Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
06-06-2024 15:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe
Resource
win7-20240221-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe
-
Size
765KB
-
MD5
178b3fd402e777254a6de493e39caaf9
-
SHA1
7744484854d276613424d0ac384d5dc905c499f2
-
SHA256
b9e51f0a7718e85031840e9d7c1c1c930524d20a5329a74adf112f19e77b70ef
-
SHA512
94a0456b9e8867aad927c164df1a19db05de2d4fd937a14cb546648f9b0815bea9e57aa45205f44abe889a6b82afa098b45028d7c74ff29fcb638ef01f0bdbe7
-
SSDEEP
12288:ZU5rCOTeiD8/qtcVPaY7BqI5o4I6Zb6h3ZF5rn5rLOa54U5w5A:ZUQOJDSqOPaYIco43Z63vh5Oa+UOS
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 3916 5890.tmp 4576 592C.tmp 3848 597A.tmp 228 5A36.tmp 4872 5AA3.tmp 1880 5B01.tmp 3740 5B5E.tmp 2452 5BFB.tmp 4552 5C49.tmp 2456 5D14.tmp 3240 5D62.tmp 3720 5DEF.tmp 3188 5E6C.tmp 4540 5EC9.tmp 740 5F18.tmp 656 5FA4.tmp 452 6031.tmp 4752 60AE.tmp 4896 610C.tmp 1844 61D7.tmp 4780 6234.tmp 2640 62A2.tmp 2392 62F0.tmp 1356 634E.tmp 3752 6448.tmp 2964 64A5.tmp 2420 6522.tmp 4292 6580.tmp 3628 65CE.tmp 1496 66A9.tmp 3764 6726.tmp 1896 6784.tmp 4300 67E2.tmp 464 685F.tmp 3284 68AD.tmp 3432 68FB.tmp 3944 6949.tmp 216 69A7.tmp 4620 69F5.tmp 4852 6A43.tmp 1624 6A91.tmp 2976 6ADF.tmp 3332 6B2D.tmp 4404 6B7B.tmp 4736 6BCA.tmp 824 6C18.tmp 116 6C66.tmp 1076 6CB4.tmp 1920 6D02.tmp 4696 6D60.tmp 3748 6DAE.tmp 3644 6DFC.tmp 212 6E4A.tmp 3824 6E98.tmp 2480 6EE6.tmp 1512 6F44.tmp 1388 6FA2.tmp 2628 700F.tmp 640 706D.tmp 2452 70EA.tmp 2384 7177.tmp 4492 734B.tmp 3856 7417.tmp 1792 74A3.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4772 wrote to memory of 3916 4772 2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe 84 PID 4772 wrote to memory of 3916 4772 2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe 84 PID 4772 wrote to memory of 3916 4772 2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe 84 PID 3916 wrote to memory of 4576 3916 5890.tmp 85 PID 3916 wrote to memory of 4576 3916 5890.tmp 85 PID 3916 wrote to memory of 4576 3916 5890.tmp 85 PID 4576 wrote to memory of 3848 4576 592C.tmp 87 PID 4576 wrote to memory of 3848 4576 592C.tmp 87 PID 4576 wrote to memory of 3848 4576 592C.tmp 87 PID 3848 wrote to memory of 228 3848 597A.tmp 89 PID 3848 wrote to memory of 228 3848 597A.tmp 89 PID 3848 wrote to memory of 228 3848 597A.tmp 89 PID 228 wrote to memory of 4872 228 5A36.tmp 91 PID 228 wrote to memory of 4872 228 5A36.tmp 91 PID 228 wrote to memory of 4872 228 5A36.tmp 91 PID 4872 wrote to memory of 1880 4872 5AA3.tmp 92 PID 4872 wrote to memory of 1880 4872 5AA3.tmp 92 PID 4872 wrote to memory of 1880 4872 5AA3.tmp 92 PID 1880 wrote to memory of 3740 1880 5B01.tmp 93 PID 1880 wrote to memory of 3740 1880 5B01.tmp 93 PID 1880 wrote to memory of 3740 1880 5B01.tmp 93 PID 3740 wrote to memory of 2452 3740 5B5E.tmp 94 PID 3740 wrote to memory of 2452 3740 5B5E.tmp 94 PID 3740 wrote to memory of 2452 3740 5B5E.tmp 94 PID 2452 wrote to memory of 4552 2452 5BFB.tmp 95 PID 2452 wrote to memory of 4552 2452 5BFB.tmp 95 PID 2452 wrote to memory of 4552 2452 5BFB.tmp 95 PID 4552 wrote to memory of 2456 4552 5C49.tmp 96 PID 4552 wrote to memory of 2456 4552 5C49.tmp 96 PID 4552 wrote to memory of 2456 4552 5C49.tmp 96 PID 2456 wrote to memory of 3240 2456 5D14.tmp 97 PID 2456 wrote to memory of 3240 2456 5D14.tmp 97 PID 2456 wrote to memory of 3240 2456 5D14.tmp 97 PID 3240 wrote to memory of 3720 3240 5D62.tmp 98 PID 3240 wrote to memory of 3720 3240 5D62.tmp 98 PID 3240 wrote to memory of 3720 3240 5D62.tmp 98 PID 3720 wrote to memory of 3188 3720 5DEF.tmp 99 PID 3720 wrote to memory of 3188 3720 5DEF.tmp 99 PID 3720 wrote to memory of 3188 3720 5DEF.tmp 99 PID 3188 wrote to memory of 