Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/06/2024, 20:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe
-
Size
488KB
-
MD5
719c3a9d8251a6623e6220186abed372
-
SHA1
fd36a874534acba2510da2835d458cab557b3fdf
-
SHA256
f7534c447506f22c1daaab5891c030744546328efa2af8ed1204ed0a63cfbc09
-
SHA512
cdac03551166b867fddc1eb96a1f667bba4e11d68e13427b866a6aa03bb3ad64a3a57e37daee1d4b9b5d07ac9e48e5e03b7e98c08b9767f381d2ed738b254425
-
SSDEEP
12288:/U5rCOTeiDDLXFmnD4OgHByPrZ1ZWo3NZ:/UQOJDXVmD4OgHUtH93N
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4868 E138.tmp 2244 E1A5.tmp 1612 E213.tmp 1436 E29F.tmp 2720 E2FD.tmp 660 E36B.tmp 2960 E3B9.tmp 2644 E416.tmp 4424 E474.tmp 1400 E501.tmp 4544 E55F.tmp 2928 E5BC.tmp 2672 E639.tmp 2324 E6A7.tmp 4580 E714.tmp 1520 E762.tmp 4532 E7DF.tmp 4216 E82D.tmp 3488 E88B.tmp 3984 E908.tmp 2436 E975.tmp 1544 E9D3.tmp 3820 EA31.tmp 2280 EA7F.tmp 4888 EAFC.tmp 4792 EB69.tmp 1252 EBB8.tmp 1392 EC54.tmp 4808 ECA2.tmp 4684 ED2F.tmp 3244 ED8C.tmp 4756 EE09.tmp 4512 EE86.tmp 4616 EED4.tmp 4976 EF23.tmp 1004 EF71.tmp 4864 EFCE.tmp 2656 F02C.tmp 3844 F08A.tmp 1108 F0D8.tmp 4040 F126.tmp 2364 F174.tmp 2372 F1D2.tmp 2324 F220.tmp 4580 F27E.tmp 1972 F2CC.tmp 3360 F31A.tmp 1896 F368.tmp 972 F3C6.tmp 2196 F414.tmp 4944 F472.tmp 5096 F4D0.tmp 1948 F51E.tmp 4552 F57C.tmp 1544 F5CA.tmp 3284 F618.tmp 400 F676.tmp 1096 F6C4.tmp 4792 F712.tmp 3292 F770.tmp 4924 F7BE.tmp 3348 F80C.tmp 1744 F85A.tmp 4696 F8B8.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1528 wrote to memory of 4868 1528 2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe 90 PID 1528 wrote to memory of 4868 1528 2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe 90 PID 1528 wrote to memory of 4868 1528 2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe 90 PID 4868 wrote to memory of 2244 4868 E138.tmp 91 PID 4868 wrote to memory of 2244 4868 E138.tmp 91 PID 4868 wrote to memory of 2244 4868 E138.tmp 91 PID 2244 wrote to memory of 1612 2244 E1A5.tmp 92 PID 2244 wrote to memory of 1612 2244 E1A5.tmp 92 PID 2244 wrote to memory of 1612 2244 E1A5.tmp 92 PID 1612 wrote to memory of 1436 1612 E213.tmp 93 PID 1612 wrote to memory of 1436 1612 E213.tmp 93 PID 1612 wrote to memory of 1436 1612 E213.tmp 93 PID 1436 wrote to memory of 2720 1436 E29F.tmp 94 PID 1436 wrote to memory of 2720 1436 E29F.tmp 94 PID 1436 wrote to memory of 2720 1436 E29F.tmp 94 PID 2720 wrote to memory of 660 2720 E2FD.tmp 95 PID 2720 wrote to memory of 660 2720 E2FD.tmp 95 PID 2720 wrote to memory of 660 2720 E2FD.tmp 95 PID 660 wrote to memory of 2960 660 E36B.tmp 97 PID 660 wrote to memory of 2960 660 E36B.tmp 97 PID 660 wrote to memory of 2960 660 E36B.tmp 97 PID 2960 wrote to memory of 2644 2960 E3B9.tmp 99 PID 2960 wrote to memory of 2644 2960 E3B9.tmp 99 PID 2960 wrote to memory of 2644 2960 E3B9.tmp 99 PID 2644 wrote to memory of 4424 2644 E416.tmp 101 PID 2644 wrote to memory of 4424 2644 E416.tmp 101 PID 2644 wrote to memory of 4424 2644 E416.tmp 101 PID 4424 wrote to memory of 1400 4424 E474.tmp 102 PID 4424 wrote to memory of 1400 4424 E474.tmp 102 PID 4424 wrote to memory of 1400 4424 E474.tmp 102 PID 1400 wrote to memory of 4544 1400 E501.tmp 103 PID 1400 wrote to memory of 4544 1400 E501.tmp 103 PID 1400 wrote to memory of 4544 1400 E501.tmp 103 PID 4544 wrote to memory of 2928 4544 E55F.tmp 104 PID 4544 wrote to memory of 2928 4544 E55F.tmp 104 PID 4544 wrote to memory of 2928 4544 E55F.tmp 104 PID 2928 wrote to memory of 2672 2928 E5BC.tmp 105 PID 2928 wrote to memory of 2672 2928 E5BC.tmp 105 PID 2928 wrote to memory of 2672 2928 E5BC.tmp 105 PID 2672 wrote to memory of 2324 2672 E639.tmp 106 PID 2672 wrote to memory of 2324 2672 E639.tmp 106 PID 2672 wrote to memory of 2324 2672 E639.tmp 106 PID 2324 wrote to memory of 4580 2324 E6A7.tmp 107 PID 