Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2024, 07:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe
Resource
win10v2004-20240226-en
2 signatures
150 seconds
General
-
Target
2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe
-
Size
541KB
-
MD5
032b4cd9390d7c97815968630352860f
-
SHA1
ce272434f0806e696f064177ba17f23983df506f
-
SHA256
0b424662f8d1f03e806c9fc2513d2563e74bd6e52475d33447805d0de9904ad4
-
SHA512
9fbca360ad8e72af64b06e1e494698881aa0c2c5c8964e54288a118f03cfcd52c4d8116b257efcfdfb04c91f3ee0290da2a5576d031858d89d84a50b14e3dfef
-
SSDEEP
12288:UU5rCOTeifkEMzro+q6qhnHKKyK0sfarC4VdjSBYSnrZa73ctO:UUQOJf9MY+q60HKKybsfbMUTnrU73ctO
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4480 143.tmp 540 2D9.tmp 3444 3C4.tmp 2100 49F.tmp 4896 599.tmp 1188 DC6.tmp 1176 F5D.tmp 4888 1076.tmp 4988 11DD.tmp 3712 13B2.tmp 3540 14BC.tmp 1792 15A6.tmp 3708 172D.tmp 2096 18B3.tmp 2124 197E.tmp 1076 1AA7.tmp 2256 1B63.tmp 2324 1C4D.tmp 1648 1D28.tmp 936 1E12.tmp 4564 1F3B.tmp 1716 2035.tmp 3676 2100.tmp 1352 2239.tmp 3684 2313.tmp 2228 23CF.tmp 2988 249A.tmp 3648 25F2.tmp 4032 26BD.tmp 1120 2778.tmp 3844 2853.tmp 1772 2A86.tmp 3048 2B22.tmp 396 2BBE.tmp 4372 2C4B.tmp 3180 2CD7.tmp 548 2D83.tmp 2036 2E10.tmp 4168 2E8D.tmp 3652 2F29.tmp 4364 2FA6.tmp 1492 3071.tmp 408 30EE.tmp 4836 31F8.tmp 1500 32C3.tmp 1804 336F.tmp 1708 343A.tmp 1368 3505.tmp 2108 35D0.tmp 856 367C.tmp 4896 3767.tmp 1976 3880.tmp 1876 397A.tmp 3968 3AE1.tmp 4568 3C0A.tmp 4988 3CA6.tmp 5108 3D62.tmp 872 3E5C.tmp 2304 3F08.tmp 2076 3FB4.tmp 4560 406F.tmp 3764 4179.tmp 2792 4215.tmp 936 431F.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4752 wrote to memory of 4480 4752 2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe 89 PID 4752 wrote to memory of 4480 4752 2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe 89 PID 4752 wrote to memory of 4480 4752 2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe 89 PID 4480 wrote to memory of 540 4480 143.tmp 90 PID 4480 wrote to memory of 540 4480 143.tmp 90 PID 4480 wrote to memory of 540 4480 143.tmp 90 PID 540 wrote to memory of 3444 540 2D9.tmp 91 PID 540 wrote to memory of 3444 540 2D9.tmp 91 PID 540 wrote to memory of 3444 540 2D9.tmp 91 PID 3444 wrote to memory of 2100 3444 3C4.tmp 92 PID 3444 wrote to memory of 2100 3444 3C4.tmp 92 PID 3444 wrote to memory of 2100 3444 3C4.tmp 92 PID 2100 wrote to memory of 4896 2100 49F.tmp 93 PID 2100 wrote to memory of 4896 2100 49F.tmp 93 PID 2100 wrote to memory of 4896 2100 49F.tmp 93 PID 4896 wrote to memory of 1188 4896 599.tmp 94 PID 4896 wrote to memory of 1188 4896 599.tmp 94 PID 4896 wrote to memory of 1188 4896 599.tmp 94 PID 1188 wrote to memory of 1176 1188 DC6.tmp 95 PID 1188 wrote to memory of 1176 1188 DC6.tmp 95 PID 1188 wrote to memory of 1176 1188 DC6.tmp 95 PID 1176 wrote to memory of 4888 1176 F5D.tmp 96 PID 1176 wrote to memory of 4888 1176 F5D.tmp 96 PID 1176 wrote to memory of 4888 1176 F5D.tmp 96 PID 4888 wrote to memory of 4988 4888 1076.tmp 97 PID 4888 wrote to memory of 4988 4888 1076.tmp 97 PID 4888 wrote to memory of 4988 4888 1076.tmp 97 PID 4988 wrote to memory of 3712 4988 11DD.tmp 98 PID 4988 wrote to memory of 3712 4988 11DD.tmp 98 PID 4988 wrote to memory of 3712 4988 11DD.tmp 98 PID 3712 wrote to memory of 3540 3712 13B2.tmp 99 PID 3712 wrote to memory of 3540 3712 13B2.tmp 99 PID 3712 wrote to memory of 3540 3712 13B2.tmp 99 PID 3540 wrote to memory of 1792 3540 14BC.tmp 100 PID 3540 wrote to memory of 1792 3540 14BC.tmp 100 PID 3540 wrote to memory of 1792 3540 14BC.tmp 100 PID 1792 wrote to memory of 3708 1792 15A6.tmp 101 PID 1792 wrote to memory of 3708 1792 15A6.tmp 101 PID 1792 wrote to memory of 3708 1792 15A6.tmp 101 PID 3708 wrote to memory of 2096 3708 172D.tmp 102 PID 3708 wrote to memory of 2096 3708 172D.tmp 102 PID 3708 wrote to memory