Analysis
-
max time kernel
150s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
30-04-2024 19:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe
Resource
win7-20231129-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe
-
Size
536KB
-
MD5
d30fb0c5b9f286cadaf33fd668fa905c
-
SHA1
1e08a63947e4e04b6deab7c896273b54ff58031a
-
SHA256
ba9322858a1c86604613ac6ac8b5c03188c4943a6f9d3cd5740499571076bebe
-
SHA512
253a0c67be5329e3cfb397839bf1dfa20aac197526f8d18d37c3125eb87fb24a0ad5cd957204483a0f457e8f9462654318a5164f89b5032f69949643f25133c6
-
SSDEEP
12288:wU5rCOTeiUPs5vYqyM+qVwsGtJTIZxVJ0ZT9:wUQOJU0+qH+qVwsMIRJ0ZT9
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4628 4AB5.tmp 1748 4B51.tmp 3720 4C1C.tmp 4664 4CC8.tmp 1260 4D45.tmp 2800 4DE1.tmp 4400 4EAC.tmp 4548 4F49.tmp 3592 4FE5.tmp 4688 5091.tmp 2448 512D.tmp 3928 51C9.tmp 4092 5246.tmp 2584 52F2.tmp 5000 538E.tmp 1444 542B.tmp 2804 54B7.tmp 444 5563.tmp 3332 55E0.tmp 5104 566D.tmp 1048 5709.tmp 2716 5796.tmp 2044 5822.tmp 2564 58CE.tmp 4368 596A.tmp 4452 5A16.tmp 988 5A93.tmp 3720 5B4F.tmp 3228 5BDB.tmp 1140 5C97.tmp 2360 5D43.tmp 4880 5DB0.tmp 500 5E5C.tmp 2116 5EBA.tmp 3036 5F27.tmp 4832 5F85.tmp 820 6002.tmp 4036 606F.tmp 856 60DD.tmp 4788 613A.tmp 4336 61A8.tmp 1204 6206.tmp 1228 6254.tmp 5068 62D1.tmp 3208 632E.tmp 364 638C.tmp 4616 6419.tmp 3348 6477.tmp 768 64C5.tmp 2032 6513.tmp 684 6561.tmp 1056 65BF.tmp 4364 660D.tmp 4552 666B.tmp 4368 66B9.tmp 3296 6707.tmp 1960 6765.tmp 4916 67C2.tmp 3720 6820.tmp 3824 686E.tmp 5096 68CC.tmp 2548 691A.tmp 8 6978.tmp 1260 69D6.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1932 wrote to memory of 4628 1932 2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe 85 PID 1932 wrote to memory of 4628 1932 2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe 85 PID 1932 wrote to memory of 4628 1932 2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe 85 PID 4628 wrote to memory of 1748 4628 4AB5.tmp 86 PID 4628 wrote to memory of 1748 4628 4AB5.tmp 86 PID 4628 wrote to memory of 1748 4628 4AB5.tmp 86 PID 1748 wrote to memory of 3720 1748 4B51.tmp 88 PID 1748 wrote to memory of 3720 1748 4B51.tmp 88 PID 1748 wrote to memory of 3720 1748 4B51.tmp 88 PID 3720 wrote to memory of 4664 3720 4C1C.tmp 89 PID 3720 wrote to memory of 4664 3720 4C1C.tmp 89 PID 3720 wrote to memory of 4664 3720 4C1C.tmp 89 PID 4664 wrote to memory of 1260 4664 4CC8.tmp 91 PID 4664 wrote to memory of 1260 4664 4CC8.tmp 91 PID 4664 wrote to memory of 1260 4664 4CC8.tmp 91 PID 1260 wrote to memory of 2800 1260 4D45.tmp 93 PID 1260 wrote to memory of 2800 1260 4D45.tmp 93 PID 1260 wrote to memory of 2800 1260 4D45.tmp 93 PID 2800 wrote to memory of 4400 2800 4DE1.tmp 94 PID 2800 wrote to memory of 4400 2800 4DE1.tmp 94 PID 2800 wrote to memory of 4400 2800 4DE1.tmp 94 PID 4400 wrote to memory of 4548 4400 4EAC.tmp 95 PID 4400 wrote to memory of 4548 4400 4EAC.tmp 95 PID 4400 wrote to memory of 4548 4400 4EAC.tmp 95 PID 4548 wrote to memory of 3592 4548 4F49.tmp 96 PID 4548 wrote to memory of 3592 4548 4F49.tmp 96 PID 4548 wrote to memory of 3592 4548 4F49.tmp 96 PID 3592 wrote to memory of 4688 3592 4FE5.tmp 97 PID 3592 wrote to memory of 4688 3592 4FE5.tmp 97 PID 3592 wrote to memory of 4688 3592 4FE5.tmp 97 PID 4688 wrote to memory of 2448 4688 5091.tmp 98 PID 4688 wrote to memory of 2448 4688 5091.tmp 98 PID 4688 wrote to memory of 2448 4688 5091.tmp 98 PID 2448 wrote to memory of 3928 2448 512D.tmp 99 PID 2448 wrote to memory of 3928 2448 512D.tmp 99 PID 2448 wrote to memory of 3928 2448 512D.tmp 99 PID 3928 wrote to memory of 4092 3928 51C9.tmp 100 PID 3928 wrote to memory of 4092 3928 51C9.tmp 100 PID 3928 wrote