2324 wrote to memory of 4580 2324 E6A7.tmp 107 PID 2324 wrote to memory of 4580 2324 E6A7.tmp 107 PID 4580 wrote to memory of 1520 4580 E714.tmp 108 PID 4580 wrote to memory of 1520 4580 E714.tmp 108 PID 4580 wrote to memory of 1520 4580 E714.tmp 108 PID 1520 wrote to memory of 4532 1520 E762.tmp 109 PID 1520 wrote to memory of 4532 1520 E762.tmp 109 PID 1520 wrote to memory of 4532 1520 E762.tmp 109 PID 4532 wrote to memory of 4216 4532 E7DF.tmp 110 PID 4532 wrote to memory of 4216 4532 E7DF.tmp 110 PID 4532 wrote to memory of 4216 4532 E7DF.tmp 110 PID 4216 wrote to memory of 3488 4216 E82D.tmp 111 PID 4216 wrote to memory of 3488 4216 E82D.tmp 111 PID 4216 wrote to memory of 3488 4216 E82D.tmp 111 PID 3488 wrote to memory of 3984 3488 E88B.tmp 112 PID 3488 wrote to memory of 3984 3488 E88B.tmp 112 PID 3488 wrote to memory of 3984 3488 E88B.tmp 112 PID 3984 wrote to memory of 2436 3984 E908.tmp 113 PID 3984 wrote to memory of 2436 3984 E908.tmp 113 PID 3984 wrote to memory of 2436 3984 E908.tmp 113 PID 2436 wrote to memory of 1544 2436 E975.tmp 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_719c3a9d8251a6623e6220186abed372_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\E138.tmp"C:\Users\Admin\AppData\Local\Temp\E138.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\E1A5.tmp"C:\Users\Admin\AppData\Local\Temp\E1A5.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\E213.tmp"C:\Users\Admin\AppData\Local\Temp\E213.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\E29F.tmp"C:\Users\Admin\AppData\Local\Temp\E29F.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Users\Admin\AppData\Local\Temp\E2FD.tmp"C:\Users\Admin\AppData\Local\Temp\E2FD.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\E36B.tmp"C:\Users\Admin\AppData\Local\Temp\E36B.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Users\Admin\AppData\Local\Temp\E3B9.tmp"C:\Users\Admin\AppData\Local\Temp\E3B9.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\E416.tmp"C:\Users\Admin\AppData\Local\Temp\E416.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\E474.tmp"C:\Users\Admin\AppData\Local\Temp\E474.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\E501.tmp"C:\Users\Admin\AppData\Local\Temp\E501.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\E55F.tmp"C:\Users\Admin\AppData\Local\Temp\E55F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\E5BC.tmp"C:\Users\Admin\AppData\Local\Temp\E5BC.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\E639.tmp"C:\Users\Admin\AppData\Local\Temp\E639.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\E6A7.tmp"C:\Users\Admin\AppData\Local\Temp\E6A7.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\E714.tmp"C:\Users\Admin\AppData\Local\Temp\E714.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\E762.tmp"C:\Users\Admin\AppData\Local\Temp\E762.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\E7DF.tmp"C:\Users\Admin\AppData\Local\Temp\E7DF.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\E82D.tmp"C:\Users\Admin\AppData\Local\Temp\E82D.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\E88B.tmp"C:\Users\Admin\AppData\Local\Temp\E88B.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\E908.tmp"C:\Users\Admin\AppData\Local\Temp\E908.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\E975.tmp"C:\Users\Admin\AppData\Local\Temp\E975.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\E9D3.tmp"C:\Users\Admin\AppData\Local\Temp\E9D3.tmp"23⤵
- Executes dropped EXE
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\EA31.tmp"C:\Users\Admin\AppData\Local\Temp\EA31.tmp"24⤵
- Executes dropped EXE
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\EA7F.tmp"C:\Users\Admin\AppData\Local\Temp\EA7F.tmp"25⤵
- Executes dropped EXE
