Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
13/06/2024, 02:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-13_9bf7c826c8f90abf4daf8b25ad88f189_mafia.exe
Resource
win7-20240611-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-13_9bf7c826c8f90abf4daf8b25ad88f189_mafia.exe
Resource
win10v2004-20240611-en
2 signatures
150 seconds
General
-
Target
2024-06-13_9bf7c826c8f90abf4daf8b25ad88f189_mafia.exe
-
Size
530KB
-
MD5
9bf7c826c8f90abf4daf8b25ad88f189
-
SHA1
f6863f0d8decaa85092de302a6c78f228b36464c
-
SHA256
1105e99c93ef127672962038eca79cddd92f29fd3a1d4ebd6a366e066e696e6b
-
SHA512
c8b04bd2fa13be2e103e9c8a6b5022bcb054c7ee89de355d35ffda7d3d6b9a0d4ea415ec79468b425f705dea6a4125334a4851ea1b4836d87a7f92dfa37e44f1
-
SSDEEP
12288:AU5rCOTeio7bre3uaG33GuYq+eCOHN5IENZulFVg0M1:AUQOJoXSef3/Yq+ZObIENclFV/M1
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_9bf7c826c8f90abf4daf8b25ad88f189_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_9bf7c826c8f90abf4daf8b25ad88f189_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Users\Admin\AppData\Local\Temp\3A2A.tmp"C:\Users\Admin\AppData\Local\Temp\3A2A.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\3A98.tmp"C:\Users\Admin\AppData\Local\Temp\3A98.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Users\Admin\AppData\Local\Temp\3B15.tmp"C:\Users\Admin\AppData\Local\Temp\3B15.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Users\Admin\AppData\Local\Temp\3BC1.tmp"C:\Users\Admin\AppData\Local\Temp\3BC1.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\3C3E.tmp"C:\Users\Admin\AppData\Local\Temp\3C3E.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\3C9B.tmp"C:\Users\Admin\AppData\Local\Temp\3C9B.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\3CEA.tmp"C:\Users\Admin\AppData\Local\Temp\3CEA.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\3D67.tmp"C:\Users\Admin\AppData\Local\Temp\3D67.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\3DE4.tmp"C:\Users\Admin\AppData\Local\Temp\3DE4.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\3E41.tmp"C:\Users\Admin\AppData\Local\Temp\3E41.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\3E9F.tmp"C:\Users\Admin\AppData\Local\Temp\3E9F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\3F0C.tmp"C:\Users\Admin\AppData\Local\Temp\3F0C.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\3F89.tmp"C:\Users\Admin\AppData\Local\Temp\3F89.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Users\Admin\AppData\Local\Temp\3FE7.tmp"C:\Users\Admin\AppData\Local\Temp\3FE7.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\4045.tmp"C:\Users\Admin\AppData\Local\Temp\4045.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\40A3.tmp"C:\Users\Admin\AppData\Local\Temp\40A3.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\4120.tmp"C:\Users\Admin\AppData\Local\Temp\4120.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\418D.tmp"C:\Users\Admin\AppData\Local\Temp\418D.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\41EB.tmp"C:\Users\Admin\AppData\Local\Temp\41EB.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Users\Admin\AppData\Local\Temp\4249.tmp"C:\Users\Admin\AppData\Local\Temp\4249.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\4297.tmp"C:\Users\Admin\AppData\Local\Temp\4297.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\4314.tmp"C:\Users\Admin\AppData\Local\Temp\4314.tmp"23⤵
- Executes dropped EXE
PID:3116 -
C:\Users\Admin\AppData\Local\Temp\4371.tmp"C:\Users\Admin\AppData\Local\Temp\4371.tmp"24⤵
- Executes dropped EXE
PID:760 -
C:\Users\Admin\AppData\Local\Temp\43DF.tmp"C:\Users\Admin\AppData\Local\Temp\43DF.tmp"25⤵
- Executes dropped EXE
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\444C.tmp"C:\Users\Admin\AppData\Local\Temp\444C.tmp"26⤵
- Executes dropped EXE
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\44AA.tmp"C:\Users\Admin\AppData\Local\Temp\44AA.tmp"27⤵
- Executes dropped EXE
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\4537.tmp"C:\Users\Admin\AppData\Local\Temp\4537.tmp"28⤵
- Executes dropped EXE
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\45B4.tmp"C:\Users\Admin\AppData\Local\Temp\45B4.tmp"29⤵
- Executes dropped EXE
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\4611.tmp"C:\Users\Admin\AppData\Local\Temp\4611.tmp"30⤵
- Executes dropped EXE
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\467F.tmp"C:\Users\Admin\AppData\Local\Temp\467F.tmp"31⤵
- Executes dropped EXE
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\46FC.tmp"C:\Users\Admin\AppData\Local\Temp\46FC.tmp"32⤵
- Executes dropped EXE
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\4759.tmp"C:\Users\Admin\AppData\Local\Temp\4759.tmp"33⤵
- Executes dropped EXE
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\47C7.tmp"C:\Users\Admin\AppData\Local\Temp\47C7.tmp"34⤵
- Executes dropped EXE
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\4815.tmp"C:\Users\Admin\AppData\Local\Temp\4815.tmp"35⤵