to memory of 4092 3928 51C9.tmp 100 PID 4092 wrote to memory of 2584 4092 5246.tmp 101 PID 4092 wrote to memory of 2584 4092 5246.tmp 101 PID 4092 wrote to memory of 2584 4092 5246.tmp 101 PID 2584 wrote to memory of 5000 2584 52F2.tmp 102 PID 2584 wrote to memory of 5000 2584 52F2.tmp 102 PID 2584 wrote to memory of 5000 2584 52F2.tmp 102 PID 5000 wrote to memory of 1444 5000 538E.tmp 105 PID 5000 wrote to memory of 1444 5000 538E.tmp 105 PID 5000 wrote to memory of 1444 5000 538E.tmp 105 PID 1444 wrote to memory of 2804 1444 542B.tmp 106 PID 1444 wrote to memory of 2804 1444 542B.tmp 106 PID 1444 wrote to memory of 2804 1444 542B.tmp 106 PID 2804 wrote to memory of 444 2804 54B7.tmp 107 PID 2804 wrote to memory of 444 2804 54B7.tmp 107 PID 2804 wrote to memory of 444 2804 54B7.tmp 107 PID 444 wrote to memory of 3332 444 5563.tmp 108 PID 444 wrote to memory of 3332 444 5563.tmp 108 PID 444 wrote to memory of 3332 444 5563.tmp 108 PID 3332 wrote to memory of 5104 3332 55E0.tmp 109 PID 3332 wrote to memory of 5104 3332 55E0.tmp 109 PID 3332 wrote to memory of 5104 3332 55E0.tmp 109 PID 5104 wrote to memory of 1048 5104 566D.tmp 110 PID 5104 wrote to memory of 1048 5104 566D.tmp 110 PID 5104 wrote to memory of 1048 5104 566D.tmp 110 PID 1048 wrote to memory of 2716 1048 5709.tmp 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-30_d30fb0c5b9f286cadaf33fd668fa905c_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\4AB5.tmp"C:\Users\Admin\AppData\Local\Temp\4AB5.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\4B51.tmp"C:\Users\Admin\AppData\Local\Temp\4B51.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\4C1C.tmp"C:\Users\Admin\AppData\Local\Temp\4C1C.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\4D45.tmp"C:\Users\Admin\AppData\Local\Temp\4D45.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\4DE1.tmp"C:\Users\Admin\AppData\Local\Temp\4DE1.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\4F49.tmp"C:\Users\Admin\AppData\Local\Temp\4F49.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\4FE5.tmp"C:\Users\Admin\AppData\Local\Temp\4FE5.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\5091.tmp"C:\Users\Admin\AppData\Local\Temp\5091.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\512D.tmp"C:\Users\Admin\AppData\Local\Temp\512D.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\51C9.tmp"C:\Users\Admin\AppData\Local\Temp\51C9.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\5246.tmp"C:\Users\Admin\AppData\Local\Temp\5246.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\52F2.tmp"C:\Users\Admin\AppData\Local\Temp\52F2.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\538E.tmp"C:\Users\Admin\AppData\Local\Temp\538E.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\542B.tmp"C:\Users\Admin\AppData\Local\Temp\542B.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\54B7.tmp"C:\Users\Admin\AppData\Local\Temp\54B7.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\5563.tmp"C:\Users\Admin\AppData\Local\Temp\5563.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Users\Admin\AppData\Local\Temp\55E0.tmp"C:\Users\Admin\AppData\Local\Temp\55E0.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\566D.tmp"C:\Users\Admin\AppData\Local\Temp\566D.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\5709.tmp"C:\Users\Admin\AppData\Local\Temp\5709.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\5796.tmp"C:\Users\Admin\AppData\Local\Temp\5796.tmp"23⤵
- Executes dropped EXE
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\5822.tmp"C:\Users\Admin\AppData\Local\Temp\5822.tmp"24⤵
- Executes dropped EXE