of 2096 3708 172D.tmp 102 PID 2096 wrote to memory of 2124 2096 18B3.tmp 103 PID 2096 wrote to memory of 2124 2096 18B3.tmp 103 PID 2096 wrote to memory of 2124 2096 18B3.tmp 103 PID 2124 wrote to memory of 1076 2124 197E.tmp 104 PID 2124 wrote to memory of 1076 2124 197E.tmp 104 PID 2124 wrote to memory of 1076 2124 197E.tmp 104 PID 1076 wrote to memory of 2256 1076 1AA7.tmp 105 PID 1076 wrote to memory of 2256 1076 1AA7.tmp 105 PID 1076 wrote to memory of 2256 1076 1AA7.tmp 105 PID 2256 wrote to memory of 2324 2256 1B63.tmp 106 PID 2256 wrote to memory of 2324 2256 1B63.tmp 106 PID 2256 wrote to memory of 2324 2256 1B63.tmp 106 PID 2324 wrote to memory of 1648 2324 1C4D.tmp 107 PID 2324 wrote to memory of 1648 2324 1C4D.tmp 107 PID 2324 wrote to memory of 1648 2324 1C4D.tmp 107 PID 1648 wrote to memory of 936 1648 1D28.tmp 108 PID 1648 wrote to memory of 936 1648 1D28.tmp 108 PID 1648 wrote to memory of 936 1648 1D28.tmp 108 PID 936 wrote to memory of 4564 936 1E12.tmp 109 PID 936 wrote to memory of 4564 936 1E12.tmp 109 PID 936 wrote to memory of 4564 936 1E12.tmp 109 PID 4564 wrote to memory of 1716 4564 1F3B.tmp 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-29_032b4cd9390d7c97815968630352860f_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\143.tmp"C:\Users\Admin\AppData\Local\Temp\143.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\2D9.tmp"C:\Users\Admin\AppData\Local\Temp\2D9.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\3C4.tmp"C:\Users\Admin\AppData\Local\Temp\3C4.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\49F.tmp"C:\Users\Admin\AppData\Local\Temp\49F.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\599.tmp"C:\Users\Admin\AppData\Local\Temp\599.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\DC6.tmp"C:\Users\Admin\AppData\Local\Temp\DC6.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\F5D.tmp"C:\Users\Admin\AppData\Local\Temp\F5D.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\1076.tmp"C:\Users\Admin\AppData\Local\Temp\1076.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\11DD.tmp"C:\Users\Admin\AppData\Local\Temp\11DD.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\13B2.tmp"C:\Users\Admin\AppData\Local\Temp\13B2.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\14BC.tmp"C:\Users\Admin\AppData\Local\Temp\14BC.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\15A6.tmp"C:\Users\Admin\AppData\Local\Temp\15A6.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\172D.tmp"C:\Users\Admin\AppData\Local\Temp\172D.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\18B3.tmp"C:\Users\Admin\AppData\Local\Temp\18B3.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\197E.tmp"C:\Users\Admin\AppData\Local\Temp\197E.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\1AA7.tmp"C:\Users\Admin\AppData\Local\Temp\1AA7.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\1B63.tmp"C:\Users\Admin\AppData\Local\Temp\1B63.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\1C4D.tmp"C:\Users\Admin\AppData\Local\Temp\1C4D.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\1D28.tmp"C:\Users\Admin\AppData\Local\Temp\1D28.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\1E12.tmp"C:\Users\Admin\AppData\Local\Temp\1E12.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Users\Admin\AppData\Local\Temp\1F3B.tmp"C:\Users\Admin\AppData\Local\Temp\1F3B.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\2035.tmp"C:\Users\Admin\AppData\Local\Temp\2035.tmp"23⤵
- Executes dropped EXE
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\2100.tmp"C:\Users\Admin\AppData\Local\Temp\2100.tmp"24⤵
- Executes dropped EXE
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\2239.tmp"C:\Users\Admin\AppData\Local\Temp\2239.tmp"25⤵
- Executes dropped EXE
