Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/06/2024, 02:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe
Resource
win7-20240611-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe
-
Size
536KB
-
MD5
9980f10c028cfa0f4e0ea8baf727b736
-
SHA1
597174ce4196d7b353e2cd5901a36da6b8b8eeb9
-
SHA256
d1d503285c17ba53aa8c069adb5f7fa45f6851e22e15ac43bef068d7351bed13
-
SHA512
66c4c39c41862c54d392a64e4a9c532f5d45493479b48d6957b9f9d69b53656029516ee2ad246133e08242c6d8fba0222291abcb1f8e22d8b91c700d7decea9f
-
SSDEEP
12288:wU5rCOTeiUVwv0uJgkZcFdEphWauy68qgKIZxVJ0ZT9:wUQOJUVcVZcXEDWa/wfIRJ0ZT9
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2792 E251.tmp 4740 E31C.tmp 2356 E399.tmp 2384 E465.tmp 4088 E4B3.tmp 2844 E57E.tmp 3816 E5CC.tmp 3164 E61A.tmp 3200 E714.tmp 212 E781.tmp 804 E7EF.tmp 4280 E85C.tmp 1192 E927.tmp 4060 E9B4.tmp 2032 EA31.tmp 3888 EB1B.tmp 1612 EB79.tmp 5032 EBF6.tmp 4960 EC63.tmp 1468 ECD1.tmp 1216 ED7D.tmp 3344 EDEA.tmp 624 EE67.tmp 2160 EEE4.tmp 4388 EF61.tmp 2408 EFDE.tmp 2252 F04B.tmp 2768 F0D8.tmp 3596 F174.tmp 944 F230.tmp 2356 F2AD.tmp 3048 F388.tmp 832 F414.tmp 4900 F4A1.tmp 3964 F51E.tmp 4908 F58B.tmp 3164 F5E9.tmp 2696 F666.tmp 3880 F702.tmp 804 F77F.tmp 5092 F7FC.tmp 4468 F86A.tmp 2316 F8F6.tmp 1064 F983.tmp 2012 FA1F.tmp 1712 FAAC.tmp 3888 FB29.tmp 4272 FB86.tmp 2744 FBF4.tmp 2192 FC42.tmp 3460 FC90.tmp 1468 FCEE.tmp 1244 FD4C.tmp 4884 FD9A.tmp 4964 FDE8.tmp 1232 FE36.tmp 1392 FE84.tmp 2364 FED2.tmp 4368 FF20.tmp 3592 FF6E.tmp 4972 FFCC.tmp 1628 1A.tmp 3780 68.tmp 2768 B7.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 116 wrote to memory of 2792 116 2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe 89 PID 116 wrote to memory of 2792 116 2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe 89 PID 116 wrote to memory of 2792 116 2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe 89 PID 2792 wrote to memory of 4740 2792 E251.tmp 91 PID 2792 wrote to memory of 4740 2792 E251.tmp 91 PID 2792 wrote to memory of 4740 2792 E251.tmp 91 PID 4740 wrote to memory of 2356 4740 E31C.tmp 93 PID 4740 wrote to memory of 2356 4740 E31C.tmp 93 PID 4740 wrote to memory of 2356 4740 E31C.tmp 93 PID 2356 wrote to memory of 2384 2356 E399.tmp 95 PID 2356 wrote to memory of 2384 2356 E399.tmp 95 PID 2356 wrote to memory of 2384 2356 E399.tmp 95 PID 2384 wrote to memory of 4088 2384 E465.tmp 96 PID 2384 wrote to memory of 4088 2384 E465.tmp 96 PID 2384 wrote to memory of 4088 2384 E465.tmp 96 PID 4088 wrote to memory of 2844 4088 E4B3.tmp 97 PID 4088 wrote to memory of 2844 4088 E4B3.tmp 97 PID 4088 wrote to memory of 2844 4088 E4B3.tmp 97 PID 2844 wrote to memory of 3816 2844 E57E.tmp 98 PID 2844 wrote to memory of 3816 2844 E57E.tmp 98 PID 2844 wrote to memory of 3816 2844 E57E.tmp 98 PID 3816 wrote to memory of 3164 3816 E5CC.tmp 99 PID 3816 wrote to memory of 3164 3816 E5CC.tmp 99 PID 3816 wrote to memory of 3164 3816 E5CC.tmp 99 PID 3164 wrote to memory of 3200 3164 E61A.tmp 100 PID 3164 wrote to memory of 3200 3164 E61A.tmp 100 PID 3164 wrote to memory of 3200 3164 E61A.tmp 100 PID 3200 wrote to memory of 212 3200 E714.tmp 101 PID 3200 wrote to memory of 212 3200 E714.tmp 101 PID 3200 wrote to memory of 212 3200 E714.tmp 101 PID 212 wrote to memory of 804 212 E781.tmp 102 PID 212 wrote to memory of 804 212 E781.tmp 102 PID 212 wrote to memory of 804 212 E781.tmp 102 PID 804 wrote to memory of 4280 804 E7EF.tmp 103 PID 804 wrote to memory of 4280 804 E7EF.tmp 103 PID 804 wrote to memory of 4280 804 E7EF.tmp 103 PID 4280 wrote to memory of 1192 4280 E85C.tmp 105 PID 4280 wrote to memory of 1192 4280 E85C.tmp 105 PID 4280 wrote to memory of 1192 4280 E85C.tmp 105 PID 1192 wrote to memory of 4060 1192 E927.tmp 106 PID 1192 wrote to memory of 4060 1192 E927.tmp 106 PID 1192 wrote to memory of 4060 1192 