Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 06:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe
-
Size
541KB
-
MD5
25055d6f31d7f3207f52185f7acbc509
-
SHA1
bd2ee37e01ebf37de77a0e45612e54681eac84a1
-
SHA256
3bf7258f282d52341775e6d8dbf771724382ed96eb07a82493d76d9968815101
-
SHA512
4ac4ea96679389928072cbdd376a768fd98c415e87b4f2c4aa426031dc4ba69255c0a195c8bb4955b61f66d5de1dcdeffb2598e957e99df895297e34020c48ab
-
SSDEEP
12288:UU5rCOTeif3ErcO+WOnXo+dUNXgUKgHVdVH4HvrZa73ctO:UUQOJf3mx+WihGNrr1ArU73ctO
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2992 3122.tmp 3996 318F.tmp 5356 31ED.tmp 6048 324B.tmp 5632 32A9.tmp 1144 3316.tmp 1012 3374.tmp 1112 33E1.tmp 3568 343F.tmp 5776 349D.tmp 5384 34FA.tmp 2336 3568.tmp 5604 35B6.tmp 5300 3604.tmp 1856 3652.tmp 5232 36A0.tmp 3324 36EE.tmp 4312 373C.tmp 692 379A.tmp 1424 37F8.tmp 672 3856.tmp 4484 38A4.tmp 812 3902.tmp 2228 3950.tmp 5568 399E.tmp 4880 39EC.tmp 5100 3A2A.tmp 5480 3A88.tmp 532 3AE6.tmp 2628 3B34.tmp 3664 3B82.tmp 2164 3BD0.tmp 4240 3C4D.tmp 5464 3C9B.tmp 860 3CDA.tmp 640 3D28.tmp 856 3D76.tmp 724 3DC4.tmp 3308 3E12.tmp 3808 3E61.tmp 5124 3EAF.tmp 5196 3EFD.tmp 2812 3F5B.tmp 6052 3FE7.tmp 5416 4074.tmp 1448 417D.tmp 5548 41EB.tmp 1936 4258.tmp 2536 42B6.tmp 1664 4314.tmp 5200 4371.tmp 3740 43CF.tmp 4700 442D.tmp 2428 448B.tmp 6140 44E8.tmp 4764 4546.tmp 5016 45A4.tmp 1804 4602.tmp 2608 4650.tmp 2280 469E.tmp 1472 46EC.tmp 872 473A.tmp 992 4798.tmp 1148 47E6.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4920 wrote to memory of 2992 4920 2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe 81 PID 4920 wrote to memory of 2992 4920 2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe 81 PID 4920 wrote to memory of 2992 4920 2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe 81 PID 2992 wrote to memory of 3996 2992 3122.tmp 82 PID 2992 wrote to memory of 3996 2992 3122.tmp 82 PID 2992 wrote to memory of 3996 2992 3122.tmp 82 PID 3996 wrote to memory of 5356 3996 318F.tmp 83 PID 3996 wrote to memory of 5356 3996 318F.tmp 83 PID 3996 wrote to memory of 5356 3996 318F.tmp 83 PID 5356 wrote to memory of 6048 5356 31ED.tmp 85 PID 5356 wrote to memory of 6048 5356 31ED.tmp 85 PID 5356 wrote to memory of 6048 5356 31ED.tmp 85 PID 6048 wrote to memory of 5632 6048 324B.tmp 87 PID 6048 wrote to memory of 5632 6048 324B.tmp 87 PID 6048 wrote to memory of 5632 6048 324B.tmp 87 PID 5632 wrote to memory of 1144 5632 32A9.tmp 89 PID 5632 wrote to memory of 1144 5632 32A9.tmp 89 PID 5632 wrote to memory of 1144 5632 32A9.tmp 89 PID 1144 wrote to memory of 1012 1144 3316.tmp 90 PID 1144 wrote to memory of 1012 1144 3316.tmp 90 PID 1144 wrote to memory of 1012 1144 3316.tmp 90 PID 1012 wrote to memory of 1112 1012 3374.tmp 91 PID 1012 wrote to memory of 1112 1012 3374.tmp 91 PID 1012 wrote to memory of 1112 1012 3374.tmp 91 PID 1112 wrote to memory of 3568 1112 33E1.tmp 92 PID 1112 wrote to memory of 3568 1112 33E1.tmp 92 PID 1112 wrote to memory of 3568 1112 33E1.tmp 92 PID 3568 wrote to memory of 5776 3568 343F.tmp 93 PID 3568 wrote to memory of 5776 3568 343F.tmp 93 PID 3568 wrote to memory of 5776 3568 343F.tmp 93 PID 5776 wrote to memory of 5384 5776 349D.tmp 94 PID 5776 wrote to memory of 5384 5776 349D.tmp 94 PID 5776 wrote to memory of 5384 5776 349D.tmp 94 PID 5384 wrote to memory of 2336 5384 34FA.tmp 95 PID 5384 wrote to memory of 2336 5384 34FA.tmp 95 PID 5384 wrote to memory of 2336 5384 34FA.tmp 95 PID 2336 wrote to memory of 5604 2336 3568.tmp 96 PID 2336 wrote to memory of 5604 2336 3568.tmp 96 PID 2336 wrote to memory of 5604 2336 3568.tmp 96 PID 5604 wrote to memory of 5300 5604 35B6.tmp 97 PID 5604 wrote to memory of 5300 5604 35B6.tmp 97 PID 5604 wrote to memory of 5300 5604 35B6.tmp 97 PID 5300 wrote to memory of 1856 5300 3604.tmp 98 PID 5300 wrote to memory of 1856 5300 