Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/06/2024, 02:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe
Resource
win7-20240220-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe
-
Size
529KB
-
MD5
884e4b5e556cbb71bdfaadf93a4736f4
-
SHA1
fefd5a30c8477dc6ae720f98b6e8a84cf8572d68
-
SHA256
2a6dc1b788d4887d601c55d40594b6d825e6c41dde4f0ce42c6e43d3cd3386bb
-
SHA512
ebdb287e9758aa6bbd68609abbf54b4ebf7e4b8eca866bae6879eb28b29ef6474a156b85b9edcc0df5f5ed25edc2e59ff14a88354089b940608c69e75fbc00fd
-
SSDEEP
12288:NU5rCOTeijAaQjTDZ2sKtcJOgftK8ZCTZwlH4Hp:NUQOJjTQvHKtc8DRTSlH4Hp
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 3140 E157.tmp 3152 E1C5.tmp 748 E251.tmp 2932 E2CE.tmp 2420 E34B.tmp 3240 E3E8.tmp 3700 E455.tmp 3300 E4E2.tmp 228 E55F.tmp 4432 E5BC.tmp 4372 E639.tmp 4920 E687.tmp 2628 E6F5.tmp 4192 E743.tmp 3660 E7C0.tmp 2600 E80E.tmp 4916 E88B.tmp 4592 E8F8.tmp 5092 E956.tmp 4004 E9D3.tmp 4888 EA31.tmp 244 EA9E.tmp 4232 EAFC.tmp 2824 EB79.tmp 3732 EBC7.tmp 1744 EC35.tmp 784 EC92.tmp 2608 ED1F.tmp 4880 ED8C.tmp 4352 EDFA.tmp 3140 EE86.tmp 3172 EED4.tmp 884 EF42.tmp 2580 EFA0.tmp 3724 EFEE.tmp 5040 F04B.tmp 816 F09A.tmp 4688 F0E8.tmp 5052 F136.tmp 1084 F184.tmp 3992 F1D2.tmp 5056 F220.tmp 2356 F27E.tmp 1576 F2CC.tmp 2532 F31A.tmp 2940 F368.tmp 2260 F3B6.tmp 4848 F405.tmp 4380 F453.tmp 4300 F4B0.tmp 3660 F4FF.tmp 4968 F54D.tmp 2072 F59B.tmp 4640 F5E9.tmp 4592 F637.tmp 5092 F685.tmp 216 F6D3.tmp 2652 F721.tmp 1564 F77F.tmp 244 F7DD.tmp 4188 F83B.tmp 4436 F889.tmp 4744 F8E7.tmp 1744 F935.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 692 wrote to memory of 3140 692 2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe 90 PID 692 wrote to memory of 3140 692 2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe 90 PID 692 wrote to memory of 3140 692 2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe 90 PID 3140 wrote to memory of 3152 3140 E157.tmp 91 PID 3140 wrote to memory of 3152 3140 E157.tmp 91 PID 3140 wrote to memory of 3152 3140 E157.tmp 91 PID 3152 wrote to memory of 748 3152 E1C5.tmp 92 PID 3152 wrote to memory of 748 3152 E1C5.tmp 92 PID 3152 wrote to memory of 748 3152 E1C5.tmp 92 PID 748 wrote to memory of 2932 748 E251.tmp 94 PID 748 wrote to memory of 2932 748 E251.tmp 94 PID 748 wrote to memory of 2932 748 E251.tmp 94 PID 2932 wrote to memory of 2420 2932 E2CE.tmp 95 PID 2932 wrote to memory of 2420 2932 E2CE.tmp 95 PID 2932 wrote to memory of 2420 2932 E2CE.tmp 95 PID 2420 wrote to memory of 3240 2420 E34B.tmp 97 PID 2420 wrote to memory of 3240 2420 E34B.tmp 97 PID 2420 wrote to memory of 3240 2420 E34B.tmp 97 PID 3240 wrote to memory of 3700 3240 E3E8.tmp 99 PID 3240 wrote to memory of 3700 3240 E3E8.tmp 99 PID 3240 wrote to memory of 3700 3240 E3E8.tmp 99 PID 3700 wrote to memory of 3300 3700 E455.tmp 100 PID 3700 wrote to memory of 3300 3700 E455.tmp 100 PID 3700 wrote to memory of 3300 3700 E455.tmp 100 PID 3300 wrote to memory of 228 3300 E4E2.tmp 101 PID 3300 wrote to memory of 228 3300 E4E2.tmp 101 PID 3300 wrote to memory of 228 3300 E4E2.tmp 101 PID 228 wrote to memory of 4432 228 E55F.tmp 102 PID 228 wrote to memory of 4432 228 E55F.tmp 102 PID 228 wrote to memory of 4432 228 E55F.tmp 102 PID 4432 wrote to memory of 4372 4432 E5BC.tmp 103 PID 4432 wrote to memory of 4372 4432 E5BC.tmp 103 PID 4432 wrote to memory of 4372 4432 E5BC.tmp 103 PID 4372 wrote to memory of 4920 4372 E639.tmp 104 PID 4372 wrote to memory of 4920 4372 E639.tmp 104 PID 4372 wrote to memory of 4920 4372 E639.tmp 104 PID 4920 wrote to memory of 2628 4920 E687.tmp 105 PID 4920 wrote to memory of 2628 4920 E687.tmp 105 PID 4920 wrote to memory of 2628 4920 E687.tmp 105 PID 2628 wrote to memory of 4192 2628 E6F5.tmp 106 PID 2628 wrote to memory of 4192 2628 E6F5.tmp 106 PID 2628 wrote to memory of 4192 2628 E6F5.tmp 106 PID 4192 