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\EAFC.tmp"C:\Users\Admin\AppData\Local\Temp\EAFC.tmp"26⤵
- Executes dropped EXE
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\EB69.tmp"C:\Users\Admin\AppData\Local\Temp\EB69.tmp"27⤵
- Executes dropped EXE
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\EBB8.tmp"C:\Users\Admin\AppData\Local\Temp\EBB8.tmp"28⤵
- Executes dropped EXE
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\EC06.tmp"C:\Users\Admin\AppData\Local\Temp\EC06.tmp"29⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\EC54.tmp"C:\Users\Admin\AppData\Local\Temp\EC54.tmp"30⤵
- Executes dropped EXE
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\ECA2.tmp"C:\Users\Admin\AppData\Local\Temp\ECA2.tmp"31⤵
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\ED2F.tmp"C:\Users\Admin\AppData\Local\Temp\ED2F.tmp"32⤵
- Executes dropped EXE
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\ED8C.tmp"C:\Users\Admin\AppData\Local\Temp\ED8C.tmp"33⤵
- Executes dropped EXE
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\EE09.tmp"C:\Users\Admin\AppData\Local\Temp\EE09.tmp"34⤵
- Executes dropped EXE
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\EE86.tmp"C:\Users\Admin\AppData\Local\Temp\EE86.tmp"35⤵
- Executes dropped EXE
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\EED4.tmp"C:\Users\Admin\AppData\Local\Temp\EED4.tmp"36⤵
- Executes dropped EXE
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\EF23.tmp"C:\Users\Admin\AppData\Local\Temp\EF23.tmp"37⤵
- Executes dropped EXE
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\EF71.tmp"C:\Users\Admin\AppData\Local\Temp\EF71.tmp"38⤵
- Executes dropped EXE
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\EFCE.tmp"C:\Users\Admin\AppData\Local\Temp\EFCE.tmp"39⤵
- Executes dropped EXE
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\F02C.tmp"C:\Users\Admin\AppData\Local\Temp\F02C.tmp"40⤵
- Executes dropped EXE
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\F08A.tmp"C:\Users\Admin\AppData\Local\Temp\F08A.tmp"41⤵
- Executes dropped EXE
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\F0D8.tmp"C:\Users\Admin\AppData\Local\Temp\F0D8.tmp"42⤵
- Executes dropped EXE
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\F126.tmp"C:\Users\Admin\AppData\Local\Temp\F126.tmp"43⤵
- Executes dropped EXE
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\F174.tmp"C:\Users\Admin\AppData\Local\Temp\F174.tmp"44⤵
- Executes dropped EXE
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\F1D2.tmp"C:\Users\Admin\AppData\Local\Temp\F1D2.tmp"45⤵
- Executes dropped EXE
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\F220.tmp"C:\Users\Admin\AppData\Local\Temp\F220.tmp"46⤵
- Executes dropped EXE
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\F27E.tmp"C:\Users\Admin\AppData\Local\Temp\F27E.tmp"47⤵
- Executes dropped EXE
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\F2CC.tmp"C:\Users\Admin\AppData\Local\Temp\F2CC.tmp"48⤵
- Executes dropped EXE
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\F31A.tmp"C:\Users\Admin\AppData\Local\Temp\F31A.tmp"49⤵
- Executes dropped EXE
PID:3360 -
C:\Users\Admin\AppData\Local\Temp\F368.tmp"C:\Users\Admin\AppData\Local\Temp\F368.tmp"50⤵
- Executes dropped EXE
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\F3C6.tmp"C:\Users\Admin\AppData\Local\Temp\F3C6.tmp"51⤵
- Executes dropped EXE
PID:972 -
C:\Users\Admin\AppData\Local\Temp\F414.tmp"C:\Users\Admin\AppData\Local\Temp\F414.tmp"52⤵
- Executes dropped EXE
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\F472.tmp"C:\Users\Admin\AppData\Local\Temp\F472.tmp"53⤵
- Executes dropped EXE
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\F4D0.tmp"C:\Users\Admin\AppData\Local\Temp\F4D0.tmp"54⤵
- Executes dropped EXE
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\F51E.tmp"C:\Users\Admin\AppData\Local\Temp\F51E.tmp"55⤵