3604.tmp 98 PID 5300 wrote to memory of 1856 5300 3604.tmp 98 PID 1856 wrote to memory of 5232 1856 3652.tmp 99 PID 1856 wrote to memory of 5232 1856 3652.tmp 99 PID 1856 wrote to memory of 5232 1856 3652.tmp 99 PID 5232 wrote to memory of 3324 5232 36A0.tmp 100 PID 5232 wrote to memory of 3324 5232 36A0.tmp 100 PID 5232 wrote to memory of 3324 5232 36A0.tmp 100 PID 3324 wrote to memory of 4312 3324 36EE.tmp 101 PID 3324 wrote to memory of 4312 3324 36EE.tmp 101 PID 3324 wrote to memory of 4312 3324 36EE.tmp 101 PID 4312 wrote to memory of 692 4312 373C.tmp 102 PID 4312 wrote to memory of 692 4312 373C.tmp 102 PID 4312 wrote to memory of 692 4312 373C.tmp 102 PID 692 wrote to memory of 1424 692 379A.tmp 103 PID 692 wrote to memory of 1424 692 379A.tmp 103 PID 692 wrote to memory of 1424 692 379A.tmp 103 PID 1424 wrote to memory of 672 1424 37F8.tmp 104 PID 1424 wrote to memory of 672 1424 37F8.tmp 104 PID 1424 wrote to memory of 672 1424 37F8.tmp 104 PID 672 wrote to memory of 4484 672 3856.tmp 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_25055d6f31d7f3207f52185f7acbc509_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\3122.tmp"C:\Users\Admin\AppData\Local\Temp\3122.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\318F.tmp"C:\Users\Admin\AppData\Local\Temp\318F.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\31ED.tmp"C:\Users\Admin\AppData\Local\Temp\31ED.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5356 -
C:\Users\Admin\AppData\Local\Temp\324B.tmp"C:\Users\Admin\AppData\Local\Temp\324B.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6048 -
C:\Users\Admin\AppData\Local\Temp\32A9.tmp"C:\Users\Admin\AppData\Local\Temp\32A9.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5632 -
C:\Users\Admin\AppData\Local\Temp\3316.tmp"C:\Users\Admin\AppData\Local\Temp\3316.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\3374.tmp"C:\Users\Admin\AppData\Local\Temp\3374.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Users\Admin\AppData\Local\Temp\33E1.tmp"C:\Users\Admin\AppData\Local\Temp\33E1.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Users\Admin\AppData\Local\Temp\343F.tmp"C:\Users\Admin\AppData\Local\Temp\343F.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\349D.tmp"C:\Users\Admin\AppData\Local\Temp\349D.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5776 -
C:\Users\Admin\AppData\Local\Temp\34FA.tmp"C:\Users\Admin\AppData\Local\Temp\34FA.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5384 -
C:\Users\Admin\AppData\Local\Temp\3568.tmp"C:\Users\Admin\AppData\Local\Temp\3568.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\35B6.tmp"C:\Users\Admin\AppData\Local\Temp\35B6.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5604 -
C:\Users\Admin\AppData\Local\Temp\3604.tmp"C:\Users\Admin\AppData\Local\Temp\3604.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5300 -
C:\Users\Admin\AppData\Local\Temp\3652.tmp"C:\Users\Admin\AppData\Local\Temp\3652.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Users\Admin\AppData\Local\Temp\36A0.tmp"C:\Users\Admin\AppData\Local\Temp\36A0.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5232 -
C:\Users\Admin\AppData\Local\Temp\36EE.tmp"C:\Users\Admin\AppData\Local\Temp\36EE.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\373C.tmp"C:\Users\Admin\AppData\Local\Temp\373C.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\379A.tmp"C:\Users\Admin\AppData\Local\Temp\379A.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Users\Admin\AppData\Local\Temp\37F8.tmp"C:\Users\Admin\AppData\Local\Temp\37F8.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\3856.tmp"C:\Users\Admin\AppData\Local\Temp\3856.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Users\Admin\AppData\Local\Temp\38A4.tmp"C:\Users\Admin\AppData\Local\Temp\38A4.tmp"23⤵