wrote to memory of 3660 4192 E743.tmp 107 PID 4192 wrote to memory of 3660 4192 E743.tmp 107 PID 4192 wrote to memory of 3660 4192 E743.tmp 107 PID 3660 wrote to memory of 2600 3660 E7C0.tmp 108 PID 3660 wrote to memory of 2600 3660 E7C0.tmp 108 PID 3660 wrote to memory of 2600 3660 E7C0.tmp 108 PID 2600 wrote to memory of 4916 2600 E80E.tmp 109 PID 2600 wrote to memory of 4916 2600 E80E.tmp 109 PID 2600 wrote to memory of 4916 2600 E80E.tmp 109 PID 4916 wrote to memory of 4592 4916 E88B.tmp 110 PID 4916 wrote to memory of 4592 4916 E88B.tmp 110 PID 4916 wrote to memory of 4592 4916 E88B.tmp 110 PID 4592 wrote to memory of 5092 4592 E8F8.tmp 111 PID 4592 wrote to memory of 5092 4592 E8F8.tmp 111 PID 4592 wrote to memory of 5092 4592 E8F8.tmp 111 PID 5092 wrote to memory of 4004 5092 E956.tmp 112 PID 5092 wrote to memory of 4004 5092 E956.tmp 112 PID 5092 wrote to memory of 4004 5092 E956.tmp 112 PID 4004 wrote to memory of 4888 4004 E9D3.tmp 113 PID 4004 wrote to memory of 4888 4004 E9D3.tmp 113 PID 4004 wrote to memory of 4888 4004 E9D3.tmp 113 PID 4888 wrote to memory of 244 4888 EA31.tmp 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_884e4b5e556cbb71bdfaadf93a4736f4_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Users\Admin\AppData\Local\Temp\E157.tmp"C:\Users\Admin\AppData\Local\Temp\E157.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Users\Admin\AppData\Local\Temp\E1C5.tmp"C:\Users\Admin\AppData\Local\Temp\E1C5.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\E251.tmp"C:\Users\Admin\AppData\Local\Temp\E251.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Users\Admin\AppData\Local\Temp\E2CE.tmp"C:\Users\Admin\AppData\Local\Temp\E2CE.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\E34B.tmp"C:\Users\Admin\AppData\Local\Temp\E34B.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\E3E8.tmp"C:\Users\Admin\AppData\Local\Temp\E3E8.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\E455.tmp"C:\Users\Admin\AppData\Local\Temp\E455.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\E4E2.tmp"C:\Users\Admin\AppData\Local\Temp\E4E2.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\E55F.tmp"C:\Users\Admin\AppData\Local\Temp\E55F.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Users\Admin\AppData\Local\Temp\E5BC.tmp"C:\Users\Admin\AppData\Local\Temp\E5BC.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\E639.tmp"C:\Users\Admin\AppData\Local\Temp\E639.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\E687.tmp"C:\Users\Admin\AppData\Local\Temp\E687.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\E6F5.tmp"C:\Users\Admin\AppData\Local\Temp\E6F5.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\E743.tmp"C:\Users\Admin\AppData\Local\Temp\E743.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\E7C0.tmp"C:\Users\Admin\AppData\Local\Temp\E7C0.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\E80E.tmp"C:\Users\Admin\AppData\Local\Temp\E80E.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\E88B.tmp"C:\Users\Admin\AppData\Local\Temp\E88B.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\E8F8.tmp"C:\Users\Admin\AppData\Local\Temp\E8F8.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\E956.tmp"C:\Users\Admin\AppData\Local\Temp\E956.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\E9D3.tmp"C:\Users\Admin\AppData\Local\Temp\E9D3.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\EA31.tmp"C:\Users\Admin\AppData\Local\Temp\EA31.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\EA9E.tmp"C:\Users\Admin\AppData\Local\Temp\EA9E.tmp"23⤵
- Executes dropped EXE
PID:244 -
C:\Users\Admin\AppData\Local\Temp\EAFC.tmp"C:\Users\Admin\AppData\Local\Temp\EAFC.tmp"24⤵
- Executes dropped EXE
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\EB79.tmp"C:\Users\Admin\AppData\Local\Temp\EB79.tmp"25⤵
