Analysis
max time kernel: 172s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-02-2024 21:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-02-13_c6a238350367db252bae82c8a2aa88d3_mafia.exe
Resource
win7-20231215-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-02-13_c6a238350367db252bae82c8a2aa88d3_mafia.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-02-13_c6a238350367db252bae82c8a2aa88d3_mafia.exe
-
Size
487KB
-
MD5
c6a238350367db252bae82c8a2aa88d3
-
SHA1
54c425ed67e7836a15ad6945c27ce4105805f7f5
-
SHA256
ba3166ba608dab8f0d029afc7e1919c771e9d8b96e978c5f49f24a9a74c576ad
-
SHA512
c7c091087f56233787c3d47161b4683b6342a7128b28b8f4215dbb412503ff70228d0a121a4cfc544afb35c6ab8a1d3df55202c72626f5238e1e77de6945f72c
-
SSDEEP
12288:HU5rCOTeiJg4zVHh+95YsPKTq7U/czWNZ:HUQOJJgu+TK/CWN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-13_c6a238350367db252bae82c8a2aa88d3_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-13_c6a238350367db252bae82c8a2aa88d3_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\DC95.tmp"C:\Users\Admin\AppData\Local\Temp\DC95.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\EEE4.tmp"C:\Users\Admin\AppData\Local\Temp\EEE4.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\F08A.tmp"C:\Users\Admin\AppData\Local\Temp\F08A.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\F906.tmp"C:\Users\Admin\AppData\Local\Temp\F906.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Users\Admin\AppData\Local\Temp\FE94.tmp"C:\Users\Admin\AppData\Local\Temp\FE94.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\5F6.tmp"C:\Users\Admin\AppData\Local\Temp\5F6.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\B65.tmp"C:\Users\Admin\AppData\Local\Temp\B65.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\BE2.tmp"C:\Users\Admin\AppData\Local\Temp\BE2.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\141F.tmp"C:\Users\Admin\AppData\Local\Temp\141F.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\15D5.tmp"C:\Users\Admin\AppData\Local\Temp\15D5.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\1C0F.tmp"C:\Users\Admin\AppData\Local\Temp\1C0F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\211F.tmp"C:\Users\Admin\AppData\Local\Temp\211F.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Users\Admin\AppData\Local\Temp\2844.tmp"C:\Users\Admin\AppData\Local\Temp\2844.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Users\Admin\AppData\Local\Temp\2E8D.tmp"C:\Users\Admin\AppData\Local\Temp\2E8D.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\339E.tmp"C:\Users\Admin\AppData\Local\Temp\339E.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\3812.tmp"C:\Users\Admin\AppData\Local\Temp\3812.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\38ED.tmp"C:\Users\Admin\AppData\Local\Temp\38ED.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Users\Admin\AppData\Local\Temp\3D62.tmp"C:\Users\Admin\AppData\Local\Temp\3D62.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\3E1D.tmp"C:\Users\Admin\AppData\Local\Temp\3E1D.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\3FE2.tmp"C:\Users\Admin\AppData\Local\Temp\3FE2.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\408E.tmp"C:\Users\Admin\AppData\Local\Temp\408E.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\412B.tmp"C:\Users\Admin\AppData\Local\Temp\412B.tmp"23⤵
- Executes dropped EXE
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\41C7.tmp"C:\Users\Admin\AppData\Local\Temp\41C7.tmp"24⤵
- Executes dropped EXE
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\435D.tmp"C:\Users\Admin\AppData\Local\Temp\435D.tmp"25⤵
- Executes dropped EXE
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\4428.tmp"C:\Users\Admin\AppData\Local\Temp\4428.tmp"26⤵
- Executes dropped EXE
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\4D11.tmp"C:\Users\Admin\AppData\Local\Temp\4D11.tmp"27⤵
- Executes dropped EXE
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\5A6F.tmp"C:\Users\Admin\AppData\Local\Temp\5A6F.tmp"28⤵
- Executes dropped EXE
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\6675.tmp"C:\Users\Admin\AppData\Local\Temp\6675.tmp"29⤵
- Executes dropped EXE
PID:116 -
C:\Users\Admin\AppData\Local\Temp\678F.tmp"C:\Users\Admin\AppData\Local\Temp\678F.tmp"30⤵
- Executes dropped EXE
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\6935.tmp"C:\Users\Admin\AppData\Local\Temp\6935.tmp"31⤵
- Executes dropped EXE
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\6A8C.tmp"C:\Users\Admin\AppData\Local\Temp\6A8C.tmp"32⤵
- Executes dropped EXE
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\6B38.tmp"C:\Users\Admin\AppData\Local\Temp\6B38.tmp"33⤵
- Executes dropped EXE
PID:460 -
C:\Users\Admin\AppData\Local\Temp\6C51.tmp"C:\Users\Admin\AppData\Local\Temp\6C51.tmp"34⤵
- Executes dropped EXE
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\78A6.tmp"C:\Users\Admin\AppData\Local\Temp\78A6.tmp"35⤵
- Executes dropped EXE
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\7932.tmp"C:\Users\Admin\AppData\Local\Temp\7932.tmp"36⤵