- Executes dropped EXE
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\3902.tmp"C:\Users\Admin\AppData\Local\Temp\3902.tmp"24⤵
- Executes dropped EXE
PID:812 -
C:\Users\Admin\AppData\Local\Temp\3950.tmp"C:\Users\Admin\AppData\Local\Temp\3950.tmp"25⤵
- Executes dropped EXE
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\399E.tmp"C:\Users\Admin\AppData\Local\Temp\399E.tmp"26⤵
- Executes dropped EXE
PID:5568 -
C:\Users\Admin\AppData\Local\Temp\39EC.tmp"C:\Users\Admin\AppData\Local\Temp\39EC.tmp"27⤵
- Executes dropped EXE
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\3A2A.tmp"C:\Users\Admin\AppData\Local\Temp\3A2A.tmp"28⤵
- Executes dropped EXE
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\3A88.tmp"C:\Users\Admin\AppData\Local\Temp\3A88.tmp"29⤵
- Executes dropped EXE
PID:5480 -
C:\Users\Admin\AppData\Local\Temp\3AE6.tmp"C:\Users\Admin\AppData\Local\Temp\3AE6.tmp"30⤵
- Executes dropped EXE
PID:532 -
C:\Users\Admin\AppData\Local\Temp\3B34.tmp"C:\Users\Admin\AppData\Local\Temp\3B34.tmp"31⤵
- Executes dropped EXE
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\3B82.tmp"C:\Users\Admin\AppData\Local\Temp\3B82.tmp"32⤵
- Executes dropped EXE
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\3BD0.tmp"C:\Users\Admin\AppData\Local\Temp\3BD0.tmp"33⤵
- Executes dropped EXE
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\3C4D.tmp"C:\Users\Admin\AppData\Local\Temp\3C4D.tmp"34⤵
- Executes dropped EXE
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\3C9B.tmp"C:\Users\Admin\AppData\Local\Temp\3C9B.tmp"35⤵
- Executes dropped EXE
PID:5464 -
C:\Users\Admin\AppData\Local\Temp\3CDA.tmp"C:\Users\Admin\AppData\Local\Temp\3CDA.tmp"36⤵
- Executes dropped EXE
PID:860 -
C:\Users\Admin\AppData\Local\Temp\3D28.tmp"C:\Users\Admin\AppData\Local\Temp\3D28.tmp"37⤵
- Executes dropped EXE
PID:640 -
C:\Users\Admin\AppData\Local\Temp\3D76.tmp"C:\Users\Admin\AppData\Local\Temp\3D76.tmp"38⤵
- Executes dropped EXE
PID:856 -
C:\Users\Admin\AppData\Local\Temp\3DC4.tmp"C:\Users\Admin\AppData\Local\Temp\3DC4.tmp"39⤵
- Executes dropped EXE
PID:724 -
C:\Users\Admin\AppData\Local\Temp\3E12.tmp"C:\Users\Admin\AppData\Local\Temp\3E12.tmp"40⤵
- Executes dropped EXE
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\3E61.tmp"C:\Users\Admin\AppData\Local\Temp\3E61.tmp"41⤵
- Executes dropped EXE
PID:3808 -
C:\Users\Admin\AppData\Local\Temp\3EAF.tmp"C:\Users\Admin\AppData\Local\Temp\3EAF.tmp"42⤵
- Executes dropped EXE
PID:5124 -
C:\Users\Admin\AppData\Local\Temp\3EFD.tmp"C:\Users\Admin\AppData\Local\Temp\3EFD.tmp"43⤵
- Executes dropped EXE
PID:5196 -
C:\Users\Admin\AppData\Local\Temp\3F5B.tmp"C:\Users\Admin\AppData\Local\Temp\3F5B.tmp"44⤵
- Executes dropped EXE
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\3FE7.tmp"C:\Users\Admin\AppData\Local\Temp\3FE7.tmp"45⤵
- Executes dropped EXE
PID:6052 -
C:\Users\Admin\AppData\Local\Temp\4074.tmp"C:\Users\Admin\AppData\Local\Temp\4074.tmp"46⤵
- Executes dropped EXE
PID:5416 -
C:\Users\Admin\AppData\Local\Temp\417D.tmp"C:\Users\Admin\AppData\Local\Temp\417D.tmp"47⤵
- Executes dropped EXE
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\41EB.tmp"C:\Users\Admin\AppData\Local\Temp\41EB.tmp"48⤵
- Executes dropped EXE
PID:5548 -
C:\Users\Admin\AppData\Local\Temp\4258.tmp"C:\Users\Admin\AppData\Local\Temp\4258.tmp"49⤵
- Executes dropped EXE
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\42B6.tmp"C:\Users\Admin\AppData\Local\Temp\42B6.tmp"50⤵
- Executes dropped EXE
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\4314.tmp"C:\Users\Admin\AppData\Local\Temp\4314.tmp"51⤵
- Executes dropped EXE
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\4371.tmp"C:\Users\Admin\AppData\Local\Temp\4371.tmp"52⤵
- Executes dropped EXE
PID:5200 -
C:\Users\Admin\AppData\Local\Temp\43CF.tmp"C:\Users\Admin\AppData\Local\Temp\43CF.tmp"53⤵