- Executes dropped EXE
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\EBC7.tmp"C:\Users\Admin\AppData\Local\Temp\EBC7.tmp"26⤵
- Executes dropped EXE
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\EC35.tmp"C:\Users\Admin\AppData\Local\Temp\EC35.tmp"27⤵
- Executes dropped EXE
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\EC92.tmp"C:\Users\Admin\AppData\Local\Temp\EC92.tmp"28⤵
- Executes dropped EXE
PID:784 -
C:\Users\Admin\AppData\Local\Temp\ED1F.tmp"C:\Users\Admin\AppData\Local\Temp\ED1F.tmp"29⤵
- Executes dropped EXE
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\ED8C.tmp"C:\Users\Admin\AppData\Local\Temp\ED8C.tmp"30⤵
- Executes dropped EXE
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\EDFA.tmp"C:\Users\Admin\AppData\Local\Temp\EDFA.tmp"31⤵
- Executes dropped EXE
PID:4352 -
C:\Users\Admin\AppData\Local\Temp\EE86.tmp"C:\Users\Admin\AppData\Local\Temp\EE86.tmp"32⤵
- Executes dropped EXE
PID:3140 -
C:\Users\Admin\AppData\Local\Temp\EED4.tmp"C:\Users\Admin\AppData\Local\Temp\EED4.tmp"33⤵
- Executes dropped EXE
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\EF42.tmp"C:\Users\Admin\AppData\Local\Temp\EF42.tmp"34⤵
- Executes dropped EXE
PID:884 -
C:\Users\Admin\AppData\Local\Temp\EFA0.tmp"C:\Users\Admin\AppData\Local\Temp\EFA0.tmp"35⤵
- Executes dropped EXE
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\EFEE.tmp"C:\Users\Admin\AppData\Local\Temp\EFEE.tmp"36⤵
- Executes dropped EXE
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\F04B.tmp"C:\Users\Admin\AppData\Local\Temp\F04B.tmp"37⤵
- Executes dropped EXE
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\F09A.tmp"C:\Users\Admin\AppData\Local\Temp\F09A.tmp"38⤵
- Executes dropped EXE
PID:816 -
C:\Users\Admin\AppData\Local\Temp\F0E8.tmp"C:\Users\Admin\AppData\Local\Temp\F0E8.tmp"39⤵
- Executes dropped EXE
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\F136.tmp"C:\Users\Admin\AppData\Local\Temp\F136.tmp"40⤵
- Executes dropped EXE
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\F184.tmp"C:\Users\Admin\AppData\Local\Temp\F184.tmp"41⤵
- Executes dropped EXE
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\F1D2.tmp"C:\Users\Admin\AppData\Local\Temp\F1D2.tmp"42⤵
- Executes dropped EXE
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\F220.tmp"C:\Users\Admin\AppData\Local\Temp\F220.tmp"43⤵
- Executes dropped EXE
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\F27E.tmp"C:\Users\Admin\AppData\Local\Temp\F27E.tmp"44⤵
- Executes dropped EXE
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\F2CC.tmp"C:\Users\Admin\AppData\Local\Temp\F2CC.tmp"45⤵
- Executes dropped EXE
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\F31A.tmp"C:\Users\Admin\AppData\Local\Temp\F31A.tmp"46⤵
- Executes dropped EXE
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\F368.tmp"C:\Users\Admin\AppData\Local\Temp\F368.tmp"47⤵
- Executes dropped EXE
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\F3B6.tmp"C:\Users\Admin\AppData\Local\Temp\F3B6.tmp"48⤵
- Executes dropped EXE
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\F405.tmp"C:\Users\Admin\AppData\Local\Temp\F405.tmp"49⤵
- Executes dropped EXE
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\F453.tmp"C:\Users\Admin\AppData\Local\Temp\F453.tmp"50⤵
- Executes dropped EXE
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\F4B0.tmp"C:\Users\Admin\AppData\Local\Temp\F4B0.tmp"51⤵
- Executes dropped EXE
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\F4FF.tmp"C:\Users\Admin\AppData\Local\Temp\F4FF.tmp"52⤵
- Executes dropped EXE
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\F54D.tmp"C:\Users\Admin\AppData\Local\Temp\F54D.tmp"53⤵
- Executes dropped EXE
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\F59B.tmp"C:\Users\Admin\AppData\Local\Temp\F59B.tmp"54⤵
