Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13/06/2024, 02:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe
Resource
win7-20240611-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe
Resource
win10v2004-20240611-en
2 signatures
150 seconds
General
-
Target
2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe
-
Size
530KB
-
MD5
87d995810c80cdee1bc9ffd38f15719f
-
SHA1
d4add943251487d2a40decd5cfca72dfc9e887af
-
SHA256
1704a86eae6ec13c1ec18288b728f32560868847b5e45ea4d5bb3ef3e31c9754
-
SHA512
045f26e0f7c0bda5ab44161b27685a0c21512f53bc3605f483d3dfd29781824230a36ed71c8f9b1649d0a4a64b704b56466772af2ffda374b2a9607c1ce53a70
-
SSDEEP
12288:AU5rCOTeio7uiTZf/0rr5AoomNZulFVg0M1:AUQOJo7FtBuNclFV/M1
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1468 318F.tmp 380 324B.tmp 3028 32A9.tmp 1336 3326.tmp 992 3383.tmp 2504 33F1.tmp 1444 344E.tmp 3004 34BC.tmp 1064 3529.tmp 1728 3587.tmp 5040 35D5.tmp 4596 3623.tmp 2416 3671.tmp 1780 36BF.tmp 5056 370E.tmp 4592 377B.tmp 3812 37C9.tmp 4240 3836.tmp 1712 38A4.tmp 1568 3902.tmp 4228 3950.tmp 4468 39CD.tmp 5104 3A4A.tmp 752 3A98.tmp 3748 3AF6.tmp 2156 3B53.tmp 4288 3BB1.tmp 1952 3BFF.tmp 744 3C6D.tmp 2356 3D09.tmp 1872 3DA5.tmp 548 3E03.tmp 3444 3E51.tmp 1192 3EAF.tmp 5004 3F1C.tmp 4280 3F7A.tmp 4828 3FD8.tmp 4764 4035.tmp 1792 40A3.tmp 4496 40F1.tmp 448 413F.tmp 3644 418D.tmp 3296 41EB.tmp 4940 4239.tmp 3368 4287.tmp 4360 42E5.tmp 4044 4343.tmp 2860 43A0.tmp 3996 43EE.tmp 4640 444C.tmp 4492 44AA.tmp 4524 4508.tmp 708 4556.tmp 4320 45A4.tmp 532 45F2.tmp 2024 4650.tmp 3224 469E.tmp 3496 46EC.tmp 992 474A.tmp 228 47A8.tmp 2284 4805.tmp 2248 4853.tmp 3004 48A2.tmp 732 48FF.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2168 wrote to memory of 1468 2168 2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe 81 PID 2168 wrote to memory of 1468 2168 2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe 81 PID 2168 wrote to memory of 1468 2168 2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe 81 PID 1468 wrote to memory of 380 1468 318F.tmp 83 PID 1468 wrote to memory of 380 1468 318F.tmp 83 PID 1468 wrote to memory of 380 1468 318F.tmp 83 PID 380 wrote to memory of 3028 380 324B.tmp 85 PID 380 wrote to memory of 3028 380 324B.tmp 85 PID 380 wrote to memory of 3028 380 324B.tmp 85 PID 3028 wrote to memory of 1336 3028 32A9.tmp 87 PID 3028 wrote to memory of 1336 3028 32A9.tmp 87 PID 3028 wrote to memory of 1336 3028 32A9.tmp 87 PID 1336 wrote to memory of 992 1336 3326.tmp 88 PID 1336 wrote to memory of 992 1336 3326.tmp 88 PID 1336 wrote to memory of 992 1336 3326.tmp 88 PID 992 wrote to memory of 2504 992 3383.tmp 89 PID 992 wrote to memory of 2504 992 3383.tmp 89 PID 992 wrote to memory of 2504 992 3383.tmp 89 PID 2504 wrote to memory of 1444 2504 33F1.tmp 90 PID 2504 wrote to memory of 1444 2504 33F1.tmp 90 PID 2504 wrote to memory of 1444 2504 33F1.tmp 90 PID 1444 wrote to memory of 3004 1444 344E.tmp 91 PID 1444 wrote to memory of 3004 1444 344E.tmp 91 PID 1444 wrote to memory of 3004 1444 344E.tmp 91 PID 3004 wrote to memory of 1064 3004 34BC.tmp 92 PID 3004 wrote to memory of 1064 3004 34BC.tmp 92 PID 3004 wrote to memory of 1064 3004 34BC.tmp 92 PID 1064 wrote to memory of 1728 1064 3529.tmp 93 PID 1064 wrote to memory of 1728 1064 3529.tmp 93 PID 1064 wrote to memory of 1728 1064 3529.tmp 93 PID 1728 wrote to memory of 5040 1728 3587.tmp 94 PID 1728 wrote to memory of 5040 1728 3587.tmp 94 PID 1728 wrote to memory of 5040 1728 3587.tmp 94 PID 5040 wrote to memory of 4596 5040 35D5.tmp 95 PID 5040 wrote to memory of 4596 5040 35D5.tmp 95 PID 5040 wrote to memory of 4596 5040 35D5.tmp 95 PID 4596 wrote to memory of 2416 4596 3623.tmp 96 PID 4596 wrote to memory of 2416 4596 3623.tmp 96 PID 4596 wrote to memory of 2416 4596 3623.tmp 96 PID 2416 wrote to memory of 1780 2416 