- Executes dropped EXE
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\4863.tmp"C:\Users\Admin\AppData\Local\Temp\4863.tmp"36⤵
- Executes dropped EXE
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\48C1.tmp"C:\Users\Admin\AppData\Local\Temp\48C1.tmp"37⤵
- Executes dropped EXE
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\491F.tmp"C:\Users\Admin\AppData\Local\Temp\491F.tmp"38⤵
- Executes dropped EXE
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\496D.tmp"C:\Users\Admin\AppData\Local\Temp\496D.tmp"39⤵
- Executes dropped EXE
PID:3832 -
C:\Users\Admin\AppData\Local\Temp\49BB.tmp"C:\Users\Admin\AppData\Local\Temp\49BB.tmp"40⤵
- Executes dropped EXE
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\4A09.tmp"C:\Users\Admin\AppData\Local\Temp\4A09.tmp"41⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\4A67.tmp"C:\Users\Admin\AppData\Local\Temp\4A67.tmp"42⤵
- Executes dropped EXE
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\4AB5.tmp"C:\Users\Admin\AppData\Local\Temp\4AB5.tmp"43⤵
- Executes dropped EXE
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\4B03.tmp"C:\Users\Admin\AppData\Local\Temp\4B03.tmp"44⤵
- Executes dropped EXE
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\4B51.tmp"C:\Users\Admin\AppData\Local\Temp\4B51.tmp"45⤵
- Executes dropped EXE
PID:552 -
C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"46⤵
- Executes dropped EXE
PID:228 -
C:\Users\Admin\AppData\Local\Temp\4BED.tmp"C:\Users\Admin\AppData\Local\Temp\4BED.tmp"47⤵
- Executes dropped EXE
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\4C3B.tmp"C:\Users\Admin\AppData\Local\Temp\4C3B.tmp"48⤵
- Executes dropped EXE
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\4C99.tmp"C:\Users\Admin\AppData\Local\Temp\4C99.tmp"49⤵
- Executes dropped EXE
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\4CF7.tmp"C:\Users\Admin\AppData\Local\Temp\4CF7.tmp"50⤵
- Executes dropped EXE
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\4D55.tmp"C:\Users\Admin\AppData\Local\Temp\4D55.tmp"51⤵
- Executes dropped EXE
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\4DA3.tmp"C:\Users\Admin\AppData\Local\Temp\4DA3.tmp"52⤵
- Executes dropped EXE
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\4E01.tmp"C:\Users\Admin\AppData\Local\Temp\4E01.tmp"53⤵
- Executes dropped EXE
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"54⤵
- Executes dropped EXE
PID:60 -
C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"55⤵
- Executes dropped EXE
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\4F0A.tmp"C:\Users\Admin\AppData\Local\Temp\4F0A.tmp"56⤵
- Executes dropped EXE
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\4F68.tmp"C:\Users\Admin\AppData\Local\Temp\4F68.tmp"57⤵
- Executes dropped EXE
PID:436 -
C:\Users\Admin\AppData\Local\Temp\4FD5.tmp"C:\Users\Admin\AppData\Local\Temp\4FD5.tmp"58⤵
- Executes dropped EXE
PID:64 -
C:\Users\Admin\AppData\Local\Temp\5033.tmp"C:\Users\Admin\AppData\Local\Temp\5033.tmp"59⤵
- Executes dropped EXE
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\5081.tmp"C:\Users\Admin\AppData\Local\Temp\5081.tmp"60⤵
- Executes dropped EXE
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\50DF.tmp"C:\Users\Admin\AppData\Local\Temp\50DF.tmp"61⤵
- Executes dropped EXE
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\513D.tmp"C:\Users\Admin\AppData\Local\Temp\513D.tmp"62⤵
- Executes dropped EXE
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\51BA.tmp"C:\Users\Admin\AppData\Local\Temp\51BA.tmp"63⤵
- Executes dropped EXE
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\5217.tmp"C:\Users\Admin\AppData\Local\Temp\5217.tmp"64⤵
- Executes dropped EXE
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\5266.tmp"C:\Users\Admin\AppData\Local\Temp\5266.tmp"65⤵
- Executes dropped EXE
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\52C3.tmp"C:\Users\Admin\AppData\Local\Temp\52C3.tmp"66⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\5321.tmp"C:\Users\Admin\AppData\Local\Temp\5321.tmp"67⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\536F.tmp"C:\Users\Admin\AppData\Local\Temp\536F.tmp"68⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\53BD.tmp"C:\Users\Admin\AppData\Local\Temp\53BD.tmp"69⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\540B.tmp"C:\Users\Admin\AppData\Local\Temp\540B.tmp"70⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\545A.tmp"C:\Users\Admin\AppData\Local\Temp\545A.tmp"71⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\54B7.tmp"C:\Users\Admin\AppData\Local\Temp\54B7.tmp"72⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\5505.tmp"C:\Users\Admin\AppData\Local\Temp\5505.tmp"73⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\5563.tmp"C:\Users\Admin\AppData\Local\Temp\5563.tmp"74⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\55C1.tmp"C:\Users\Admin\AppData\Local\Temp\55C1.tmp"75⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