- Executes dropped EXE
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\F5E9.tmp"C:\Users\Admin\AppData\Local\Temp\F5E9.tmp"55⤵
- Executes dropped EXE
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\F637.tmp"C:\Users\Admin\AppData\Local\Temp\F637.tmp"56⤵
- Executes dropped EXE
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\F685.tmp"C:\Users\Admin\AppData\Local\Temp\F685.tmp"57⤵
- Executes dropped EXE
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\F6D3.tmp"C:\Users\Admin\AppData\Local\Temp\F6D3.tmp"58⤵
- Executes dropped EXE
PID:216 -
C:\Users\Admin\AppData\Local\Temp\F721.tmp"C:\Users\Admin\AppData\Local\Temp\F721.tmp"59⤵
- Executes dropped EXE
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\F77F.tmp"C:\Users\Admin\AppData\Local\Temp\F77F.tmp"60⤵
- Executes dropped EXE
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\F7DD.tmp"C:\Users\Admin\AppData\Local\Temp\F7DD.tmp"61⤵
- Executes dropped EXE
PID:244 -
C:\Users\Admin\AppData\Local\Temp\F83B.tmp"C:\Users\Admin\AppData\Local\Temp\F83B.tmp"62⤵
- Executes dropped EXE
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\F889.tmp"C:\Users\Admin\AppData\Local\Temp\F889.tmp"63⤵
- Executes dropped EXE
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\F8E7.tmp"C:\Users\Admin\AppData\Local\Temp\F8E7.tmp"64⤵
- Executes dropped EXE
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\F935.tmp"C:\Users\Admin\AppData\Local\Temp\F935.tmp"65⤵
- Executes dropped EXE
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\F983.tmp"C:\Users\Admin\AppData\Local\Temp\F983.tmp"66⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\F9E1.tmp"C:\Users\Admin\AppData\Local\Temp\F9E1.tmp"67⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\FA3E.tmp"C:\Users\Admin\AppData\Local\Temp\FA3E.tmp"68⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\FA8C.tmp"C:\Users\Admin\AppData\Local\Temp\FA8C.tmp"69⤵PID:64
-
C:\Users\Admin\AppData\Local\Temp\FADB.tmp"C:\Users\Admin\AppData\Local\Temp\FADB.tmp"70⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\FB29.tmp"C:\Users\Admin\AppData\Local\Temp\FB29.tmp"71⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\FB77.tmp"C:\Users\Admin\AppData\Local\Temp\FB77.tmp"72⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\FBC5.tmp"C:\Users\Admin\AppData\Local\Temp\FBC5.tmp"73⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\FC23.tmp"C:\Users\Admin\AppData\Local\Temp\FC23.tmp"74⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\FC71.tmp"C:\Users\Admin\AppData\Local\Temp\FC71.tmp"75⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\FCBF.tmp"C:\Users\Admin\AppData\Local\Temp\FCBF.tmp"76⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\FD0D.tmp"C:\Users\Admin\AppData\Local\Temp\FD0D.tmp"77⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\FD5B.tmp"C:\Users\Admin\AppData\Local\Temp\FD5B.tmp"78⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\FDA9.tmp"C:\Users\Admin\AppData\Local\Temp\FDA9.tmp"79⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\FDF7.tmp"C:\Users\Admin\AppData\Local\Temp\FDF7.tmp"80⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\FE55.tmp"C:\Users\Admin\AppData\Local\Temp\FE55.tmp"81⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\FEB3.tmp"C:\Users\Admin\AppData\Local\Temp\FEB3.tmp"82⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\FF01.tmp"C:\Users\Admin\AppData\Local\Temp\FF01.tmp"83⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\FF4F.tmp"C:\Users\Admin\AppData\Local\Temp\FF4F.tmp"84⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\FF9D.tmp"C:\Users\Admin\AppData\Local\Temp\FF9D.tmp"85⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\FFEB.tmp"C:\Users\Admin\AppData\Local\Temp\FFEB.tmp"86⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\49.tmp"C:\Users\Admin\AppData\Local\