- Executes dropped EXE
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\7F6C.tmp"C:\Users\Admin\AppData\Local\Temp\7F6C.tmp"37⤵
- Executes dropped EXE
PID:3560 -
C:\Users\Admin\AppData\Local\Temp\86CF.tmp"C:\Users\Admin\AppData\Local\Temp\86CF.tmp"38⤵
- Executes dropped EXE
PID:232 -
C:\Users\Admin\AppData\Local\Temp\8C1E.tmp"C:\Users\Admin\AppData\Local\Temp\8C1E.tmp"39⤵
- Executes dropped EXE
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\90B2.tmp"C:\Users\Admin\AppData\Local\Temp\90B2.tmp"40⤵
- Executes dropped EXE
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\915E.tmp"C:\Users\Admin\AppData\Local\Temp\915E.tmp"41⤵
- Executes dropped EXE
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\91CB.tmp"C:\Users\Admin\AppData\Local\Temp\91CB.tmp"42⤵
- Executes dropped EXE
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\9239.tmp"C:\Users\Admin\AppData\Local\Temp\9239.tmp"43⤵
- Executes dropped EXE
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\92D5.tmp"C:\Users\Admin\AppData\Local\Temp\92D5.tmp"44⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\9352.tmp"C:\Users\Admin\AppData\Local\Temp\9352.tmp"45⤵
- Executes dropped EXE
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\93EE.tmp"C:\Users\Admin\AppData\Local\Temp\93EE.tmp"46⤵
- Executes dropped EXE
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\944C.tmp"C:\Users\Admin\AppData\Local\Temp\944C.tmp"47⤵
- Executes dropped EXE
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\94D8.tmp"C:\Users\Admin\AppData\Local\Temp\94D8.tmp"48⤵
- Executes dropped EXE
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\A505.tmp"C:\Users\Admin\AppData\Local\Temp\A505.tmp"49⤵
- Executes dropped EXE
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\ADDF.tmp"C:\Users\Admin\AppData\Local\Temp\ADDF.tmp"50⤵
- Executes dropped EXE
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\B2E0.tmp"C:\Users\Admin\AppData\Local\Temp\B2E0.tmp"51⤵
- Executes dropped EXE
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\B89D.tmp"C:\Users\Admin\AppData\Local\Temp\B89D.tmp"52⤵
- Executes dropped EXE
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\BB6B.tmp"C:\Users\Admin\AppData\Local\Temp\BB6B.tmp"53⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\BE3A.tmp"C:\Users\Admin\AppData\Local\Temp\BE3A.tmp"54⤵
- Executes dropped EXE
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\D443.tmp"C:\Users\Admin\AppData\Local\Temp\D443.tmp"55⤵
- Executes dropped EXE
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\D695.tmp"C:\Users\Admin\AppData\Local\Temp\D695.tmp"56⤵
- Executes dropped EXE
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\D869.tmp"C:\Users\Admin\AppData\Local\Temp\D869.tmp"57⤵
- Executes dropped EXE
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\D915.tmp"C:\Users\Admin\AppData\Local\Temp\D915.tmp"58⤵
- Executes dropped EXE
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\DE55.tmp"C:\Users\Admin\AppData\Local\Temp\DE55.tmp"59⤵
- Executes dropped EXE
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\E21E.tmp"C:\Users\Admin\AppData\Local\Temp\E21E.tmp"60⤵
- Executes dropped EXE
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\E6D1.tmp"C:\Users\Admin\AppData\Local\Temp\E6D1.tmp"61⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\E8B5.tmp"C:\Users\Admin\AppData\Local\Temp\E8B5.tmp"62⤵
- Executes dropped EXE
PID:1012 -
C:\Users\Admin\AppData\Local\Temp\F0A4.tmp"C:\Users\Admin\AppData\Local\Temp\F0A4.tmp"63⤵
- Executes dropped EXE
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\F632.tmp"C:\Users\Admin\AppData\Local\Temp\F632.tmp"64⤵
- Executes dropped EXE
PID:552 -
C:\Users\Admin\AppData\Local\Temp\F8B3.tmp"C:\Users\Admin\AppData\Local\Temp\F8B3.tmp"65⤵
- Executes dropped EXE
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\FD18.tmp"C:\Users\Admin\AppData\Local\Temp\FD18.tmp"66⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\FE70.tmp"C:\Users\Admin\AppData\Local\Temp\FE70.tmp"67⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\FFC7.tmp"C:\Users\Admin\AppData\Local\Temp\FFC7.tmp"68⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\332.tmp"C:\Users\Admin\AppData\Local\Temp\332.tmp"69⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\7C6.tmp"C:\Users\Admin\AppData\Local\Temp\7C6.tmp"70⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\99B.tmp"C:\Users\Admin\AppData\Local\Temp\99B.tmp"71⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\F19.tmp"C:\Users\Admin\AppData\Local\Temp\F19.tmp"72⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\13FB.tmp"C:\Users\Admin\AppData\Local\Temp\13FB.tmp"73⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\190C.tmp"C:\Users\Admin\AppData\Local\Temp\190C.tmp"74⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\1AE1.tmp"C:\Users\Admin\AppData\Local\Temp\1AE1.tmp"75⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\1C39.tmp"C:\Users\Admin\AppData\Local\Temp\1C39.tmp"76⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\1EF8.tmp"C:\Users\Admin\AppData\Local\Temp\1EF8.tmp"77⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\1FB3.tmp"C:\Users\Admin\AppData\Local\Temp\1FB3.tmp"78⤵PID:2584
