Analysis
-
max time kernel
150s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31/05/2024, 15:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe
Resource
win7-20240220-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe
-
Size
520KB
-
MD5
7e04858347be55977dcba9ecb6095de6
-
SHA1
20e2194974afac333a6fec8c3e875d08ac0f8b0c
-
SHA256
4a556f139e8ebf9d875fd8218a275b1f698150e7c6d454cc52cb07071a7b4a3a
-
SHA512
e8b633a0604d548b2f6ca99ebf086183797e556a2efa4809cc3f7d435653db1574e23e1aea0eeee50532539cb220e22f48c0a9c921a0be27216be395bcf4e449
-
SSDEEP
6144:lLvd/XzCjUIF1UuXLyQjmOH+JjLuhNE1cJlPrh2GzvMbcnttNtc+9XUj39sH3dZ:roRXOQjmOyCN/Pt2G1pt3UDSNZ
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1696 3345.tmp 4472 33A3.tmp 464 3420.tmp 4736 34AC.tmp 740 350A.tmp 956 3577.tmp 4588 35D5.tmp 4000 3642.tmp 4396 36B0.tmp 4936 370E.tmp 8 375C.tmp 4620 37AA.tmp 1732 3808.tmp 4804 3856.tmp 4104 38A4.tmp 4048 38F2.tmp 1644 3940.tmp 3328 398E.tmp 756 39EC.tmp 404 3A4A.tmp 4636 3AA7.tmp 1480 3B15.tmp 3852 3B92.tmp 2908 3BE0.tmp 3704 3C3E.tmp 5032 3CBB.tmp 4748 3D09.tmp 4908 3D86.tmp 4252 3E03.tmp 432 3E70.tmp 1620 3ECE.tmp 3644 3F2C.tmp 3740 3F89.tmp 4852 3FD8.tmp 2764 4026.tmp 1608 4074.tmp 2900 40C2.tmp 4460 4120.tmp 3736 417D.tmp 4468 41FA.tmp 2348 4268.tmp 3212 42C6.tmp 2464 4314.tmp 2844 4371.tmp 3864 43CF.tmp 4708 442D.tmp 652 447B.tmp 2220 44C9.tmp 916 4527.tmp 1524 4575.tmp 548 45D3.tmp 4276 4631.tmp 4496 467F.tmp 4352 46DC.tmp 452 473A.tmp 740 4788.tmp 2204 47E6.tmp 4152 4844.tmp 3136 48A2.tmp 3564 48F0.tmp 3592 493E.tmp 4060 49AB.tmp 4036 4A19.tmp 1648 4A67.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3156 wrote to memory of 1696 3156 2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe 83 PID 3156 wrote to memory of 1696 3156 2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe 83 PID 3156 wrote to memory of 1696 3156 2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe 83 PID 1696 wrote to memory of 4472 1696 3345.tmp 84 PID 1696 wrote to memory of 4472 1696 3345.tmp 84 PID 1696 wrote to memory of 4472 1696 3345.tmp 84 PID 4472 wrote to memory of 464 4472 33A3.tmp 86 PID 4472 wrote to memory of 464 4472 33A3.tmp 86 PID 4472 wrote to memory of 464 4472 33A3.tmp 86 PID 464 wrote to memory of 4736 464 3420.tmp 88 PID 464 wrote to memory of 4736 464 3420.tmp 88 PID 464 wrote to memory of 4736 464 3420.tmp 88 PID 4736 wrote to memory of 740 4736 34AC.tmp 89 PID 4736 wrote to memory of 740 4736 34AC.tmp 89 PID 4736 wrote to memory of 740 4736 34AC.tmp 89 PID 740 wrote to memory of 956 740 350A.tmp 90 PID 740 wrote to memory of 956 740 350A.tmp 90 PID 740 wrote to memory of 956 740 350A.tmp 90 PID 956 wrote to memory of 4588 956 3577.tmp 92 PID 956 wrote to memory of 4588 956 3577.tmp 92 PID 956 wrote to memory of 4588 956 3577.tmp 92 PID 4588 wrote to memory of 4000 4588 35D5.tmp 93 PID 4588 wrote to memory of 4000 4588 35D5.tmp 93 PID 4588 wrote to memory of 4000 4588 35D5.tmp 93 PID 4000 wrote to memory of 4396 4000 3642.tmp 94 PID 4000 wrote to memory of 4396 4000 3642.tmp 94 PID 4000 wrote to memory of 4396 4000 3642.tmp 94 PID 4396 wrote to memory of 4936 4396 36B0.tmp 95 PID 4396 wrote to memory of 4936 4396 36B0.tmp 95 PID 4396 wrote to memory of 4936 4396 36B0.tmp 95 PID 4936 wrote to memory of 8 4936 370E.tmp 96 PID 4936 wrote to memory of 8 4936 370E.tmp 96 PID 4936 wrote to memory of 8 4936 370E.tmp 96 PID 8 wrote to memory of 4620 8 375C.tmp 97 PID 8 wrote to memory of 4620 8 375C.tmp 97 PID 8 wrote to memory of 4620 8 375C.tmp 97 PID 4620 wrote to memory of 1732 4620 37AA.tmp 98 PID 4620 wrote to memory of 1732 4620 37AA.tmp 98 PID 4620 wrote to memory of 1732 4620 37AA.tmp 98 PID 1732 wrote to memory of 4804 1732 3808.tmp 99 PID 1732 wrote to memory of 4804 1732 3808.tmp 99 PID 1732 wrote