3671.tmp 97 PID 2416 wrote to memory of 1780 2416 3671.tmp 97 PID 2416 wrote to memory of 1780 2416 3671.tmp 97 PID 1780 wrote to memory of 5056 1780 36BF.tmp 98 PID 1780 wrote to memory of 5056 1780 36BF.tmp 98 PID 1780 wrote to memory of 5056 1780 36BF.tmp 98 PID 5056 wrote to memory of 4592 5056 370E.tmp 99 PID 5056 wrote to memory of 4592 5056 370E.tmp 99 PID 5056 wrote to memory of 4592 5056 370E.tmp 99 PID 4592 wrote to memory of 3812 4592 377B.tmp 100 PID 4592 wrote to memory of 3812 4592 377B.tmp 100 PID 4592 wrote to memory of 3812 4592 377B.tmp 100 PID 3812 wrote to memory of 4240 3812 37C9.tmp 101 PID 3812 wrote to memory of 4240 3812 37C9.tmp 101 PID 3812 wrote to memory of 4240 3812 37C9.tmp 101 PID 4240 wrote to memory of 1712 4240 3836.tmp 102 PID 4240 wrote to memory of 1712 4240 3836.tmp 102 PID 4240 wrote to memory of 1712 4240 3836.tmp 102 PID 1712 wrote to memory of 1568 1712 38A4.tmp 103 PID 1712 wrote to memory of 1568 1712 38A4.tmp 103 PID 1712 wrote to memory of 1568 1712 38A4.tmp 103 PID 1568 wrote to memory of 4228 1568 3902.tmp 104 PID 1568 wrote to memory of 4228 1568 3902.tmp 104 PID 1568 wrote to memory of 4228 1568 3902.tmp 104 PID 4228 wrote to memory of 4468 4228 3950.tmp 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_87d995810c80cdee1bc9ffd38f15719f_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\318F.tmp"C:\Users\Admin\AppData\Local\Temp\318F.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\324B.tmp"C:\Users\Admin\AppData\Local\Temp\324B.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Users\Admin\AppData\Local\Temp\32A9.tmp"C:\Users\Admin\AppData\Local\Temp\32A9.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\3326.tmp"C:\Users\Admin\AppData\Local\Temp\3326.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\3383.tmp"C:\Users\Admin\AppData\Local\Temp\3383.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Users\Admin\AppData\Local\Temp\33F1.tmp"C:\Users\Admin\AppData\Local\Temp\33F1.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\344E.tmp"C:\Users\Admin\AppData\Local\Temp\344E.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\34BC.tmp"C:\Users\Admin\AppData\Local\Temp\34BC.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Users\Admin\AppData\Local\Temp\3529.tmp"C:\Users\Admin\AppData\Local\Temp\3529.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\3587.tmp"C:\Users\Admin\AppData\Local\Temp\3587.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\35D5.tmp"C:\Users\Admin\AppData\Local\Temp\35D5.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\3623.tmp"C:\Users\Admin\AppData\Local\Temp\3623.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\3671.tmp"C:\Users\Admin\AppData\Local\Temp\3671.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\36BF.tmp"C:\Users\Admin\AppData\Local\Temp\36BF.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\370E.tmp"C:\Users\Admin\AppData\Local\Temp\370E.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\377B.tmp"C:\Users\Admin\AppData\Local\Temp\377B.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\37C9.tmp"C:\Users\Admin\AppData\Local\Temp\37C9.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Users\Admin\AppData\Local\Temp\3836.tmp"C:\Users\Admin\AppData\Local\Temp\3836.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\38A4.tmp"C:\Users\Admin\AppData\Local\Temp\38A4.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\3902.tmp"C:\Users\Admin\AppData\Local\Temp\3902.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\3950.tmp"C:\Users\Admin\AppData\Local\Temp\3950.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Users\Admin\AppData\Local\Temp\39CD.tmp"C:\Users\Admin\AppData\Local\Temp\39CD.tmp"23⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\3A4A.tmp"C:\Users\Admin\AppData\Local\Temp\3A4A.tmp"24⤵