-
C:\Users\Admin\AppData\Local\Temp\23AB.tmp"C:\Users\Admin\AppData\Local\Temp\23AB.tmp"79⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\2793.tmp"C:\Users\Admin\AppData\Local\Temp\2793.tmp"80⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\2968.tmp"C:\Users\Admin\AppData\Local\Temp\2968.tmp"81⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\2F05.tmp"C:\Users\Admin\AppData\Local\Temp\2F05.tmp"82⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\3EC4.tmp"C:\Users\Admin\AppData\Local\Temp\3EC4.tmp"83⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\4174.tmp"C:\Users\Admin\AppData\Local\Temp\4174.tmp"84⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\48F6.tmp"C:\Users\Admin\AppData\Local\Temp\48F6.tmp"85⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\4BF3.tmp"C:\Users\Admin\AppData\Local\Temp\4BF3.tmp"86⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\54FC.tmp"C:\Users\Admin\AppData\Local\Temp\54FC.tmp"87⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\5615.tmp"C:\Users\Admin\AppData\Local\Temp\5615.tmp"88⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\5B16.tmp"C:\Users\Admin\AppData\Local\Temp\5B16.tmp"89⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\6008.tmp"C:\Users\Admin\AppData\Local\Temp\6008.tmp"90⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\64AC.tmp"C:\Users\Admin\AppData\Local\Temp\64AC.tmp"91⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\68C2.tmp"C:\Users\Admin\AppData\Local\Temp\68C2.tmp"92⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\69FB.tmp"C:\Users\Admin\AppData\Local\Temp\69FB.tmp"93⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\6A68.tmp"C:\Users\Admin\AppData\Local\Temp\6A68.tmp"94⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\6AE5.tmp"C:\Users\Admin\AppData\Local\Temp\6AE5.tmp"95⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\6B62.tmp"C:\Users\Admin\AppData\Local\Temp\6B62.tmp"96⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\6D56.tmp"C:\Users\Admin\AppData\Local\Temp\6D56.tmp"97⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\6DD3.tmp"C:\Users\Admin\AppData\Local\Temp\6DD3.tmp"98⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\6E50.tmp"C:\Users\Admin\AppData\Local\Temp\6E50.tmp"99⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\6EED.tmp"C:\Users\Admin\AppData\Local\Temp\6EED.tmp"100⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\6F79.tmp"C:\Users\Admin\AppData\Local\Temp\6F79.tmp"101⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\7025.tmp"C:\Users\Admin\AppData\Local\Temp\7025.tmp"102⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\70C1.tmp"C:\Users\Admin\AppData\Local\Temp\70C1.tmp"103⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\7296.tmp"C:\Users\Admin\AppData\Local\Temp\7296.tmp"104⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\7313.tmp"C:\Users\Admin\AppData\Local\Temp\7313.tmp"105⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\73A0.tmp"C:\Users\Admin\AppData\Local\Temp\73A0.tmp"106⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\743C.tmp"C:\Users\Admin\AppData\Local\Temp\743C.tmp"107⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\74E8.tmp"C:\Users\Admin\AppData\Local\Temp\74E8.tmp"108⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\7574.tmp"C:\Users\Admin\AppData\Local\Temp\7574.tmp"109⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\7601.tmp"C:\Users\Admin\AppData\Local\Temp\7601.tmp"110⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\769D.tmp"C:\Users\Admin\AppData\Local\Temp\769D.tmp"111⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\7759.tmp"C:\Users\Admin\AppData\Local\Temp\7759.tmp"112⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\77D6.tmp"C:\Users\Admin\AppData\Local\Temp\77D6.tmp"113⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\7853.tmp"C:\Users\Admin\AppData\Local\Temp\7853.tmp"114⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\78DF.tmp"C:\Users\Admin\AppData\Local\Temp\78DF.tmp"115⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\797C.tmp"C:\Users\Admin\AppData\Local\Temp\797C.tmp"116⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\79F9.tmp"C:\Users\Admin\AppData\Local\Temp\79F9.tmp"117⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\7A76.tmp"C:\Users\Admin\AppData\Local\Temp\7A76.tmp"118⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\7AE3.tmp"C:\Users\Admin\AppData\Local\Temp\7AE3.tmp"119⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\7B70.tmp"C:\Users\Admin\AppData\Local\Temp\7B70.tmp"120⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\82D2.tmp"C:\Users\Admin\AppData\Local\Temp\82D2.tmp"121⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\836F.tmp"C:\Users\Admin\AppData\Local\Temp\836F.tmp"122⤵PID:4864