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\58CE.tmp"C:\Users\Admin\AppData\Local\Temp\58CE.tmp"25⤵
- Executes dropped EXE
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\596A.tmp"C:\Users\Admin\AppData\Local\Temp\596A.tmp"26⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\5A16.tmp"C:\Users\Admin\AppData\Local\Temp\5A16.tmp"27⤵
- Executes dropped EXE
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\5A93.tmp"C:\Users\Admin\AppData\Local\Temp\5A93.tmp"28⤵
- Executes dropped EXE
PID:988 -
C:\Users\Admin\AppData\Local\Temp\5B4F.tmp"C:\Users\Admin\AppData\Local\Temp\5B4F.tmp"29⤵
- Executes dropped EXE
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"C:\Users\Admin\AppData\Local\Temp\5BDB.tmp"30⤵
- Executes dropped EXE
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\5C97.tmp"C:\Users\Admin\AppData\Local\Temp\5C97.tmp"31⤵
- Executes dropped EXE
PID:1140 -
C:\Users\Admin\AppData\Local\Temp\5D43.tmp"C:\Users\Admin\AppData\Local\Temp\5D43.tmp"32⤵
- Executes dropped EXE
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"33⤵
- Executes dropped EXE
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\5E5C.tmp"C:\Users\Admin\AppData\Local\Temp\5E5C.tmp"34⤵
- Executes dropped EXE
PID:500 -
C:\Users\Admin\AppData\Local\Temp\5EBA.tmp"C:\Users\Admin\AppData\Local\Temp\5EBA.tmp"35⤵
- Executes dropped EXE
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\5F27.tmp"C:\Users\Admin\AppData\Local\Temp\5F27.tmp"36⤵
- Executes dropped EXE
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\5F85.tmp"C:\Users\Admin\AppData\Local\Temp\5F85.tmp"37⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\6002.tmp"C:\Users\Admin\AppData\Local\Temp\6002.tmp"38⤵
- Executes dropped EXE
PID:820 -
C:\Users\Admin\AppData\Local\Temp\606F.tmp"C:\Users\Admin\AppData\Local\Temp\606F.tmp"39⤵
- Executes dropped EXE
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\60DD.tmp"C:\Users\Admin\AppData\Local\Temp\60DD.tmp"40⤵
- Executes dropped EXE
PID:856 -
C:\Users\Admin\AppData\Local\Temp\613A.tmp"C:\Users\Admin\AppData\Local\Temp\613A.tmp"41⤵
- Executes dropped EXE
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\61A8.tmp"C:\Users\Admin\AppData\Local\Temp\61A8.tmp"42⤵
- Executes dropped EXE
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\6206.tmp"C:\Users\Admin\AppData\Local\Temp\6206.tmp"43⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\6254.tmp"C:\Users\Admin\AppData\Local\Temp\6254.tmp"44⤵
- Executes dropped EXE
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\62D1.tmp"C:\Users\Admin\AppData\Local\Temp\62D1.tmp"45⤵
- Executes dropped EXE
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\632E.tmp"C:\Users\Admin\AppData\Local\Temp\632E.tmp"46⤵
- Executes dropped EXE
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\638C.tmp"C:\Users\Admin\AppData\Local\Temp\638C.tmp"47⤵
- Executes dropped EXE
PID:364 -
C:\Users\Admin\AppData\Local\Temp\6419.tmp"C:\Users\Admin\AppData\Local\Temp\6419.tmp"48⤵
- Executes dropped EXE
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\6477.tmp"C:\Users\Admin\AppData\Local\Temp\6477.tmp"49⤵
- Executes dropped EXE
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\64C5.tmp"C:\Users\Admin\AppData\Local\Temp\64C5.tmp"50⤵
- Executes dropped EXE
PID:768 -
C:\Users\Admin\AppData\Local\Temp\6513.tmp"C:\Users\Admin\AppData\Local\Temp\6513.tmp"51⤵
- Executes dropped EXE
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\6561.tmp"C:\Users\Admin\AppData\Local\Temp\6561.tmp"52⤵
- Executes dropped EXE
PID:684 -
C:\Users\Admin\AppData\Local\Temp\65BF.tmp"C:\Users\Admin\AppData\Local\Temp\65BF.tmp"53⤵
- Executes dropped EXE