4540 3188 5E6C.tmp 100 PID 3188 wrote to memory of 4540 3188 5E6C.tmp 100 PID 3188 wrote to memory of 4540 3188 5E6C.tmp 100 PID 4540 wrote to memory of 740 4540 5EC9.tmp 101 PID 4540 wrote to memory of 740 4540 5EC9.tmp 101 PID 4540 wrote to memory of 740 4540 5EC9.tmp 101 PID 740 wrote to memory of 656 740 5F18.tmp 102 PID 740 wrote to memory of 656 740 5F18.tmp 102 PID 740 wrote to memory of 656 740 5F18.tmp 102 PID 656 wrote to memory of 452 656 5FA4.tmp 103 PID 656 wrote to memory of 452 656 5FA4.tmp 103 PID 656 wrote to memory of 452 656 5FA4.tmp 103 PID 452 wrote to memory of 4752 452 6031.tmp 104 PID 452 wrote to memory of 4752 452 6031.tmp 104 PID 452 wrote to memory of 4752 452 6031.tmp 104 PID 4752 wrote to memory of 4896 4752 60AE.tmp 105 PID 4752 wrote to memory of 4896 4752 60AE.tmp 105 PID 4752 wrote to memory of 4896 4752 60AE.tmp 105 PID 4896 wrote to memory of 1844 4896 610C.tmp 106 PID 4896 wrote to memory of 1844 4896 610C.tmp 106 PID 4896 wrote to memory of 1844 4896 610C.tmp 106 PID 1844 wrote to memory of 4780 1844 61D7.tmp 107 PID 1844 wrote to memory of 4780 1844 61D7.tmp 107 PID 1844 wrote to memory of 4780 1844 61D7.tmp 107 PID 4780 wrote to memory of 2640 4780 6234.tmp 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-06_178b3fd402e777254a6de493e39caaf9_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\5890.tmp"C:\Users\Admin\AppData\Local\Temp\5890.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\592C.tmp"C:\Users\Admin\AppData\Local\Temp\592C.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\597A.tmp"C:\Users\Admin\AppData\Local\Temp\597A.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Users\Admin\AppData\Local\Temp\5A36.tmp"C:\Users\Admin\AppData\Local\Temp\5A36.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Users\Admin\AppData\Local\Temp\5AA3.tmp"C:\Users\Admin\AppData\Local\Temp\5AA3.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\5B01.tmp"C:\Users\Admin\AppData\Local\Temp\5B01.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\5B5E.tmp"C:\Users\Admin\AppData\Local\Temp\5B5E.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\5BFB.tmp"C:\Users\Admin\AppData\Local\Temp\5BFB.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\5C49.tmp"C:\Users\Admin\AppData\Local\Temp\5C49.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\5D14.tmp"C:\Users\Admin\AppData\Local\Temp\5D14.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\5D62.tmp"C:\Users\Admin\AppData\Local\Temp\5D62.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\5E6C.tmp"C:\Users\Admin\AppData\Local\Temp\5E6C.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\5EC9.tmp"C:\Users\Admin\AppData\Local\Temp\5EC9.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\5F18.tmp"C:\Users\Admin\AppData\Local\Temp\5F18.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"C:\Users\Admin\AppData\Local\Temp\5FA4.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Users\Admin\AppData\Local\Temp\6031.tmp"C:\Users\Admin\AppData\Local\Temp\6031.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Users\Admin\AppData\Local\Temp\60AE.tmp"C:\Users\Admin\AppData\Local\Temp\60AE.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\610C.tmp"C:\Users\Admin\AppData\Local\Temp\610C.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\61D7.tmp"C:\Users\Admin\AppData\Local\Temp\61D7.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\6234.tmp"C:\Users\Admin\AppData\Local\Temp\6234.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\62A2.tmp"C:\Users\Admin\AppData\Local\Temp\62A2.tmp"23⤵
- Executes dropped EXE
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\62F0.tmp"C:\Users\Admin\AppData\Local\Temp\62F0.tmp"24⤵