- Executes dropped EXE
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\3A98.tmp"C:\Users\Admin\AppData\Local\Temp\3A98.tmp"25⤵
- Executes dropped EXE
PID:752 -
C:\Users\Admin\AppData\Local\Temp\3AF6.tmp"C:\Users\Admin\AppData\Local\Temp\3AF6.tmp"26⤵
- Executes dropped EXE
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\3B53.tmp"C:\Users\Admin\AppData\Local\Temp\3B53.tmp"27⤵
- Executes dropped EXE
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\3BB1.tmp"C:\Users\Admin\AppData\Local\Temp\3BB1.tmp"28⤵
- Executes dropped EXE
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\3BFF.tmp"C:\Users\Admin\AppData\Local\Temp\3BFF.tmp"29⤵
- Executes dropped EXE
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\3C6D.tmp"C:\Users\Admin\AppData\Local\Temp\3C6D.tmp"30⤵
- Executes dropped EXE
PID:744 -
C:\Users\Admin\AppData\Local\Temp\3D09.tmp"C:\Users\Admin\AppData\Local\Temp\3D09.tmp"31⤵
- Executes dropped EXE
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\3DA5.tmp"C:\Users\Admin\AppData\Local\Temp\3DA5.tmp"32⤵
- Executes dropped EXE
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\3E03.tmp"C:\Users\Admin\AppData\Local\Temp\3E03.tmp"33⤵
- Executes dropped EXE
PID:548 -
C:\Users\Admin\AppData\Local\Temp\3E51.tmp"C:\Users\Admin\AppData\Local\Temp\3E51.tmp"34⤵
- Executes dropped EXE
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\3EAF.tmp"C:\Users\Admin\AppData\Local\Temp\3EAF.tmp"35⤵
- Executes dropped EXE
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\3F1C.tmp"C:\Users\Admin\AppData\Local\Temp\3F1C.tmp"36⤵
- Executes dropped EXE
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\3F7A.tmp"C:\Users\Admin\AppData\Local\Temp\3F7A.tmp"37⤵
- Executes dropped EXE
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\3FD8.tmp"C:\Users\Admin\AppData\Local\Temp\3FD8.tmp"38⤵
- Executes dropped EXE
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\4035.tmp"C:\Users\Admin\AppData\Local\Temp\4035.tmp"39⤵
- Executes dropped EXE
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\40A3.tmp"C:\Users\Admin\AppData\Local\Temp\40A3.tmp"40⤵
- Executes dropped EXE
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\40F1.tmp"C:\Users\Admin\AppData\Local\Temp\40F1.tmp"41⤵
- Executes dropped EXE
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\413F.tmp"C:\Users\Admin\AppData\Local\Temp\413F.tmp"42⤵
- Executes dropped EXE
PID:448 -
C:\Users\Admin\AppData\Local\Temp\418D.tmp"C:\Users\Admin\AppData\Local\Temp\418D.tmp"43⤵
- Executes dropped EXE
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\41EB.tmp"C:\Users\Admin\AppData\Local\Temp\41EB.tmp"44⤵
- Executes dropped EXE
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\4239.tmp"C:\Users\Admin\AppData\Local\Temp\4239.tmp"45⤵
- Executes dropped EXE
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\4287.tmp"C:\Users\Admin\AppData\Local\Temp\4287.tmp"46⤵
- Executes dropped EXE
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\42E5.tmp"C:\Users\Admin\AppData\Local\Temp\42E5.tmp"47⤵
- Executes dropped EXE
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\4343.tmp"C:\Users\Admin\AppData\Local\Temp\4343.tmp"48⤵
- Executes dropped EXE
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\43A0.tmp"C:\Users\Admin\AppData\Local\Temp\43A0.tmp"49⤵
- Executes dropped EXE
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\43EE.tmp"C:\Users\Admin\AppData\Local\Temp\43EE.tmp"50⤵
- Executes dropped EXE
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\444C.tmp"C:\Users\Admin\AppData\Local\Temp\444C.tmp"51⤵
- Executes dropped EXE
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\44AA.tmp"C:\Users\Admin\AppData\Local\Temp\44AA.tmp"52⤵
- Executes dropped EXE
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\4508.tmp"C:\Users\Admin\AppData\Local\Temp\4508.tmp"53⤵