E927.tmp 106 PID 4060 wrote to memory of 2032 4060 E9B4.tmp 107 PID 4060 wrote to memory of 2032 4060 E9B4.tmp 107 PID 4060 wrote to memory of 2032 4060 E9B4.tmp 107 PID 2032 wrote to memory of 3888 2032 EA31.tmp 108 PID 2032 wrote to memory of 3888 2032 EA31.tmp 108 PID 2032 wrote to memory of 3888 2032 EA31.tmp 108 PID 3888 wrote to memory of 1612 3888 EB1B.tmp 109 PID 3888 wrote to memory of 1612 3888 EB1B.tmp 109 PID 3888 wrote to memory of 1612 3888 EB1B.tmp 109 PID 1612 wrote to memory of 5032 1612 EB79.tmp 110 PID 1612 wrote to memory of 5032 1612 EB79.tmp 110 PID 1612 wrote to memory of 5032 1612 EB79.tmp 110 PID 5032 wrote to memory of 4960 5032 EBF6.tmp 111 PID 5032 wrote to memory of 4960 5032 EBF6.tmp 111 PID 5032 wrote to memory of 4960 5032 EBF6.tmp 111 PID 4960 wrote to memory of 1468 4960 EC63.tmp 112 PID 4960 wrote to memory of 1468 4960 EC63.tmp 112 PID 4960 wrote to memory of 1468 4960 EC63.tmp 112 PID 1468 wrote to memory of 1216 1468 ECD1.tmp 113 PID 1468 wrote to memory of 1216 1468 ECD1.tmp 113 PID 1468 wrote to memory of 1216 1468 ECD1.tmp 113 PID 1216 wrote to memory of 3344 1216 ED7D.tmp 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_9980f10c028cfa0f4e0ea8baf727b736_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Users\Admin\AppData\Local\Temp\E251.tmp"C:\Users\Admin\AppData\Local\Temp\E251.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\E31C.tmp"C:\Users\Admin\AppData\Local\Temp\E31C.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\E399.tmp"C:\Users\Admin\AppData\Local\Temp\E399.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\E465.tmp"C:\Users\Admin\AppData\Local\Temp\E465.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\E4B3.tmp"C:\Users\Admin\AppData\Local\Temp\E4B3.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Users\Admin\AppData\Local\Temp\E57E.tmp"C:\Users\Admin\AppData\Local\Temp\E57E.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\E5CC.tmp"C:\Users\Admin\AppData\Local\Temp\E5CC.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\E61A.tmp"C:\Users\Admin\AppData\Local\Temp\E61A.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\E714.tmp"C:\Users\Admin\AppData\Local\Temp\E714.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\E781.tmp"C:\Users\Admin\AppData\Local\Temp\E781.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Users\Admin\AppData\Local\Temp\E7EF.tmp"C:\Users\Admin\AppData\Local\Temp\E7EF.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Users\Admin\AppData\Local\Temp\E85C.tmp"C:\Users\Admin\AppData\Local\Temp\E85C.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\E927.tmp"C:\Users\Admin\AppData\Local\Temp\E927.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\E9B4.tmp"C:\Users\Admin\AppData\Local\Temp\E9B4.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\EA31.tmp"C:\Users\Admin\AppData\Local\Temp\EA31.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\EB1B.tmp"C:\Users\Admin\AppData\Local\Temp\EB1B.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\EB79.tmp"C:\Users\Admin\AppData\Local\Temp\EB79.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\EBF6.tmp"C:\Users\Admin\AppData\Local\Temp\EBF6.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\EC63.tmp"C:\Users\Admin\AppData\Local\Temp\EC63.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\ECD1.tmp"C:\Users\Admin\AppData\Local\Temp\ECD1.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\ED7D.tmp"C:\Users\Admin\AppData\Local\Temp\ED7D.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\EDEA.tmp"C:\Users\Admin\AppData\Local\Temp\EDEA.tmp"23⤵
- Executes dropped EXE
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\EE67.tmp"C:\Users\Admin\AppData\Local\Temp\EE67.tmp"24⤵
- Executes dropped EXE
PID:624 -
C:\Users\Admin\AppData\Local\Temp\EEE4.tmp"C:\Users\Admin\AppData\Local\Temp\EEE4.tmp"25⤵