- Executes dropped EXE
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\634E.tmp"C:\Users\Admin\AppData\Local\Temp\634E.tmp"25⤵
- Executes dropped EXE
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\6448.tmp"C:\Users\Admin\AppData\Local\Temp\6448.tmp"26⤵
- Executes dropped EXE
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\64A5.tmp"C:\Users\Admin\AppData\Local\Temp\64A5.tmp"27⤵
- Executes dropped EXE
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\6522.tmp"C:\Users\Admin\AppData\Local\Temp\6522.tmp"28⤵
- Executes dropped EXE
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\6580.tmp"C:\Users\Admin\AppData\Local\Temp\6580.tmp"29⤵
- Executes dropped EXE
PID:4292 -
C:\Users\Admin\AppData\Local\Temp\65CE.tmp"C:\Users\Admin\AppData\Local\Temp\65CE.tmp"30⤵
- Executes dropped EXE
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\66A9.tmp"C:\Users\Admin\AppData\Local\Temp\66A9.tmp"31⤵
- Executes dropped EXE
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\6726.tmp"C:\Users\Admin\AppData\Local\Temp\6726.tmp"32⤵
- Executes dropped EXE
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\6784.tmp"C:\Users\Admin\AppData\Local\Temp\6784.tmp"33⤵
- Executes dropped EXE
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\67E2.tmp"C:\Users\Admin\AppData\Local\Temp\67E2.tmp"34⤵
- Executes dropped EXE
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\685F.tmp"C:\Users\Admin\AppData\Local\Temp\685F.tmp"35⤵
- Executes dropped EXE
PID:464 -
C:\Users\Admin\AppData\Local\Temp\68AD.tmp"C:\Users\Admin\AppData\Local\Temp\68AD.tmp"36⤵
- Executes dropped EXE
PID:3284 -
C:\Users\Admin\AppData\Local\Temp\68FB.tmp"C:\Users\Admin\AppData\Local\Temp\68FB.tmp"37⤵
- Executes dropped EXE
PID:3432 -
C:\Users\Admin\AppData\Local\Temp\6949.tmp"C:\Users\Admin\AppData\Local\Temp\6949.tmp"38⤵
- Executes dropped EXE
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\69A7.tmp"C:\Users\Admin\AppData\Local\Temp\69A7.tmp"39⤵
- Executes dropped EXE
PID:216 -
C:\Users\Admin\AppData\Local\Temp\69F5.tmp"C:\Users\Admin\AppData\Local\Temp\69F5.tmp"40⤵
- Executes dropped EXE
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\6A43.tmp"C:\Users\Admin\AppData\Local\Temp\6A43.tmp"41⤵
- Executes dropped EXE
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\6A91.tmp"C:\Users\Admin\AppData\Local\Temp\6A91.tmp"42⤵
- Executes dropped EXE
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"43⤵
- Executes dropped EXE
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"44⤵
- Executes dropped EXE
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\6B7B.tmp"C:\Users\Admin\AppData\Local\Temp\6B7B.tmp"45⤵
- Executes dropped EXE
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\6BCA.tmp"C:\Users\Admin\AppData\Local\Temp\6BCA.tmp"46⤵
- Executes dropped EXE
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\6C18.tmp"C:\Users\Admin\AppData\Local\Temp\6C18.tmp"47⤵
- Executes dropped EXE
PID:824 -
C:\Users\Admin\AppData\Local\Temp\6C66.tmp"C:\Users\Admin\AppData\Local\Temp\6C66.tmp"48⤵
- Executes dropped EXE
PID:116 -
C:\Users\Admin\AppData\Local\Temp\6CB4.tmp"C:\Users\Admin\AppData\Local\Temp\6CB4.tmp"49⤵
- Executes dropped EXE
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\6D02.tmp"C:\Users\Admin\AppData\Local\Temp\6D02.tmp"50⤵
- Executes dropped EXE
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\6D60.tmp"C:\Users\Admin\AppData\Local\Temp\6D60.tmp"51⤵
- Executes dropped EXE
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\6DAE.tmp"C:\Users\Admin\AppData\Local\Temp\6DAE.tmp"52⤵
- Executes dropped EXE
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\6DFC.tmp"C:\Users\Admin\AppData\Local\Temp\6DFC.tmp"53⤵
- Executes dropped EXE