Temp\49.tmp"87⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\97.tmp"C:\Users\Admin\AppData\Local\Temp\97.tmp"88⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\E5.tmp"C:\Users\Admin\AppData\Local\Temp\E5.tmp"89⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\134.tmp"C:\Users\Admin\AppData\Local\Temp\134.tmp"90⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\182.tmp"C:\Users\Admin\AppData\Local\Temp\182.tmp"91⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\1D0.tmp"C:\Users\Admin\AppData\Local\Temp\1D0.tmp"92⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\21E.tmp"C:\Users\Admin\AppData\Local\Temp\21E.tmp"93⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\27C.tmp"C:\Users\Admin\AppData\Local\Temp\27C.tmp"94⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\2D9.tmp"C:\Users\Admin\AppData\Local\Temp\2D9.tmp"95⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\328.tmp"C:\Users\Admin\AppData\Local\Temp\328.tmp"96⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\376.tmp"C:\Users\Admin\AppData\Local\Temp\376.tmp"97⤵PID:1412
-
C:\Users\Admin\AppData\Local\Temp\3C4.tmp"C:\Users\Admin\AppData\Local\Temp\3C4.tmp"98⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\422.tmp"C:\Users\Admin\AppData\Local\Temp\422.tmp"99⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\47F.tmp"C:\Users\Admin\AppData\Local\Temp\47F.tmp"100⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\4DD.tmp"C:\Users\Admin\AppData\Local\Temp\4DD.tmp"101⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\52B.tmp"C:\Users\Admin\AppData\Local\Temp\52B.tmp"102⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\589.tmp"C:\Users\Admin\AppData\Local\Temp\589.tmp"103⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\5E7.tmp"C:\Users\Admin\AppData\Local\Temp\5E7.tmp"104⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\644.tmp"C:\Users\Admin\AppData\Local\Temp\644.tmp"105⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\693.tmp"C:\Users\Admin\AppData\Local\Temp\693.tmp"106⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\6E1.tmp"C:\Users\Admin\AppData\Local\Temp\6E1.tmp"107⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\72F.tmp"C:\Users\Admin\AppData\Local\Temp\72F.tmp"108⤵PID:2228
-
C:\Users\Admin\AppData\Local\Temp\77D.tmp"C:\Users\Admin\AppData\Local\Temp\77D.tmp"109⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\7DB.tmp"C:\Users\Admin\AppData\Local\Temp\7DB.tmp"110⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\829.tmp"C:\Users\Admin\AppData\Local\Temp\829.tmp"111⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\877.tmp"C:\Users\Admin\AppData\Local\Temp\877.tmp"112⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\8C5.tmp"C:\Users\Admin\AppData\Local\Temp\8C5.tmp"113⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\913.tmp"C:\Users\Admin\AppData\Local\Temp\913.tmp"114⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\961.tmp"C:\Users\Admin\AppData\Local\Temp\961.tmp"115⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\9BF.tmp"C:\Users\Admin\AppData\Local\Temp\9BF.tmp"116⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\A1D.tmp"C:\Users\Admin\AppData\Local\Temp\A1D.tmp"117⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\A6B.tmp"C:\Users\Admin\AppData\Local\Temp\A6B.tmp"118⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\AC9.tmp"C:\Users\Admin\AppData\Local\Temp\AC9.tmp"119⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\B17.tmp"C:\Users\Admin\AppData\Local\Temp\B17.tmp"120⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\B65.tmp"C:\Users\Admin\AppData\Local\Temp\B65.tmp"121⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\BC3.tmp"C:\Users\Admin\AppData\Local\Temp\BC3.tmp"122⤵PID:4956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-