- Executes dropped EXE
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\F57C.tmp"C:\Users\Admin\AppData\Local\Temp\F57C.tmp"56⤵
- Executes dropped EXE
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\F5CA.tmp"C:\Users\Admin\AppData\Local\Temp\F5CA.tmp"57⤵
- Executes dropped EXE
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\F618.tmp"C:\Users\Admin\AppData\Local\Temp\F618.tmp"58⤵
- Executes dropped EXE
PID:3284 -
C:\Users\Admin\AppData\Local\Temp\F676.tmp"C:\Users\Admin\AppData\Local\Temp\F676.tmp"59⤵
- Executes dropped EXE
PID:400 -
C:\Users\Admin\AppData\Local\Temp\F6C4.tmp"C:\Users\Admin\AppData\Local\Temp\F6C4.tmp"60⤵
- Executes dropped EXE
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\F712.tmp"C:\Users\Admin\AppData\Local\Temp\F712.tmp"61⤵
- Executes dropped EXE
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\F770.tmp"C:\Users\Admin\AppData\Local\Temp\F770.tmp"62⤵
- Executes dropped EXE
PID:3292 -
C:\Users\Admin\AppData\Local\Temp\F7BE.tmp"C:\Users\Admin\AppData\Local\Temp\F7BE.tmp"63⤵
- Executes dropped EXE
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\F80C.tmp"C:\Users\Admin\AppData\Local\Temp\F80C.tmp"64⤵
- Executes dropped EXE
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\F85A.tmp"C:\Users\Admin\AppData\Local\Temp\F85A.tmp"65⤵
- Executes dropped EXE
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\F8B8.tmp"C:\Users\Admin\AppData\Local\Temp\F8B8.tmp"66⤵
- Executes dropped EXE
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\F906.tmp"C:\Users\Admin\AppData\Local\Temp\F906.tmp"67⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\F954.tmp"C:\Users\Admin\AppData\Local\Temp\F954.tmp"68⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\F9A2.tmp"C:\Users\Admin\AppData\Local\Temp\F9A2.tmp"69⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\F9F0.tmp"C:\Users\Admin\AppData\Local\Temp\F9F0.tmp"70⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\FA4E.tmp"C:\Users\Admin\AppData\Local\Temp\FA4E.tmp"71⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\FA9C.tmp"C:\Users\Admin\AppData\Local\Temp\FA9C.tmp"72⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\FAEA.tmp"C:\Users\Admin\AppData\Local\Temp\FAEA.tmp"73⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\FB38.tmp"C:\Users\Admin\AppData\Local\Temp\FB38.tmp"74⤵PID:3696
-
C:\Users\Admin\AppData\Local\Temp\FB86.tmp"C:\Users\Admin\AppData\Local\Temp\FB86.tmp"75⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\FBD5.tmp"C:\Users\Admin\AppData\Local\Temp\FBD5.tmp"76⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\FC23.tmp"C:\Users\Admin\AppData\Local\Temp\FC23.tmp"77⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\FC71.tmp"C:\Users\Admin\AppData\Local\Temp\FC71.tmp"78⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\FCBF.tmp"C:\Users\Admin\AppData\Local\Temp\FCBF.tmp"79⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\FD0D.tmp"C:\Users\Admin\AppData\Local\Temp\FD0D.tmp"80⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\FD5B.tmp"C:\Users\Admin\AppData\Local\Temp\FD5B.tmp"81⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\FDB9.tmp"C:\Users\Admin\AppData\Local\Temp\FDB9.tmp"82⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\FE17.tmp"C:\Users\Admin\AppData\Local\Temp\FE17.tmp"83⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\FE74.tmp"C:\Users\Admin\AppData\Local\Temp\FE74.tmp"84⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\FED2.tmp"C:\Users\Admin\AppData\Local\Temp\FED2.tmp"85⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\FF30.tmp"C:\Users\Admin\AppData\Local\Temp\FF30.tmp"86⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\FF8E.tmp"C:\Users\Admin\AppData\Local\Temp\FF8E.tmp"87⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