- Executes dropped EXE
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\EF61.tmp"C:\Users\Admin\AppData\Local\Temp\EF61.tmp"26⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\EFDE.tmp"C:\Users\Admin\AppData\Local\Temp\EFDE.tmp"27⤵
- Executes dropped EXE
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\F04B.tmp"C:\Users\Admin\AppData\Local\Temp\F04B.tmp"28⤵
- Executes dropped EXE
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\F0D8.tmp"C:\Users\Admin\AppData\Local\Temp\F0D8.tmp"29⤵
- Executes dropped EXE
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\F174.tmp"C:\Users\Admin\AppData\Local\Temp\F174.tmp"30⤵
- Executes dropped EXE
PID:3596 -
C:\Users\Admin\AppData\Local\Temp\F230.tmp"C:\Users\Admin\AppData\Local\Temp\F230.tmp"31⤵
- Executes dropped EXE
PID:944 -
C:\Users\Admin\AppData\Local\Temp\F2AD.tmp"C:\Users\Admin\AppData\Local\Temp\F2AD.tmp"32⤵
- Executes dropped EXE
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\F388.tmp"C:\Users\Admin\AppData\Local\Temp\F388.tmp"33⤵
- Executes dropped EXE
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\F414.tmp"C:\Users\Admin\AppData\Local\Temp\F414.tmp"34⤵
- Executes dropped EXE
PID:832 -
C:\Users\Admin\AppData\Local\Temp\F4A1.tmp"C:\Users\Admin\AppData\Local\Temp\F4A1.tmp"35⤵
- Executes dropped EXE
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\F51E.tmp"C:\Users\Admin\AppData\Local\Temp\F51E.tmp"36⤵
- Executes dropped EXE
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\F58B.tmp"C:\Users\Admin\AppData\Local\Temp\F58B.tmp"37⤵
- Executes dropped EXE
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\F5E9.tmp"C:\Users\Admin\AppData\Local\Temp\F5E9.tmp"38⤵
- Executes dropped EXE
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\F666.tmp"C:\Users\Admin\AppData\Local\Temp\F666.tmp"39⤵
- Executes dropped EXE
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\F702.tmp"C:\Users\Admin\AppData\Local\Temp\F702.tmp"40⤵
- Executes dropped EXE
PID:3880 -
C:\Users\Admin\AppData\Local\Temp\F77F.tmp"C:\Users\Admin\AppData\Local\Temp\F77F.tmp"41⤵
- Executes dropped EXE
PID:804 -
C:\Users\Admin\AppData\Local\Temp\F7FC.tmp"C:\Users\Admin\AppData\Local\Temp\F7FC.tmp"42⤵
- Executes dropped EXE
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\F86A.tmp"C:\Users\Admin\AppData\Local\Temp\F86A.tmp"43⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\F8F6.tmp"C:\Users\Admin\AppData\Local\Temp\F8F6.tmp"44⤵
- Executes dropped EXE
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\F983.tmp"C:\Users\Admin\AppData\Local\Temp\F983.tmp"45⤵
- Executes dropped EXE
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\FA1F.tmp"C:\Users\Admin\AppData\Local\Temp\FA1F.tmp"46⤵
- Executes dropped EXE
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\FAAC.tmp"C:\Users\Admin\AppData\Local\Temp\FAAC.tmp"47⤵
- Executes dropped EXE
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\FB29.tmp"C:\Users\Admin\AppData\Local\Temp\FB29.tmp"48⤵
- Executes dropped EXE
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\FB86.tmp"C:\Users\Admin\AppData\Local\Temp\FB86.tmp"49⤵
- Executes dropped EXE
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\FBF4.tmp"C:\Users\Admin\AppData\Local\Temp\FBF4.tmp"50⤵
- Executes dropped EXE
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\FC42.tmp"C:\Users\Admin\AppData\Local\Temp\FC42.tmp"51⤵
- Executes dropped EXE
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\FC90.tmp"C:\Users\Admin\AppData\Local\Temp\FC90.tmp"52⤵
- Executes dropped EXE
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\FCEE.tmp"C:\Users\Admin\AppData\Local\Temp\FCEE.tmp"53⤵
- Executes dropped EXE
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\FD4C.tmp"C:\Users\Admin\AppData\Local\Temp\FD4C.tmp"54⤵