- Executes dropped EXE
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\4556.tmp"C:\Users\Admin\AppData\Local\Temp\4556.tmp"54⤵
- Executes dropped EXE
PID:708 -
C:\Users\Admin\AppData\Local\Temp\45A4.tmp"C:\Users\Admin\AppData\Local\Temp\45A4.tmp"55⤵
- Executes dropped EXE
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\45F2.tmp"C:\Users\Admin\AppData\Local\Temp\45F2.tmp"56⤵
- Executes dropped EXE
PID:532 -
C:\Users\Admin\AppData\Local\Temp\4650.tmp"C:\Users\Admin\AppData\Local\Temp\4650.tmp"57⤵
- Executes dropped EXE
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\469E.tmp"C:\Users\Admin\AppData\Local\Temp\469E.tmp"58⤵
- Executes dropped EXE
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\46EC.tmp"C:\Users\Admin\AppData\Local\Temp\46EC.tmp"59⤵
- Executes dropped EXE
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\474A.tmp"C:\Users\Admin\AppData\Local\Temp\474A.tmp"60⤵
- Executes dropped EXE
PID:992 -
C:\Users\Admin\AppData\Local\Temp\47A8.tmp"C:\Users\Admin\AppData\Local\Temp\47A8.tmp"61⤵
- Executes dropped EXE
PID:228 -
C:\Users\Admin\AppData\Local\Temp\4805.tmp"C:\Users\Admin\AppData\Local\Temp\4805.tmp"62⤵
- Executes dropped EXE
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\4853.tmp"C:\Users\Admin\AppData\Local\Temp\4853.tmp"63⤵
- Executes dropped EXE
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\48A2.tmp"C:\Users\Admin\AppData\Local\Temp\48A2.tmp"64⤵
- Executes dropped EXE
PID:3004 -
C:\Users\Admin\AppData\Local\Temp\48FF.tmp"C:\Users\Admin\AppData\Local\Temp\48FF.tmp"65⤵
- Executes dropped EXE
PID:732 -
C:\Users\Admin\AppData\Local\Temp\495D.tmp"C:\Users\Admin\AppData\Local\Temp\495D.tmp"66⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\49AB.tmp"C:\Users\Admin\AppData\Local\Temp\49AB.tmp"67⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\49F9.tmp"C:\Users\Admin\AppData\Local\Temp\49F9.tmp"68⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\4A47.tmp"C:\Users\Admin\AppData\Local\Temp\4A47.tmp"69⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\4AA5.tmp"C:\Users\Admin\AppData\Local\Temp\4AA5.tmp"70⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\4B13.tmp"C:\Users\Admin\AppData\Local\Temp\4B13.tmp"71⤵PID:3696
-
C:\Users\Admin\AppData\Local\Temp\4B70.tmp"C:\Users\Admin\AppData\Local\Temp\4B70.tmp"72⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\4BCE.tmp"C:\Users\Admin\AppData\Local\Temp\4BCE.tmp"73⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\4C1C.tmp"C:\Users\Admin\AppData\Local\Temp\4C1C.tmp"74⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\4C7A.tmp"C:\Users\Admin\AppData\Local\Temp\4C7A.tmp"75⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"76⤵PID:528
-
C:\Users\Admin\AppData\Local\Temp\4D16.tmp"C:\Users\Admin\AppData\Local\Temp\4D16.tmp"77⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\4D74.tmp"C:\Users\Admin\AppData\Local\Temp\4D74.tmp"78⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\4DC2.tmp"C:\Users\Admin\AppData\Local\Temp\4DC2.tmp"79⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\4E10.tmp"C:\Users\Admin\AppData\Local\Temp\4E10.tmp"80⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"C:\Users\Admin\AppData\Local\Temp\4E5E.tmp"81⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\4EBC.tmp"C:\Users\Admin\AppData\Local\Temp\4EBC.tmp"82⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"83⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\4F68.tmp"C:\Users\Admin\AppData\Local\Temp\4F68.tmp"84⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"85⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\5023.tmp"C:\Users\Admin\AppData\Local\Temp\5023.tmp"86⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\5081.tmp"C:\Users\Admin\AppData\Local\Temp\5081.tmp"87⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\50CF.tmp"C:\Users\Admin\AppData\Local\Temp\50CF.tmp"88⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\512D.tmp"C:\Users\Admin\AppData\Local\Temp\512D.tmp"89⤵PID:796