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\2313.tmp"C:\Users\Admin\AppData\Local\Temp\2313.tmp"26⤵
- Executes dropped EXE
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\23CF.tmp"C:\Users\Admin\AppData\Local\Temp\23CF.tmp"27⤵
- Executes dropped EXE
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\249A.tmp"C:\Users\Admin\AppData\Local\Temp\249A.tmp"28⤵
- Executes dropped EXE
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\25F2.tmp"C:\Users\Admin\AppData\Local\Temp\25F2.tmp"29⤵
- Executes dropped EXE
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\26BD.tmp"C:\Users\Admin\AppData\Local\Temp\26BD.tmp"30⤵
- Executes dropped EXE
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\2778.tmp"C:\Users\Admin\AppData\Local\Temp\2778.tmp"31⤵
- Executes dropped EXE
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\2853.tmp"C:\Users\Admin\AppData\Local\Temp\2853.tmp"32⤵
- Executes dropped EXE
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\2A86.tmp"C:\Users\Admin\AppData\Local\Temp\2A86.tmp"33⤵
- Executes dropped EXE
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\2B22.tmp"C:\Users\Admin\AppData\Local\Temp\2B22.tmp"34⤵
- Executes dropped EXE
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\2BBE.tmp"C:\Users\Admin\AppData\Local\Temp\2BBE.tmp"35⤵
- Executes dropped EXE
PID:396 -
C:\Users\Admin\AppData\Local\Temp\2C4B.tmp"C:\Users\Admin\AppData\Local\Temp\2C4B.tmp"36⤵
- Executes dropped EXE
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\2CD7.tmp"C:\Users\Admin\AppData\Local\Temp\2CD7.tmp"37⤵
- Executes dropped EXE
PID:3180 -
C:\Users\Admin\AppData\Local\Temp\2D83.tmp"C:\Users\Admin\AppData\Local\Temp\2D83.tmp"38⤵
- Executes dropped EXE
PID:548 -
C:\Users\Admin\AppData\Local\Temp\2E10.tmp"C:\Users\Admin\AppData\Local\Temp\2E10.tmp"39⤵
- Executes dropped EXE
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\2E8D.tmp"C:\Users\Admin\AppData\Local\Temp\2E8D.tmp"40⤵
- Executes dropped EXE
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\2F29.tmp"C:\Users\Admin\AppData\Local\Temp\2F29.tmp"41⤵
- Executes dropped EXE
PID:3652 -
C:\Users\Admin\AppData\Local\Temp\2FA6.tmp"C:\Users\Admin\AppData\Local\Temp\2FA6.tmp"42⤵
- Executes dropped EXE
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\3071.tmp"C:\Users\Admin\AppData\Local\Temp\3071.tmp"43⤵
- Executes dropped EXE
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\30EE.tmp"C:\Users\Admin\AppData\Local\Temp\30EE.tmp"44⤵
- Executes dropped EXE
PID:408 -
C:\Users\Admin\AppData\Local\Temp\31F8.tmp"C:\Users\Admin\AppData\Local\Temp\31F8.tmp"45⤵
- Executes dropped EXE
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\32C3.tmp"C:\Users\Admin\AppData\Local\Temp\32C3.tmp"46⤵
- Executes dropped EXE
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\336F.tmp"C:\Users\Admin\AppData\Local\Temp\336F.tmp"47⤵
- Executes dropped EXE
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\343A.tmp"C:\Users\Admin\AppData\Local\Temp\343A.tmp"48⤵
- Executes dropped EXE
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\3505.tmp"C:\Users\Admin\AppData\Local\Temp\3505.tmp"49⤵
- Executes dropped EXE
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\35D0.tmp"C:\Users\Admin\AppData\Local\Temp\35D0.tmp"50⤵
- Executes dropped EXE
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\367C.tmp"C:\Users\Admin\AppData\Local\Temp\367C.tmp"51⤵
- Executes dropped EXE
PID:856 -
C:\Users\Admin\AppData\Local\Temp\3767.tmp"C:\Users\Admin\AppData\Local\Temp\3767.tmp"52⤵
- Executes dropped EXE
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\3880.tmp"C:\Users\Admin\AppData\Local\Temp\3880.tmp"53⤵
- Executes dropped EXE
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\397A.tmp"C:\Users\Admin\AppData\Local\Temp\397A.tmp"54⤵
- Executes dropped EXE
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\3AE1.tmp"C:\Users\Admin\AppData\Local\Temp\3AE1.tmp"55⤵