- Executes dropped EXE
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\FD9A.tmp"C:\Users\Admin\AppData\Local\Temp\FD9A.tmp"55⤵
- Executes dropped EXE
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\FDE8.tmp"C:\Users\Admin\AppData\Local\Temp\FDE8.tmp"56⤵
- Executes dropped EXE
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\FE36.tmp"C:\Users\Admin\AppData\Local\Temp\FE36.tmp"57⤵
- Executes dropped EXE
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\FE84.tmp"C:\Users\Admin\AppData\Local\Temp\FE84.tmp"58⤵
- Executes dropped EXE
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\FED2.tmp"C:\Users\Admin\AppData\Local\Temp\FED2.tmp"59⤵
- Executes dropped EXE
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\FF20.tmp"C:\Users\Admin\AppData\Local\Temp\FF20.tmp"60⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\FF6E.tmp"C:\Users\Admin\AppData\Local\Temp\FF6E.tmp"61⤵
- Executes dropped EXE
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\FFCC.tmp"C:\Users\Admin\AppData\Local\Temp\FFCC.tmp"62⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\1A.tmp"C:\Users\Admin\AppData\Local\Temp\1A.tmp"63⤵
- Executes dropped EXE
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\68.tmp"C:\Users\Admin\AppData\Local\Temp\68.tmp"64⤵
- Executes dropped EXE
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\B7.tmp"C:\Users\Admin\AppData\Local\Temp\B7.tmp"65⤵
- Executes dropped EXE
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\105.tmp"C:\Users\Admin\AppData\Local\Temp\105.tmp"66⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\162.tmp"C:\Users\Admin\AppData\Local\Temp\162.tmp"67⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\1C0.tmp"C:\Users\Admin\AppData\Local\Temp\1C0.tmp"68⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\21E.tmp"C:\Users\Admin\AppData\Local\Temp\21E.tmp"69⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\26C.tmp"C:\Users\Admin\AppData\Local\Temp\26C.tmp"70⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\2D9.tmp"C:\Users\Admin\AppData\Local\Temp\2D9.tmp"71⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\328.tmp"C:\Users\Admin\AppData\Local\Temp\328.tmp"72⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\376.tmp"C:\Users\Admin\AppData\Local\Temp\376.tmp"73⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\3C4.tmp"C:\Users\Admin\AppData\Local\Temp\3C4.tmp"74⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\412.tmp"C:\Users\Admin\AppData\Local\Temp\412.tmp"75⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\460.tmp"C:\Users\Admin\AppData\Local\Temp\460.tmp"76⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\4AE.tmp"C:\Users\Admin\AppData\Local\Temp\4AE.tmp"77⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\50C.tmp"C:\Users\Admin\AppData\Local\Temp\50C.tmp"78⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\55A.tmp"C:\Users\Admin\AppData\Local\Temp\55A.tmp"79⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\5A8.tmp"C:\Users\Admin\AppData\Local\Temp\5A8.tmp"80⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\606.tmp"C:\Users\Admin\AppData\Local\Temp\606.tmp"81⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\664.tmp"C:\Users\Admin\AppData\Local\Temp\664.tmp"82⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\6C1.tmp"C:\Users\Admin\AppData\Local\Temp\6C1.tmp"83⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\710.tmp"C:\Users\Admin\AppData\Local\Temp\710.tmp"84⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\75E.tmp"C:\Users\Admin\AppData\Local\Temp\75E.tmp"85⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\7AC.tmp"C:\Users\Admin\AppData\Local\Temp\7AC.tmp"86⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\7FA.tmp"C:\Users\Admin\AppData\Local\Temp\7FA.tmp"87⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