-
C:\Users\Admin\AppData\Local\Temp\519A.tmp"C:\Users\Admin\AppData\Local\Temp\519A.tmp"90⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\51E9.tmp"C:\Users\Admin\AppData\Local\Temp\51E9.tmp"91⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\5237.tmp"C:\Users\Admin\AppData\Local\Temp\5237.tmp"92⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\5285.tmp"C:\Users\Admin\AppData\Local\Temp\5285.tmp"93⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\52E3.tmp"C:\Users\Admin\AppData\Local\Temp\52E3.tmp"94⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\5331.tmp"C:\Users\Admin\AppData\Local\Temp\5331.tmp"95⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\537F.tmp"C:\Users\Admin\AppData\Local\Temp\537F.tmp"96⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\53CD.tmp"C:\Users\Admin\AppData\Local\Temp\53CD.tmp"97⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\541B.tmp"C:\Users\Admin\AppData\Local\Temp\541B.tmp"98⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\5479.tmp"C:\Users\Admin\AppData\Local\Temp\5479.tmp"99⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\54D7.tmp"C:\Users\Admin\AppData\Local\Temp\54D7.tmp"100⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\5525.tmp"C:\Users\Admin\AppData\Local\Temp\5525.tmp"101⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\5573.tmp"C:\Users\Admin\AppData\Local\Temp\5573.tmp"102⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\55C1.tmp"C:\Users\Admin\AppData\Local\Temp\55C1.tmp"103⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\560F.tmp"C:\Users\Admin\AppData\Local\Temp\560F.tmp"104⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\566D.tmp"C:\Users\Admin\AppData\Local\Temp\566D.tmp"105⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\56CB.tmp"C:\Users\Admin\AppData\Local\Temp\56CB.tmp"106⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\5719.tmp"C:\Users\Admin\AppData\Local\Temp\5719.tmp"107⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\5767.tmp"C:\Users\Admin\AppData\Local\Temp\5767.tmp"108⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\57C5.tmp"C:\Users\Admin\AppData\Local\Temp\57C5.tmp"109⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\5822.tmp"C:\Users\Admin\AppData\Local\Temp\5822.tmp"110⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\5870.tmp"C:\Users\Admin\AppData\Local\Temp\5870.tmp"111⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\58CE.tmp"C:\Users\Admin\AppData\Local\Temp\58CE.tmp"112⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\592C.tmp"C:\Users\Admin\AppData\Local\Temp\592C.tmp"113⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\598A.tmp"C:\Users\Admin\AppData\Local\Temp\598A.tmp"114⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\59D8.tmp"C:\Users\Admin\AppData\Local\Temp\59D8.tmp"115⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\5A26.tmp"C:\Users\Admin\AppData\Local\Temp\5A26.tmp"116⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\5A74.tmp"C:\Users\Admin\AppData\Local\Temp\5A74.tmp"117⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\5AC2.tmp"C:\Users\Admin\AppData\Local\Temp\5AC2.tmp"118⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\5B20.tmp"C:\Users\Admin\AppData\Local\Temp\5B20.tmp"119⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"C:\Users\Admin\AppData\Local\Temp\5B7E.tmp"120⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"121⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\5C49.tmp"C:\Users\Admin\AppData\Local\Temp\5C49.tmp"122⤵PID:3288
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-