- Executes dropped EXE
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\442D.tmp"C:\Users\Admin\AppData\Local\Temp\442D.tmp"54⤵
- Executes dropped EXE
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\448B.tmp"C:\Users\Admin\AppData\Local\Temp\448B.tmp"55⤵
- Executes dropped EXE
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\44E8.tmp"C:\Users\Admin\AppData\Local\Temp\44E8.tmp"56⤵
- Executes dropped EXE
PID:6140 -
C:\Users\Admin\AppData\Local\Temp\4546.tmp"C:\Users\Admin\AppData\Local\Temp\4546.tmp"57⤵
- Executes dropped EXE
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\45A4.tmp"C:\Users\Admin\AppData\Local\Temp\45A4.tmp"58⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\4602.tmp"C:\Users\Admin\AppData\Local\Temp\4602.tmp"59⤵
- Executes dropped EXE
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\4650.tmp"C:\Users\Admin\AppData\Local\Temp\4650.tmp"60⤵
- Executes dropped EXE
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\469E.tmp"C:\Users\Admin\AppData\Local\Temp\469E.tmp"61⤵
- Executes dropped EXE
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\46EC.tmp"C:\Users\Admin\AppData\Local\Temp\46EC.tmp"62⤵
- Executes dropped EXE
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\473A.tmp"C:\Users\Admin\AppData\Local\Temp\473A.tmp"63⤵
- Executes dropped EXE
PID:872 -
C:\Users\Admin\AppData\Local\Temp\4798.tmp"C:\Users\Admin\AppData\Local\Temp\4798.tmp"64⤵
- Executes dropped EXE
PID:992 -
C:\Users\Admin\AppData\Local\Temp\47E6.tmp"C:\Users\Admin\AppData\Local\Temp\47E6.tmp"65⤵
- Executes dropped EXE
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\4844.tmp"C:\Users\Admin\AppData\Local\Temp\4844.tmp"66⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\4892.tmp"C:\Users\Admin\AppData\Local\Temp\4892.tmp"67⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\48E0.tmp"C:\Users\Admin\AppData\Local\Temp\48E0.tmp"68⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\492E.tmp"C:\Users\Admin\AppData\Local\Temp\492E.tmp"69⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\498C.tmp"C:\Users\Admin\AppData\Local\Temp\498C.tmp"70⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\49EA.tmp"C:\Users\Admin\AppData\Local\Temp\49EA.tmp"71⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\4A38.tmp"C:\Users\Admin\AppData\Local\Temp\4A38.tmp"72⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\4A96.tmp"C:\Users\Admin\AppData\Local\Temp\4A96.tmp"73⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\4AF3.tmp"C:\Users\Admin\AppData\Local\Temp\4AF3.tmp"74⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\4B51.tmp"C:\Users\Admin\AppData\Local\Temp\4B51.tmp"75⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\4BAF.tmp"C:\Users\Admin\AppData\Local\Temp\4BAF.tmp"76⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\4C0D.tmp"C:\Users\Admin\AppData\Local\Temp\4C0D.tmp"77⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\4C6A.tmp"C:\Users\Admin\AppData\Local\Temp\4C6A.tmp"78⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"79⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\4D26.tmp"C:\Users\Admin\AppData\Local\Temp\4D26.tmp"80⤵PID:5836
-
C:\Users\Admin\AppData\Local\Temp\4D84.tmp"C:\Users\Admin\AppData\Local\Temp\4D84.tmp"81⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\4DE1.tmp"C:\Users\Admin\AppData\Local\Temp\4DE1.tmp"82⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\4E3F.tmp"C:\Users\Admin\AppData\Local\Temp\4E3F.tmp"83⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\4E9D.tmp"C:\Users\Admin\AppData\Local\Temp\4E9D.tmp"84⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\4EFB.tmp"C:\Users\Admin\AppData\Local\Temp\4EFB.tmp"85⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\4F58.tmp"C:\Users\Admin\AppData\Local\Temp\4F58.tmp"86⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