\848.tmp"C:\Users\Admin\AppData\Local\Temp\848.tmp"88⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\8A6.tmp"C:\Users\Admin\AppData\Local\Temp\8A6.tmp"89⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\8F4.tmp"C:\Users\Admin\AppData\Local\Temp\8F4.tmp"90⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\942.tmp"C:\Users\Admin\AppData\Local\Temp\942.tmp"91⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\990.tmp"C:\Users\Admin\AppData\Local\Temp\990.tmp"92⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\9DE.tmp"C:\Users\Admin\AppData\Local\Temp\9DE.tmp"93⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\A2C.tmp"C:\Users\Admin\AppData\Local\Temp\A2C.tmp"94⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\A7B.tmp"C:\Users\Admin\AppData\Local\Temp\A7B.tmp"95⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\AC9.tmp"C:\Users\Admin\AppData\Local\Temp\AC9.tmp"96⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\B17.tmp"C:\Users\Admin\AppData\Local\Temp\B17.tmp"97⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\B75.tmp"C:\Users\Admin\AppData\Local\Temp\B75.tmp"98⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\BC3.tmp"C:\Users\Admin\AppData\Local\Temp\BC3.tmp"99⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\C11.tmp"C:\Users\Admin\AppData\Local\Temp\C11.tmp"100⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\C5F.tmp"C:\Users\Admin\AppData\Local\Temp\C5F.tmp"101⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\CBD.tmp"C:\Users\Admin\AppData\Local\Temp\CBD.tmp"102⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\D0B.tmp"C:\Users\Admin\AppData\Local\Temp\D0B.tmp"103⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\D59.tmp"C:\Users\Admin\AppData\Local\Temp\D59.tmp"104⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\DA7.tmp"C:\Users\Admin\AppData\Local\Temp\DA7.tmp"105⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\DF5.tmp"C:\Users\Admin\AppData\Local\Temp\DF5.tmp"106⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\E43.tmp"C:\Users\Admin\AppData\Local\Temp\E43.tmp"107⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\EA1.tmp"C:\Users\Admin\AppData\Local\Temp\EA1.tmp"108⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\EEF.tmp"C:\Users\Admin\AppData\Local\Temp\EEF.tmp"109⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\F3D.tmp"C:\Users\Admin\AppData\Local\Temp\F3D.tmp"110⤵PID:3220
-
C:\Users\Admin\AppData\Local\Temp\F8B.tmp"C:\Users\Admin\AppData\Local\Temp\F8B.tmp"111⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\FDA.tmp"C:\Users\Admin\AppData\Local\Temp\FDA.tmp"112⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\1037.tmp"C:\Users\Admin\AppData\Local\Temp\1037.tmp"113⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\1095.tmp"C:\Users\Admin\AppData\Local\Temp\1095.tmp"114⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\10E3.tmp"C:\Users\Admin\AppData\Local\Temp\10E3.tmp"115⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\1131.tmp"C:\Users\Admin\AppData\Local\Temp\1131.tmp"116⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\117F.tmp"C:\Users\Admin\AppData\Local\Temp\117F.tmp"117⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\11CE.tmp"C:\Users\Admin\AppData\Local\Temp\11CE.tmp"118⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\121C.tmp"C:\Users\Admin\AppData\Local\Temp\121C.tmp"119⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\126A.tmp"C:\Users\Admin\AppData\Local\Temp\126A.tmp"120⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\12B8.tmp"C:\Users\Admin\AppData\Local\Temp\12B8.tmp"121⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\1306.tmp"C:\Users\Admin\AppData\Local\Temp\1306.tmp"122⤵PID:1992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-