\FFEB.tmp"C:\Users\Admin\AppData\Local\Temp\FFEB.tmp"88⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\3A.tmp"C:\Users\Admin\AppData\Local\Temp\3A.tmp"89⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\97.tmp"C:\Users\Admin\AppData\Local\Temp\97.tmp"90⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\E5.tmp"C:\Users\Admin\AppData\Local\Temp\E5.tmp"91⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\134.tmp"C:\Users\Admin\AppData\Local\Temp\134.tmp"92⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\182.tmp"C:\Users\Admin\AppData\Local\Temp\182.tmp"93⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\1D0.tmp"C:\Users\Admin\AppData\Local\Temp\1D0.tmp"94⤵PID:3348
-
C:\Users\Admin\AppData\Local\Temp\21E.tmp"C:\Users\Admin\AppData\Local\Temp\21E.tmp"95⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\26C.tmp"C:\Users\Admin\AppData\Local\Temp\26C.tmp"96⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\2CA.tmp"C:\Users\Admin\AppData\Local\Temp\2CA.tmp"97⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\318.tmp"C:\Users\Admin\AppData\Local\Temp\318.tmp"98⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\366.tmp"C:\Users\Admin\AppData\Local\Temp\366.tmp"99⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\3B4.tmp"C:\Users\Admin\AppData\Local\Temp\3B4.tmp"100⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\412.tmp"C:\Users\Admin\AppData\Local\Temp\412.tmp"101⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\470.tmp"C:\Users\Admin\AppData\Local\Temp\470.tmp"102⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\4BE.tmp"C:\Users\Admin\AppData\Local\Temp\4BE.tmp"103⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\51C.tmp"C:\Users\Admin\AppData\Local\Temp\51C.tmp"104⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\579.tmp"C:\Users\Admin\AppData\Local\Temp\579.tmp"105⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\5D7.tmp"C:\Users\Admin\AppData\Local\Temp\5D7.tmp"106⤵PID:1660
-
C:\Users\Admin\AppData\Local\Temp\635.tmp"C:\Users\Admin\AppData\Local\Temp\635.tmp"107⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\683.tmp"C:\Users\Admin\AppData\Local\Temp\683.tmp"108⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\6E1.tmp"C:\Users\Admin\AppData\Local\Temp\6E1.tmp"109⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\72F.tmp"C:\Users\Admin\AppData\Local\Temp\72F.tmp"110⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\77D.tmp"C:\Users\Admin\AppData\Local\Temp\77D.tmp"111⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\7CB.tmp"C:\Users\Admin\AppData\Local\Temp\7CB.tmp"112⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\819.tmp"C:\Users\Admin\AppData\Local\Temp\819.tmp"113⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\867.tmp"C:\Users\Admin\AppData\Local\Temp\867.tmp"114⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\8B5.tmp"C:\Users\Admin\AppData\Local\Temp\8B5.tmp"115⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\904.tmp"C:\Users\Admin\AppData\Local\Temp\904.tmp"116⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\952.tmp"C:\Users\Admin\AppData\Local\Temp\952.tmp"117⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\9A0.tmp"C:\Users\Admin\AppData\Local\Temp\9A0.tmp"118⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\9EE.tmp"C:\Users\Admin\AppData\Local\Temp\9EE.tmp"119⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\A3C.tmp"C:\Users\Admin\AppData\Local\Temp\A3C.tmp"120⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\A9A.tmp"C:\Users\Admin\AppData\Local\Temp\A9A.tmp"121⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\AE8.tmp"C:\Users\Admin\AppData\Local\Temp\AE8.tmp"122⤵PID:4360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-