to memory of 4804 1732 3808.tmp 99 PID 4804 wrote to memory of 4104 4804 3856.tmp 100 PID 4804 wrote to memory of 4104 4804 3856.tmp 100 PID 4804 wrote to memory of 4104 4804 3856.tmp 100 PID 4104 wrote to memory of 4048 4104 38A4.tmp 101 PID 4104 wrote to memory of 4048 4104 38A4.tmp 101 PID 4104 wrote to memory of 4048 4104 38A4.tmp 101 PID 4048 wrote to memory of 1644 4048 38F2.tmp 102 PID 4048 wrote to memory of 1644 4048 38F2.tmp 102 PID 4048 wrote to memory of 1644 4048 38F2.tmp 102 PID 1644 wrote to memory of 3328 1644 3940.tmp 103 PID 1644 wrote to memory of 3328 1644 3940.tmp 103 PID 1644 wrote to memory of 3328 1644 3940.tmp 103 PID 3328 wrote to memory of 756 3328 398E.tmp 104 PID 3328 wrote to memory of 756 3328 398E.tmp 104 PID 3328 wrote to memory of 756 3328 398E.tmp 104 PID 756 wrote to memory of 404 756 39EC.tmp 105 PID 756 wrote to memory of 404 756 39EC.tmp 105 PID 756 wrote to memory of 404 756 39EC.tmp 105 PID 404 wrote to memory of 4636 404 3A4A.tmp 106 PID 404 wrote to memory of 4636 404 3A4A.tmp 106 PID 404 wrote to memory of 4636 404 3A4A.tmp 106 PID 4636 wrote to memory of 1480 4636 3AA7.tmp 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-31_7e04858347be55977dcba9ecb6095de6_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Users\Admin\AppData\Local\Temp\3345.tmp"C:\Users\Admin\AppData\Local\Temp\3345.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\33A3.tmp"C:\Users\Admin\AppData\Local\Temp\33A3.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\3420.tmp"C:\Users\Admin\AppData\Local\Temp\3420.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Users\Admin\AppData\Local\Temp\34AC.tmp"C:\Users\Admin\AppData\Local\Temp\34AC.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\350A.tmp"C:\Users\Admin\AppData\Local\Temp\350A.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Users\Admin\AppData\Local\Temp\3577.tmp"C:\Users\Admin\AppData\Local\Temp\3577.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Users\Admin\AppData\Local\Temp\35D5.tmp"C:\Users\Admin\AppData\Local\Temp\35D5.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\3642.tmp"C:\Users\Admin\AppData\Local\Temp\3642.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Users\Admin\AppData\Local\Temp\36B0.tmp"C:\Users\Admin\AppData\Local\Temp\36B0.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\370E.tmp"C:\Users\Admin\AppData\Local\Temp\370E.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\375C.tmp"C:\Users\Admin\AppData\Local\Temp\375C.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\37AA.tmp"C:\Users\Admin\AppData\Local\Temp\37AA.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\3808.tmp"C:\Users\Admin\AppData\Local\Temp\3808.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\3856.tmp"C:\Users\Admin\AppData\Local\Temp\3856.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\38A4.tmp"C:\Users\Admin\AppData\Local\Temp\38A4.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\38F2.tmp"C:\Users\Admin\AppData\Local\Temp\38F2.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\3940.tmp"C:\Users\Admin\AppData\Local\Temp\3940.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\398E.tmp"C:\Users\Admin\AppData\Local\Temp\398E.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\39EC.tmp"C:\Users\Admin\AppData\Local\Temp\39EC.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\3A4A.tmp"C:\Users\Admin\AppData\Local\Temp\3A4A.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Users\Admin\AppData\Local\Temp\3AA7.tmp"C:\Users\Admin\AppData\Local\Temp\3AA7.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\3B15.tmp"C:\Users\Admin\AppData\Local\Temp\3B15.tmp"23⤵
- Executes dropped EXE
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\3B92.tmp"C:\Users\Admin\AppData\Local\Temp\3B92.tmp"24⤵