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"54⤵
- Executes dropped EXE
PID:212 -
C:\Users\Admin\AppData\Local\Temp\6E98.tmp"C:\Users\Admin\AppData\Local\Temp\6E98.tmp"55⤵
- Executes dropped EXE
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\6EE6.tmp"C:\Users\Admin\AppData\Local\Temp\6EE6.tmp"56⤵
- Executes dropped EXE
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\6F44.tmp"C:\Users\Admin\AppData\Local\Temp\6F44.tmp"57⤵
- Executes dropped EXE
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"58⤵
- Executes dropped EXE
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\700F.tmp"C:\Users\Admin\AppData\Local\Temp\700F.tmp"59⤵
- Executes dropped EXE
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\706D.tmp"C:\Users\Admin\AppData\Local\Temp\706D.tmp"60⤵
- Executes dropped EXE
PID:640 -
C:\Users\Admin\AppData\Local\Temp\70EA.tmp"C:\Users\Admin\AppData\Local\Temp\70EA.tmp"61⤵
- Executes dropped EXE
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\7177.tmp"C:\Users\Admin\AppData\Local\Temp\7177.tmp"62⤵
- Executes dropped EXE
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\734B.tmp"C:\Users\Admin\AppData\Local\Temp\734B.tmp"63⤵
- Executes dropped EXE
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\7417.tmp"C:\Users\Admin\AppData\Local\Temp\7417.tmp"64⤵
- Executes dropped EXE
PID:3856 -
C:\Users\Admin\AppData\Local\Temp\74A3.tmp"C:\Users\Admin\AppData\Local\Temp\74A3.tmp"65⤵
- Executes dropped EXE
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\7501.tmp"C:\Users\Admin\AppData\Local\Temp\7501.tmp"66⤵PID:3620
-
C:\Users\Admin\AppData\Local\Temp\75FB.tmp"C:\Users\Admin\AppData\Local\Temp\75FB.tmp"67⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\76E5.tmp"C:\Users\Admin\AppData\Local\Temp\76E5.tmp"68⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\77DF.tmp"C:\Users\Admin\AppData\Local\Temp\77DF.tmp"69⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\786C.tmp"C:\Users\Admin\AppData\Local\Temp\786C.tmp"70⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\7908.tmp"C:\Users\Admin\AppData\Local\Temp\7908.tmp"71⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\7976.tmp"C:\Users\Admin\AppData\Local\Temp\7976.tmp"72⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\79E3.tmp"C:\Users\Admin\AppData\Local\Temp\79E3.tmp"73⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\7A50.tmp"C:\Users\Admin\AppData\Local\Temp\7A50.tmp"74⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"75⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"76⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\7B79.tmp"C:\Users\Admin\AppData\Local\Temp\7B79.tmp"77⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\7BE7.tmp"C:\Users\Admin\AppData\Local\Temp\7BE7.tmp"78⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\7C54.tmp"C:\Users\Admin\AppData\Local\Temp\7C54.tmp"79⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"C:\Users\Admin\AppData\Local\Temp\7CC1.tmp"80⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"81⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\7D8C.tmp"C:\Users\Admin\AppData\Local\Temp\7D8C.tmp"82⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp"C:\Users\Admin\AppData\Local\Temp\7DFA.tmp"83⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\7E58.tmp"C:\Users\Admin\AppData\Local\Temp\7E58.tmp"84⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\7EC5.tmp"C:\Users\Admin\AppData\Local\Temp\7EC5.tmp"85⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\7F23.tmp"C:\Users\Admin\AppData\Local\Temp\7F23.tmp"86⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\7F80.tmp"C:\Users\Admin\AppData\Local\Temp\7F80.tmp"87⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