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\660D.tmp"C:\Users\Admin\AppData\Local\Temp\660D.tmp"54⤵
- Executes dropped EXE
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\666B.tmp"C:\Users\Admin\AppData\Local\Temp\666B.tmp"55⤵
- Executes dropped EXE
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\66B9.tmp"C:\Users\Admin\AppData\Local\Temp\66B9.tmp"56⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\6707.tmp"C:\Users\Admin\AppData\Local\Temp\6707.tmp"57⤵
- Executes dropped EXE
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\6765.tmp"C:\Users\Admin\AppData\Local\Temp\6765.tmp"58⤵
- Executes dropped EXE
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\67C2.tmp"C:\Users\Admin\AppData\Local\Temp\67C2.tmp"59⤵
- Executes dropped EXE
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\6820.tmp"C:\Users\Admin\AppData\Local\Temp\6820.tmp"60⤵
- Executes dropped EXE
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\686E.tmp"C:\Users\Admin\AppData\Local\Temp\686E.tmp"61⤵
- Executes dropped EXE
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\68CC.tmp"C:\Users\Admin\AppData\Local\Temp\68CC.tmp"62⤵
- Executes dropped EXE
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\691A.tmp"C:\Users\Admin\AppData\Local\Temp\691A.tmp"63⤵
- Executes dropped EXE
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\6978.tmp"C:\Users\Admin\AppData\Local\Temp\6978.tmp"64⤵
- Executes dropped EXE
PID:8 -
C:\Users\Admin\AppData\Local\Temp\69D6.tmp"C:\Users\Admin\AppData\Local\Temp\69D6.tmp"65⤵
- Executes dropped EXE
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\6A33.tmp"C:\Users\Admin\AppData\Local\Temp\6A33.tmp"66⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\6A81.tmp"C:\Users\Admin\AppData\Local\Temp\6A81.tmp"67⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"68⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"69⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"70⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"71⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\6C27.tmp"C:\Users\Admin\AppData\Local\Temp\6C27.tmp"72⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\6C85.tmp"C:\Users\Admin\AppData\Local\Temp\6C85.tmp"73⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"74⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\6D50.tmp"C:\Users\Admin\AppData\Local\Temp\6D50.tmp"75⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\6DAE.tmp"C:\Users\Admin\AppData\Local\Temp\6DAE.tmp"76⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\6E0C.tmp"C:\Users\Admin\AppData\Local\Temp\6E0C.tmp"77⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\6E5A.tmp"C:\Users\Admin\AppData\Local\Temp\6E5A.tmp"78⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"79⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"80⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\6F44.tmp"C:\Users\Admin\AppData\Local\Temp\6F44.tmp"81⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"82⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"83⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\703E.tmp"C:\Users\Admin\AppData\Local\Temp\703E.tmp"84⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\708C.tmp"C:\Users\Admin\AppData\Local\Temp\708C.tmp"85⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\70EA.tmp"C:\Users\Admin\AppData\Local\Temp\70EA.tmp"86⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\7138.tmp"C:\Users\Admin\AppData\Local\Temp\7138.tmp"87⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\7196.tmp"C:\Users\Admin\AppData\Local\Temp\7196.tmp"88⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\71E4.tmp"C:\Users\Admin\AppData\Local\Temp\71E4.tmp"89⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