- Executes dropped EXE
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\3BE0.tmp"C:\Users\Admin\AppData\Local\Temp\3BE0.tmp"25⤵
- Executes dropped EXE
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\3C3E.tmp"C:\Users\Admin\AppData\Local\Temp\3C3E.tmp"26⤵
- Executes dropped EXE
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\3CBB.tmp"C:\Users\Admin\AppData\Local\Temp\3CBB.tmp"27⤵
- Executes dropped EXE
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\3D09.tmp"C:\Users\Admin\AppData\Local\Temp\3D09.tmp"28⤵
- Executes dropped EXE
PID:4748 -
C:\Users\Admin\AppData\Local\Temp\3D86.tmp"C:\Users\Admin\AppData\Local\Temp\3D86.tmp"29⤵
- Executes dropped EXE
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\3E03.tmp"C:\Users\Admin\AppData\Local\Temp\3E03.tmp"30⤵
- Executes dropped EXE
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\3E70.tmp"C:\Users\Admin\AppData\Local\Temp\3E70.tmp"31⤵
- Executes dropped EXE
PID:432 -
C:\Users\Admin\AppData\Local\Temp\3ECE.tmp"C:\Users\Admin\AppData\Local\Temp\3ECE.tmp"32⤵
- Executes dropped EXE
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\3F2C.tmp"C:\Users\Admin\AppData\Local\Temp\3F2C.tmp"33⤵
- Executes dropped EXE
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\3F89.tmp"C:\Users\Admin\AppData\Local\Temp\3F89.tmp"34⤵
- Executes dropped EXE
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\3FD8.tmp"C:\Users\Admin\AppData\Local\Temp\3FD8.tmp"35⤵
- Executes dropped EXE
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\4026.tmp"C:\Users\Admin\AppData\Local\Temp\4026.tmp"36⤵
- Executes dropped EXE
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\4074.tmp"C:\Users\Admin\AppData\Local\Temp\4074.tmp"37⤵
- Executes dropped EXE
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\40C2.tmp"C:\Users\Admin\AppData\Local\Temp\40C2.tmp"38⤵
- Executes dropped EXE
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\4120.tmp"C:\Users\Admin\AppData\Local\Temp\4120.tmp"39⤵
- Executes dropped EXE
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\417D.tmp"C:\Users\Admin\AppData\Local\Temp\417D.tmp"40⤵
- Executes dropped EXE
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\41FA.tmp"C:\Users\Admin\AppData\Local\Temp\41FA.tmp"41⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\4268.tmp"C:\Users\Admin\AppData\Local\Temp\4268.tmp"42⤵
- Executes dropped EXE
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\42C6.tmp"C:\Users\Admin\AppData\Local\Temp\42C6.tmp"43⤵
- Executes dropped EXE
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\4314.tmp"C:\Users\Admin\AppData\Local\Temp\4314.tmp"44⤵
- Executes dropped EXE
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\4371.tmp"C:\Users\Admin\AppData\Local\Temp\4371.tmp"45⤵
- Executes dropped EXE
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\43CF.tmp"C:\Users\Admin\AppData\Local\Temp\43CF.tmp"46⤵
- Executes dropped EXE
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\442D.tmp"C:\Users\Admin\AppData\Local\Temp\442D.tmp"47⤵
- Executes dropped EXE
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\447B.tmp"C:\Users\Admin\AppData\Local\Temp\447B.tmp"48⤵
- Executes dropped EXE
PID:652 -
C:\Users\Admin\AppData\Local\Temp\44C9.tmp"C:\Users\Admin\AppData\Local\Temp\44C9.tmp"49⤵
- Executes dropped EXE
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\4527.tmp"C:\Users\Admin\AppData\Local\Temp\4527.tmp"50⤵
- Executes dropped EXE
PID:916 -
C:\Users\Admin\AppData\Local\Temp\4575.tmp"C:\Users\Admin\AppData\Local\Temp\4575.tmp"51⤵
- Executes dropped EXE
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\45D3.tmp"C:\Users\Admin\AppData\Local\Temp\45D3.tmp"52⤵
- Executes dropped EXE
PID:548 -
C:\Users\Admin\AppData\Local\Temp\4631.tmp"C:\Users\Admin\AppData\Local\Temp\4631.tmp"53⤵