"87⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\5023.tmp"C:\Users\Admin\AppData\Local\Temp\5023.tmp"88⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\5081.tmp"C:\Users\Admin\AppData\Local\Temp\5081.tmp"89⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\50DF.tmp"C:\Users\Admin\AppData\Local\Temp\50DF.tmp"90⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\513D.tmp"C:\Users\Admin\AppData\Local\Temp\513D.tmp"91⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\519A.tmp"C:\Users\Admin\AppData\Local\Temp\519A.tmp"92⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\51F8.tmp"C:\Users\Admin\AppData\Local\Temp\51F8.tmp"93⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\5256.tmp"C:\Users\Admin\AppData\Local\Temp\5256.tmp"94⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\52B4.tmp"C:\Users\Admin\AppData\Local\Temp\52B4.tmp"95⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\5311.tmp"C:\Users\Admin\AppData\Local\Temp\5311.tmp"96⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\536F.tmp"C:\Users\Admin\AppData\Local\Temp\536F.tmp"97⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\53CD.tmp"C:\Users\Admin\AppData\Local\Temp\53CD.tmp"98⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\543A.tmp"C:\Users\Admin\AppData\Local\Temp\543A.tmp"99⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\5498.tmp"C:\Users\Admin\AppData\Local\Temp\5498.tmp"100⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\54F6.tmp"C:\Users\Admin\AppData\Local\Temp\54F6.tmp"101⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\5554.tmp"C:\Users\Admin\AppData\Local\Temp\5554.tmp"102⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\55B1.tmp"C:\Users\Admin\AppData\Local\Temp\55B1.tmp"103⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\560F.tmp"C:\Users\Admin\AppData\Local\Temp\560F.tmp"104⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\565D.tmp"C:\Users\Admin\AppData\Local\Temp\565D.tmp"105⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\56AB.tmp"C:\Users\Admin\AppData\Local\Temp\56AB.tmp"106⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\56F9.tmp"C:\Users\Admin\AppData\Local\Temp\56F9.tmp"107⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\5757.tmp"C:\Users\Admin\AppData\Local\Temp\5757.tmp"108⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\57B5.tmp"C:\Users\Admin\AppData\Local\Temp\57B5.tmp"109⤵PID:4016
-
C:\Users\Admin\AppData\Local\Temp\5813.tmp"C:\Users\Admin\AppData\Local\Temp\5813.tmp"110⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\5870.tmp"C:\Users\Admin\AppData\Local\Temp\5870.tmp"111⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\58CE.tmp"C:\Users\Admin\AppData\Local\Temp\58CE.tmp"112⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\591C.tmp"C:\Users\Admin\AppData\Local\Temp\591C.tmp"113⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\596A.tmp"C:\Users\Admin\AppData\Local\Temp\596A.tmp"114⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\59B9.tmp"C:\Users\Admin\AppData\Local\Temp\59B9.tmp"115⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\5A07.tmp"C:\Users\Admin\AppData\Local\Temp\5A07.tmp"116⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\5A64.tmp"C:\Users\Admin\AppData\Local\Temp\5A64.tmp"117⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"118⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\5B10.tmp"C:\Users\Admin\AppData\Local\Temp\5B10.tmp"119⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\5B5E.tmp"C:\Users\Admin\AppData\Local\Temp\5B5E.tmp"120⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\5BBC.tmp"C:\Users\Admin\AppData\Local\Temp\5BBC.tmp"121⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"122⤵PID:4880
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-