\561F.tmp"C:\Users\Admin\AppData\Local\Temp\561F.tmp"76⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\567C.tmp"C:\Users\Admin\AppData\Local\Temp\567C.tmp"77⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\56DA.tmp"C:\Users\Admin\AppData\Local\Temp\56DA.tmp"78⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\5728.tmp"C:\Users\Admin\AppData\Local\Temp\5728.tmp"79⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\5786.tmp"C:\Users\Admin\AppData\Local\Temp\5786.tmp"80⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\57E4.tmp"C:\Users\Admin\AppData\Local\Temp\57E4.tmp"81⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\5832.tmp"C:\Users\Admin\AppData\Local\Temp\5832.tmp"82⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\5880.tmp"C:\Users\Admin\AppData\Local\Temp\5880.tmp"83⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\58CE.tmp"C:\Users\Admin\AppData\Local\Temp\58CE.tmp"84⤵PID:3236
-
C:\Users\Admin\AppData\Local\Temp\591C.tmp"C:\Users\Admin\AppData\Local\Temp\591C.tmp"85⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\596A.tmp"C:\Users\Admin\AppData\Local\Temp\596A.tmp"86⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\59C8.tmp"C:\Users\Admin\AppData\Local\Temp\59C8.tmp"87⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\5A16.tmp"C:\Users\Admin\AppData\Local\Temp\5A16.tmp"88⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\5A74.tmp"C:\Users\Admin\AppData\Local\Temp\5A74.tmp"89⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\5AD2.tmp"C:\Users\Admin\AppData\Local\Temp\5AD2.tmp"90⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\5B20.tmp"C:\Users\Admin\AppData\Local\Temp\5B20.tmp"91⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"92⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\5BCC.tmp"C:\Users\Admin\AppData\Local\Temp\5BCC.tmp"93⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"94⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\5C68.tmp"C:\Users\Admin\AppData\Local\Temp\5C68.tmp"95⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"C:\Users\Admin\AppData\Local\Temp\5CC6.tmp"96⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\5D14.tmp"C:\Users\Admin\AppData\Local\Temp\5D14.tmp"97⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\5D72.tmp"C:\Users\Admin\AppData\Local\Temp\5D72.tmp"98⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\5DC0.tmp"C:\Users\Admin\AppData\Local\Temp\5DC0.tmp"99⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"C:\Users\Admin\AppData\Local\Temp\5E0E.tmp"100⤵PID:316
-
C:\Users\Admin\AppData\Local\Temp\5E5C.tmp"C:\Users\Admin\AppData\Local\Temp\5E5C.tmp"101⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\5EAA.tmp"C:\Users\Admin\AppData\Local\Temp\5EAA.tmp"102⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\5F08.tmp"C:\Users\Admin\AppData\Local\Temp\5F08.tmp"103⤵PID:3656
-
C:\Users\Admin\AppData\Local\Temp\5F66.tmp"C:\Users\Admin\AppData\Local\Temp\5F66.tmp"104⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\5FC3.tmp"C:\Users\Admin\AppData\Local\Temp\5FC3.tmp"105⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\6012.tmp"C:\Users\Admin\AppData\Local\Temp\6012.tmp"106⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\6060.tmp"C:\Users\Admin\AppData\Local\Temp\6060.tmp"107⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\60BD.tmp"C:\Users\Admin\AppData\Local\Temp\60BD.tmp"108⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\611B.tmp"C:\Users\Admin\AppData\Local\Temp\611B.tmp"109⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\6169.tmp"C:\Users\Admin\AppData\Local\Temp\6169.tmp"110⤵PID:644
-
C:\Users\Admin\AppData\Local\Temp\61B7.tmp"C:\Users\Admin\AppData\Local\Temp\61B7.tmp"111⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\6206.tmp"C:\Users\Admin\AppData\Local\Temp\6206.tmp"112⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\6254.tmp"C:\Users\Admin\AppData\Local\Temp\6254.tmp"113⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\62A2.tmp"C:\Users\Admin\AppData\Local\Temp\62A2.tmp"114⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\6300.tmp"C:\Users\Admin\AppData\Local\Temp\6300.tmp"115⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\635D.tmp"C:\Users\Admin\AppData\Local\Temp\635D.tmp"116⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\63AB.tmp"C:\Users\Admin\AppData\Local\Temp\63AB.tmp"117⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\63FA.tmp"C:\Users\Admin\AppData\Local\Temp\63FA.tmp"118⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\6457.tmp"C:\Users\Admin\AppData\Local\Temp\6457.tmp"119⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\64A5.tmp"C:\Users\Admin\AppData\Local\Temp\64A5.tmp"120⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\64F4.tmp"C:\Users\Admin\AppData\Local\Temp\64F4.tmp"121⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\6551.tmp"C:\Users\Admin\AppData\Local\Temp\6551.tmp"122⤵PID:5100