- Executes dropped EXE
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\3C0A.tmp"C:\Users\Admin\AppData\Local\Temp\3C0A.tmp"56⤵
- Executes dropped EXE
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\3CA6.tmp"C:\Users\Admin\AppData\Local\Temp\3CA6.tmp"57⤵
- Executes dropped EXE
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\3D62.tmp"C:\Users\Admin\AppData\Local\Temp\3D62.tmp"58⤵
- Executes dropped EXE
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\3E5C.tmp"C:\Users\Admin\AppData\Local\Temp\3E5C.tmp"59⤵
- Executes dropped EXE
PID:872 -
C:\Users\Admin\AppData\Local\Temp\3F08.tmp"C:\Users\Admin\AppData\Local\Temp\3F08.tmp"60⤵
- Executes dropped EXE
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\3FB4.tmp"C:\Users\Admin\AppData\Local\Temp\3FB4.tmp"61⤵
- Executes dropped EXE
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\406F.tmp"C:\Users\Admin\AppData\Local\Temp\406F.tmp"62⤵
- Executes dropped EXE
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\4179.tmp"C:\Users\Admin\AppData\Local\Temp\4179.tmp"63⤵
- Executes dropped EXE
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\4215.tmp"C:\Users\Admin\AppData\Local\Temp\4215.tmp"64⤵
- Executes dropped EXE
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\431F.tmp"C:\Users\Admin\AppData\Local\Temp\431F.tmp"65⤵
- Executes dropped EXE
PID:936 -
C:\Users\Admin\AppData\Local\Temp\43F9.tmp"C:\Users\Admin\AppData\Local\Temp\43F9.tmp"66⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\4541.tmp"C:\Users\Admin\AppData\Local\Temp\4541.tmp"67⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\45ED.tmp"C:\Users\Admin\AppData\Local\Temp\45ED.tmp"68⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\46A9.tmp"C:\Users\Admin\AppData\Local\Temp\46A9.tmp"69⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\4774.tmp"C:\Users\Admin\AppData\Local\Temp\4774.tmp"70⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\486E.tmp"C:\Users\Admin\AppData\Local\Temp\486E.tmp"71⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\4929.tmp"C:\Users\Admin\AppData\Local\Temp\4929.tmp"72⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\4A04.tmp"C:\Users\Admin\AppData\Local\Temp\4A04.tmp"73⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\4ACF.tmp"C:\Users\Admin\AppData\Local\Temp\4ACF.tmp"74⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\4B8B.tmp"C:\Users\Admin\AppData\Local\Temp\4B8B.tmp"75⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\4C46.tmp"C:\Users\Admin\AppData\Local\Temp\4C46.tmp"76⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\4D11.tmp"C:\Users\Admin\AppData\Local\Temp\4D11.tmp"77⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\4DBD.tmp"C:\Users\Admin\AppData\Local\Temp\4DBD.tmp"78⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\4E5A.tmp"C:\Users\Admin\AppData\Local\Temp\4E5A.tmp"79⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\4EE6.tmp"C:\Users\Admin\AppData\Local\Temp\4EE6.tmp"80⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\4FA2.tmp"C:\Users\Admin\AppData\Local\Temp\4FA2.tmp"81⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\502E.tmp"C:\Users\Admin\AppData\Local\Temp\502E.tmp"82⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\50BB.tmp"C:\Users\Admin\AppData\Local\Temp\50BB.tmp"83⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\5167.tmp"C:\Users\Admin\AppData\Local\Temp\5167.tmp"84⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\51D4.tmp"C:\Users\Admin\AppData\Local\Temp\51D4.tmp"85⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\52ED.tmp"C:\Users\Admin\AppData\Local\Temp\52ED.tmp"86⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\537A.tmp"C:\Users\Admin\AppData\Local\Temp\537A.tmp"87⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\53F7.tmp"C:\Users\Admin\AppData\Local\Temp\53F7.tmp"88⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\5474.tmp"C:\Users\Admin\AppData\Local\Temp\5474.tmp"89⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\5510.tmp"C:\Users\Admin\AppData\Local\Temp\5510.tmp"90⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\55AD.tmp"C:\Users\Admin\AppData\Local\Temp\55AD.tmp"91⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\5649.tmp"C:\Users\Admin\AppData\Local\Temp\5649.tmp"92⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\56D5.tmp"C:\Users\Admin\AppData\Local\Temp\56D5.tmp"93⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\5781.tmp"C:\Users\Admin\AppData\Local\Temp\5781.tmp"94⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\580E.tmp"C:\Users\Admin\AppData\Local\Temp\580E.tmp"95⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\589B.tmp"C:\Users\Admin\AppData\Local\Temp\589B.tmp"96⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\5918.tmp"C:\Users\Admin\AppData\Local\Temp\5918.tmp"97⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\59C3.tmp"C:\Users\Admin\AppData\Local\Temp\59C3.tmp"98⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\5A40.tmp"C:\Users\Admin\AppData\Local\Temp\5A40.tmp"99⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\5ADD.tmp"C:\Users\Admin\AppData\Local\Temp\5ADD.tmp"100⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\5B4A.tmp"C:\Users\Admin\AppData\Local\Temp\5B4A.tmp"101⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\5BC7.tmp"C:\Users\Admin\AppData\Local\Temp\5BC7.tmp"102⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\5CA2.tmp"C:\Users\Admin\AppData\Local\Temp\5CA2.tmp"103⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\5D1F.tmp"C:\Users\Admin\AppData\Local\Temp\5D1F.tmp"104⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\5DCB.tmp"C:\Users\Admin\AppData\Local\Temp\5DCB.tmp"105⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\5E67.tmp"C:\Users\Admin\AppData\Local\Temp\5E67.tmp"106⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\5EF4.tmp"C:\Users\Admin\AppData\Local\Temp\5EF4.tmp"107⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\5F80.tmp"C:\Users\Admin\AppData\Local\Temp\5F80.tmp"108⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\601C.tmp"C:\Users\Admin\AppData\Local\Temp\601C.tmp"109⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\6099.tmp"C:\Users\Admin\AppData\Local\Temp\6099.tmp"110⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\6116.tmp"C:\Users\Admin\AppData\Local\Temp\6116.tmp"111⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\61C2.tmp"C:\Users\Admin\AppData\Local\Temp\61C2.tmp"112⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\628D.tmp"C:\Users\Admin\AppData\Local\Temp\628D.tmp"113⤵PID:3684
-
C:\Users\Admin\AppData\Local\Temp\6339.tmp"C:\Users\Admin\AppData\Local\Temp\6339.tmp"114⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\63C6.tmp"C:\Users\Admin\AppData\Local\Temp\63C6.tmp"115⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\6453.tmp"C:\Users\Admin\AppData\Local\Temp\6453.tmp"116⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\64DF.tmp"C:\Users\Admin\AppData\Local\Temp\64DF.tmp"117⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\655C.tmp"C:\Users\Admin\AppData\Local\Temp\655C.tmp"118⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\6637.tmp"C:\Users\Admin\AppData\Local\Temp\6637.tmp"119⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\66D3.tmp"C:\Users\Admin\AppData\Local\Temp\66D3.tmp"120⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\676F.tmp"C:\Users\Admin\AppData\Local\Temp\676F.tmp"121⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\681B.tmp"C:\Users\Admin\AppData\Local\Temp\681B.tmp"122⤵PID:756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-