- Executes dropped EXE
PID:4276 -
C:\Users\Admin\AppData\Local\Temp\467F.tmp"C:\Users\Admin\AppData\Local\Temp\467F.tmp"54⤵
- Executes dropped EXE
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\46DC.tmp"C:\Users\Admin\AppData\Local\Temp\46DC.tmp"55⤵
- Executes dropped EXE
PID:4352 -
C:\Users\Admin\AppData\Local\Temp\473A.tmp"C:\Users\Admin\AppData\Local\Temp\473A.tmp"56⤵
- Executes dropped EXE
PID:452 -
C:\Users\Admin\AppData\Local\Temp\4788.tmp"C:\Users\Admin\AppData\Local\Temp\4788.tmp"57⤵
- Executes dropped EXE
PID:740 -
C:\Users\Admin\AppData\Local\Temp\47E6.tmp"C:\Users\Admin\AppData\Local\Temp\47E6.tmp"58⤵
- Executes dropped EXE
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\4844.tmp"C:\Users\Admin\AppData\Local\Temp\4844.tmp"59⤵
- Executes dropped EXE
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\48A2.tmp"C:\Users\Admin\AppData\Local\Temp\48A2.tmp"60⤵
- Executes dropped EXE
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\48F0.tmp"C:\Users\Admin\AppData\Local\Temp\48F0.tmp"61⤵
- Executes dropped EXE
PID:3564 -
C:\Users\Admin\AppData\Local\Temp\493E.tmp"C:\Users\Admin\AppData\Local\Temp\493E.tmp"62⤵
- Executes dropped EXE
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\49AB.tmp"C:\Users\Admin\AppData\Local\Temp\49AB.tmp"63⤵
- Executes dropped EXE
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\4A19.tmp"C:\Users\Admin\AppData\Local\Temp\4A19.tmp"64⤵
- Executes dropped EXE
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\4A67.tmp"C:\Users\Admin\AppData\Local\Temp\4A67.tmp"65⤵
- Executes dropped EXE
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\4AC4.tmp"C:\Users\Admin\AppData\Local\Temp\4AC4.tmp"66⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\4B22.tmp"C:\Users\Admin\AppData\Local\Temp\4B22.tmp"67⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\4B70.tmp"C:\Users\Admin\AppData\Local\Temp\4B70.tmp"68⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\4BBE.tmp"C:\Users\Admin\AppData\Local\Temp\4BBE.tmp"69⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\4C0D.tmp"C:\Users\Admin\AppData\Local\Temp\4C0D.tmp"70⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\4C7A.tmp"C:\Users\Admin\AppData\Local\Temp\4C7A.tmp"71⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\4CD8.tmp"C:\Users\Admin\AppData\Local\Temp\4CD8.tmp"72⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\4D35.tmp"C:\Users\Admin\AppData\Local\Temp\4D35.tmp"73⤵PID:3180
-
C:\Users\Admin\AppData\Local\Temp\4D93.tmp"C:\Users\Admin\AppData\Local\Temp\4D93.tmp"74⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\4E01.tmp"C:\Users\Admin\AppData\Local\Temp\4E01.tmp"75⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"76⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\4EBC.tmp"C:\Users\Admin\AppData\Local\Temp\4EBC.tmp"77⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"78⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\4F78.tmp"C:\Users\Admin\AppData\Local\Temp\4F78.tmp"79⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\4FD5.tmp"C:\Users\Admin\AppData\Local\Temp\4FD5.tmp"80⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\5023.tmp"C:\Users\Admin\AppData\Local\Temp\5023.tmp"81⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\5081.tmp"C:\Users\Admin\AppData\Local\Temp\5081.tmp"82⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\50DF.tmp"C:\Users\Admin\AppData\Local\Temp\50DF.tmp"83⤵PID:836
-
