AppData\Local\Temp\5EAA.tmp"62⤵
- Executes dropped EXE
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"63⤵
- Executes dropped EXE
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\5F56.tmp"C:\Users\Admin\AppData\Local\Temp\5F56.tmp"64⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"65⤵
- Executes dropped EXE
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"66⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\6040.tmp"C:\Users\Admin\AppData\Local\Temp\6040.tmp"67⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\609E.tmp"C:\Users\Admin\AppData\Local\Temp\609E.tmp"68⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\60FC.tmp"C:\Users\Admin\AppData\Local\Temp\60FC.tmp"69⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\614A.tmp"C:\Users\Admin\AppData\Local\Temp\614A.tmp"70⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\61A8.tmp"C:\Users\Admin\AppData\Local\Temp\61A8.tmp"71⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\6206.tmp"C:\Users\Admin\AppData\Local\Temp\6206.tmp"72⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\6254.tmp"C:\Users\Admin\AppData\Local\Temp\6254.tmp"73⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\62B1.tmp"C:\Users\Admin\AppData\Local\Temp\62B1.tmp"74⤵PID:828
-
C:\Users\Admin\AppData\Local\Temp\6300.tmp"C:\Users\Admin\AppData\Local\Temp\6300.tmp"75⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\634E.tmp"C:\Users\Admin\AppData\Local\Temp\634E.tmp"76⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\639C.tmp"C:\Users\Admin\AppData\Local\Temp\639C.tmp"77⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\63FA.tmp"C:\Users\Admin\AppData\Local\Temp\63FA.tmp"78⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\6448.tmp"C:\Users\Admin\AppData\Local\Temp\6448.tmp"79⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\64A5.tmp"C:\Users\Admin\AppData\Local\Temp\64A5.tmp"80⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\6503.tmp"C:\Users\Admin\AppData\Local\Temp\6503.tmp"81⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\6571.tmp"C:\Users\Admin\AppData\Local\Temp\6571.tmp"82⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\65BF.tmp"C:\Users\Admin\AppData\Local\Temp\65BF.tmp"83⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\661C.tmp"C:\Users\Admin\AppData\Local\Temp\661C.tmp"84⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\667A.tmp"C:\Users\Admin\AppData\Local\Temp\667A.tmp"85⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\66D8.tmp"C:\Users\Admin\AppData\Local\Temp\66D8.tmp"86⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\6726.tmp"C:\Users\Admin\AppData\Local\Temp\6726.tmp"87⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\6784.tmp"C:\Users\Admin\AppData\Local\Temp\6784.tmp"88⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\67D2.tmp"C:\Users\Admin\AppData\Local\Temp\67D2.tmp"89⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\6820.tmp"C:\Users\Admin\AppData\Local\Temp\6820.tmp"90⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\686E.tmp"C:\Users\Admin\AppData\Local\Temp\686E.tmp"91⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\68CC.tmp"C:\Users\Admin\AppData\Local\Temp\68CC.tmp"92⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\692A.tmp"C:\Users\Admin\AppData\Local\Temp\692A.tmp"93⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\6978.tmp"C:\Users\Admin\AppData\Local\Temp\6978.tmp"94⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\69C6.tmp"C:\Users\Admin\AppData\Local\Temp\69C6.tmp"95⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\6A14.tmp"C:\Users\Admin\AppData\Local\Temp\6A14.tmp"96⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\6A62.tmp"C:\Users\Admin\AppData\Local\Temp\6A62.tmp"97⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\6AB0.tmp"C:\Users\Admin\AppData\Local\Temp\6AB0.tmp"98⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\6AFE.tmp"C:\Users\Admin\AppData\Local\Temp\6AFE.tmp"99⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\6B4D.tmp"C:\Users\Admin\AppData\Local\Temp\6B4D.tmp"100⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\6B9B.tmp"C:\Users\Admin\AppData\Local\Temp\6B9B.tmp"101⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp"C:\Users\Admin\AppData\Local\Temp\6BE9.tmp"102⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\6C37.tmp"C:\Users\Admin\AppData\Local\Temp\6C37.tmp"103⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\6C95.tmp"C:\Users\Admin\AppData\Local\Temp\6C95.tmp"104⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\6CF2.tmp"C:\Users\Admin\AppData\Local\Temp\6CF2.tmp"105⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\6D41.tmp"C:\Users\Admin\AppData\Local\Temp\6D41.tmp"106⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"107⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"108⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"109⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\6E98.tmp"C:\Users\Admin\AppData\Local\Temp\6E98.tmp"110⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"111⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\6F44.tmp"C:\Users\Admin\AppData\Local\Temp\6F44.tmp"112⤵PID:4072
-
C:\Users\Admin\AppData\Local\Temp\6F92.tmp"C:\Users\Admin\AppData\Local\Temp\6F92.tmp"113⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\6FE0.tmp"C:\Users\Admin\AppData\Local\Temp\6FE0.tmp"114⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\702F.tmp"C:\Users\Admin\AppData\Local\Temp\702F.tmp"115⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\707D.tmp"C:\Users\Admin\AppData\Local\Temp\707D.tmp"116⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\70CB.tmp"C:\Users\Admin\AppData\Local\Temp\70CB.tmp"117⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\7119.tmp"C:\Users\Admin\AppData\Local\Temp\7119.tmp"118⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\7167.tmp"C:\Users\Admin\AppData\Local\Temp\7167.tmp"119⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\71B5.tmp"C:\Users\Admin\AppData\Local\Temp\71B5.tmp"120⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\7203.tmp"C:\Users\Admin\AppData\Local\Temp\7203.tmp"121⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\7251.tmp"C:\Users\Admin\AppData\Local\Temp\7251.tmp"122⤵PID:1824
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-