\7FCF.tmp"C:\Users\Admin\AppData\Local\Temp\7FCF.tmp"88⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\802C.tmp"C:\Users\Admin\AppData\Local\Temp\802C.tmp"89⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\807A.tmp"C:\Users\Admin\AppData\Local\Temp\807A.tmp"90⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\80C9.tmp"C:\Users\Admin\AppData\Local\Temp\80C9.tmp"91⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\8117.tmp"C:\Users\Admin\AppData\Local\Temp\8117.tmp"92⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\8165.tmp"C:\Users\Admin\AppData\Local\Temp\8165.tmp"93⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\81B3.tmp"C:\Users\Admin\AppData\Local\Temp\81B3.tmp"94⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\8201.tmp"C:\Users\Admin\AppData\Local\Temp\8201.tmp"95⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\824F.tmp"C:\Users\Admin\AppData\Local\Temp\824F.tmp"96⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\82AD.tmp"C:\Users\Admin\AppData\Local\Temp\82AD.tmp"97⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\831A.tmp"C:\Users\Admin\AppData\Local\Temp\831A.tmp"98⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\8378.tmp"C:\Users\Admin\AppData\Local\Temp\8378.tmp"99⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\83E5.tmp"C:\Users\Admin\AppData\Local\Temp\83E5.tmp"100⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\8434.tmp"C:\Users\Admin\AppData\Local\Temp\8434.tmp"101⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\8482.tmp"C:\Users\Admin\AppData\Local\Temp\8482.tmp"102⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\84D0.tmp"C:\Users\Admin\AppData\Local\Temp\84D0.tmp"103⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\851E.tmp"C:\Users\Admin\AppData\Local\Temp\851E.tmp"104⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\857C.tmp"C:\Users\Admin\AppData\Local\Temp\857C.tmp"105⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\85D9.tmp"C:\Users\Admin\AppData\Local\Temp\85D9.tmp"106⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\8637.tmp"C:\Users\Admin\AppData\Local\Temp\8637.tmp"107⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\86A5.tmp"C:\Users\Admin\AppData\Local\Temp\86A5.tmp"108⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\86F3.tmp"C:\Users\Admin\AppData\Local\Temp\86F3.tmp"109⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\8750.tmp"C:\Users\Admin\AppData\Local\Temp\8750.tmp"110⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\87AE.tmp"C:\Users\Admin\AppData\Local\Temp\87AE.tmp"111⤵PID:3824
-
C:\Users\Admin\AppData\Local\Temp\87FC.tmp"C:\Users\Admin\AppData\Local\Temp\87FC.tmp"112⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\885A.tmp"C:\Users\Admin\AppData\Local\Temp\885A.tmp"113⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\88B8.tmp"C:\Users\Admin\AppData\Local\Temp\88B8.tmp"114⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\8906.tmp"C:\Users\Admin\AppData\Local\Temp\8906.tmp"115⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\8954.tmp"C:\Users\Admin\AppData\Local\Temp\8954.tmp"116⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\89A2.tmp"C:\Users\Admin\AppData\Local\Temp\89A2.tmp"117⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\8A00.tmp"C:\Users\Admin\AppData\Local\Temp\8A00.tmp"118⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"119⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"120⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"121⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\8B67.tmp"C:\Users\Admin\AppData\Local\Temp\8B67.tmp"122⤵PID:3036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-