C:\Users\Admin\AppData\Local\Temp\513D.tmp"C:\Users\Admin\AppData\Local\Temp\513D.tmp"84⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\519A.tmp"C:\Users\Admin\AppData\Local\Temp\519A.tmp"85⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\51E9.tmp"C:\Users\Admin\AppData\Local\Temp\51E9.tmp"86⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\5237.tmp"C:\Users\Admin\AppData\Local\Temp\5237.tmp"87⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\5294.tmp"C:\Users\Admin\AppData\Local\Temp\5294.tmp"88⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\52E3.tmp"C:\Users\Admin\AppData\Local\Temp\52E3.tmp"89⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\5340.tmp"C:\Users\Admin\AppData\Local\Temp\5340.tmp"90⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\539E.tmp"C:\Users\Admin\AppData\Local\Temp\539E.tmp"91⤵PID:424
-
C:\Users\Admin\AppData\Local\Temp\53FC.tmp"C:\Users\Admin\AppData\Local\Temp\53FC.tmp"92⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\544A.tmp"C:\Users\Admin\AppData\Local\Temp\544A.tmp"93⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\54A8.tmp"C:\Users\Admin\AppData\Local\Temp\54A8.tmp"94⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\5505.tmp"C:\Users\Admin\AppData\Local\Temp\5505.tmp"95⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\5563.tmp"C:\Users\Admin\AppData\Local\Temp\5563.tmp"96⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\55C1.tmp"C:\Users\Admin\AppData\Local\Temp\55C1.tmp"97⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\561F.tmp"C:\Users\Admin\AppData\Local\Temp\561F.tmp"98⤵PID:4016
-
C:\Users\Admin\AppData\Local\Temp\567C.tmp"C:\Users\Admin\AppData\Local\Temp\567C.tmp"99⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\56DA.tmp"C:\Users\Admin\AppData\Local\Temp\56DA.tmp"100⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\5738.tmp"C:\Users\Admin\AppData\Local\Temp\5738.tmp"101⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\57A5.tmp"C:\Users\Admin\AppData\Local\Temp\57A5.tmp"102⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\5803.tmp"C:\Users\Admin\AppData\Local\Temp\5803.tmp"103⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\5861.tmp"C:\Users\Admin\AppData\Local\Temp\5861.tmp"104⤵PID:1224
-
C:\Users\Admin\AppData\Local\Temp\58BF.tmp"C:\Users\Admin\AppData\Local\Temp\58BF.tmp"105⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\591C.tmp"C:\Users\Admin\AppData\Local\Temp\591C.tmp"106⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\597A.tmp"C:\Users\Admin\AppData\Local\Temp\597A.tmp"107⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\59D8.tmp"C:\Users\Admin\AppData\Local\Temp\59D8.tmp"108⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\5A26.tmp"C:\Users\Admin\AppData\Local\Temp\5A26.tmp"109⤵PID:652
-
C:\Users\Admin\AppData\Local\Temp\5A84.tmp"C:\Users\Admin\AppData\Local\Temp\5A84.tmp"110⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"111⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"112⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\5B8D.tmp"C:\Users\Admin\AppData\Local\Temp\5B8D.tmp"113⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"114⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\5C39.tmp"C:\Users\Admin\AppData\Local\Temp\5C39.tmp"115⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\5C87.tmp"C:\Users\Admin\AppData\Local\Temp\5C87.tmp"116⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\5CD5.tmp"C:\Users\Admin\AppData\Local\Temp\5CD5.tmp"117⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\5D24.tmp"C:\Users\Admin\AppData\Local\Temp\5D24.tmp"118⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\5D72.tmp"C:\Users\Admin\AppData\Local\Temp\5D72.tmp"119⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\5DCF.tmp"C:\Users\Admin\AppData\Local\Temp\5DCF.tmp"120⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\5E1E.tmp"C:\Users\Admin\AppData\Local\Temp\5E1E.tmp"121⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\5E7B.tmp"C:\Users\Admin\AppData\Local\Temp\5E7B.tmp"122⤵PID:1948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-