\7232.tmp"C:\Users\Admin\AppData\Local\Temp\7232.tmp"90⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\7290.tmp"C:\Users\Admin\AppData\Local\Temp\7290.tmp"91⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\72DE.tmp"C:\Users\Admin\AppData\Local\Temp\72DE.tmp"92⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\732C.tmp"C:\Users\Admin\AppData\Local\Temp\732C.tmp"93⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\738A.tmp"C:\Users\Admin\AppData\Local\Temp\738A.tmp"94⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\73D8.tmp"C:\Users\Admin\AppData\Local\Temp\73D8.tmp"95⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\7436.tmp"C:\Users\Admin\AppData\Local\Temp\7436.tmp"96⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\7484.tmp"C:\Users\Admin\AppData\Local\Temp\7484.tmp"97⤵PID:516
-
C:\Users\Admin\AppData\Local\Temp\74E2.tmp"C:\Users\Admin\AppData\Local\Temp\74E2.tmp"98⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\7530.tmp"C:\Users\Admin\AppData\Local\Temp\7530.tmp"99⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\757E.tmp"C:\Users\Admin\AppData\Local\Temp\757E.tmp"100⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\75CC.tmp"C:\Users\Admin\AppData\Local\Temp\75CC.tmp"101⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\761A.tmp"C:\Users\Admin\AppData\Local\Temp\761A.tmp"102⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\7678.tmp"C:\Users\Admin\AppData\Local\Temp\7678.tmp"103⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\76C6.tmp"C:\Users\Admin\AppData\Local\Temp\76C6.tmp"104⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\7714.tmp"C:\Users\Admin\AppData\Local\Temp\7714.tmp"105⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\7762.tmp"C:\Users\Admin\AppData\Local\Temp\7762.tmp"106⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\77B0.tmp"C:\Users\Admin\AppData\Local\Temp\77B0.tmp"107⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\780E.tmp"C:\Users\Admin\AppData\Local\Temp\780E.tmp"108⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\785C.tmp"C:\Users\Admin\AppData\Local\Temp\785C.tmp"109⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\78AA.tmp"C:\Users\Admin\AppData\Local\Temp\78AA.tmp"110⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\7908.tmp"C:\Users\Admin\AppData\Local\Temp\7908.tmp"111⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\7956.tmp"C:\Users\Admin\AppData\Local\Temp\7956.tmp"112⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\79A4.tmp"C:\Users\Admin\AppData\Local\Temp\79A4.tmp"113⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\79F3.tmp"C:\Users\Admin\AppData\Local\Temp\79F3.tmp"114⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\7A41.tmp"C:\Users\Admin\AppData\Local\Temp\7A41.tmp"115⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\7A9E.tmp"C:\Users\Admin\AppData\Local\Temp\7A9E.tmp"116⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\7AED.tmp"C:\Users\Admin\AppData\Local\Temp\7AED.tmp"117⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\7B3B.tmp"C:\Users\Admin\AppData\Local\Temp\7B3B.tmp"118⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\7B89.tmp"C:\Users\Admin\AppData\Local\Temp\7B89.tmp"119⤵PID:364
-
C:\Users\Admin\AppData\Local\Temp\7BD7.tmp"C:\Users\Admin\AppData\Local\Temp\7BD7.tmp"120⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\7C25.tmp"C:\Users\Admin\AppData\Local\Temp\7C25.tmp"121⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\7C73.tmp"C:\Users\Admin\AppData\Local\Temp\7C73.tmp"122⤵PID:1224
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-