Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/06/2024, 02:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe
Resource
win7-20231129-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe
-
Size
486KB
-
MD5
88a23998c416f134a595faa46b7957af
-
SHA1
907186b0af9c3d2bc41d037f5d16369a88eb7e05
-
SHA256
6f58b637e66ef1210e87424ec2dddfd0a6c5cf985bc1b78ccd33939b0150cfc1
-
SHA512
840ae5842b44481b18c9c4f2c6aec8ce0c4d9aa01ef3dcc69714f330790fe33a5ff2bbd52d94332c87c9c0ae31beca55bdccb20a9179596c81b2eca3abdaa31a
-
SSDEEP
6144:Forf3lPvovsgZnqG2C7mOTeiLfD7wongDO/2KcUtqcPtuCXMmNi6GsH3dZ:UU5rCOTeiD9gDO/tBlwCXuMNZ
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1132 6300.tmp 380 639C.tmp 1192 63FA.tmp 3160 6486.tmp 3588 64E4.tmp 2752 6561.tmp 2264 65CE.tmp 3848 663C.tmp 4948 66A9.tmp 4304 6726.tmp 1496 6784.tmp 3504 6801.tmp 2320 684F.tmp 3448 68AD.tmp 4252 692A.tmp 2252 6997.tmp 2324 69E5.tmp 4196 6A33.tmp 3964 6A81.tmp 4528 6AD0.tmp 8 6B3D.tmp 4332 6BAA.tmp 2980 6C27.tmp 1316 6C75.tmp 3724 6CD3.tmp 2108 6D31.tmp 4464 6D7F.tmp 4776 6DCD.tmp 5056 6E3B.tmp 3352 6EA8.tmp 3200 6EF6.tmp 3232 6F63.tmp 4288 6FD1.tmp 3592 701F.tmp 4628 706D.tmp 4508 70BB.tmp 3032 7119.tmp 4244 7177.tmp 2724 71D4.tmp 4604 7232.tmp 2100 7280.tmp 3132 72CE.tmp 3764 731D.tmp 5016 736B.tmp 2828 73C8.tmp 1616 7426.tmp 2592 7474.tmp 1544 74D2.tmp 928 7530.tmp 4812 757E.tmp 3656 75CC.tmp 3196 761A.tmp 4636 7668.tmp 1628 76B6.tmp 1568 7705.tmp 1460 7762.tmp 2460 77C0.tmp 4344 77FF.tmp 776 783D.tmp 240 788B.tmp 936 78D9.tmp 5072 7927.tmp 824 7976.tmp 1208 79C4.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 1132 2468 2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe 81 PID 2468 wrote to memory of 1132 2468 2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe 81 PID 2468 wrote to memory of 1132 2468 2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe 81 PID 1132 wrote to memory of 380 1132 6300.tmp 82 PID 1132 wrote to memory of 380 1132 6300.tmp 82 PID 1132 wrote to memory of 380 1132 6300.tmp 82 PID 380 wrote to memory of 1192 380 639C.tmp 84 PID 380 wrote to memory of 1192 380 639C.tmp 84 PID 380 wrote to memory of 1192 380 639C.tmp 84 PID 1192 wrote to memory of 3160 1192 63FA.tmp 86 PID 1192 wrote to memory of 3160 1192 63FA.tmp 86 PID 1192 wrote to memory of 3160 1192 63FA.tmp 86 PID 3160 wrote to memory of 3588 3160 6486.tmp 88 PID 3160 wrote to memory of 3588 3160 6486.tmp 88 PID 3160 wrote to memory of 3588 3160 6486.tmp 88 PID 3588 wrote to memory of 2752 3588 64E4.tmp 89 PID 3588 wrote to memory of 2752 3588 64E4.tmp 89 PID 3588 wrote to memory of 2752 3588 64E4.tmp 89 PID 2752 wrote to memory of 2264 2752 6561.tmp 90 PID 2752 wrote to memory of 2264 2752 6561.tmp 90 PID 2752 wrote to memory of 2264 2752 6561.tmp 90 PID 2264 wrote to memory of 3848 2264 65CE.tmp 91 PID 2264 wrote to memory of 3848 2264 65CE.tmp 91 PID 2264 wrote to memory of 3848 2264 65CE.tmp 91 PID 3848 wrote to memory of 4948 3848 663C.tmp 92 PID 3848 wrote to memory of 4948 3848 663C.tmp 92 PID 3848 wrote to memory of 4948 3848 663C.tmp 92 PID 4948 wrote to memory of 4304 4948 66A9.tmp 93 PID 4948 wrote to memory of 4304 4948 66A9.tmp 93 PID 4948 wrote to memory of 4304 4948 66A9.tmp 93 PID 4304 wrote to memory of 1496 4304 6726.tmp 94 PID 4304 wrote to memory of 1496 4304 6726.tmp 94 PID 4304 wrote to memory of 1496 4304 6726.tmp 94 PID 1496 wrote to memory of 3504 1496 6784.tmp 95 PID 1496 wrote to memory of 3504 1496 6784.tmp 95 PID 1496 wrote to memory of 3504 1496 6784.tmp 95 PID 3504 wrote to memory of 2320 3504 6801.tmp 96 PID 3504 wrote to memory of 2320 3504 6801.tmp 96 PID 3504 wrote to memory of 2320 3504 6801.tmp 96 PID 2320 wrote to memory of 3448 2320 684F.tmp 97 PID 2320 wrote to memory of 3448 2320 684F.tmp 97 PID 2320 wrote to memory of 3448 2320 684F.tmp 97 PID 3448 wrote to memory of 4252 3448 68AD.tmp 98 PID 3448 wrote to memory of 4252 3448 68AD.tmp 98 PID 3448 wrote to memory of 4252 3448 68AD.tmp 98 PID 4252 wrote to memory of 2252 4252 692A.tmp 99 PID 4252 wrote to memory of 2252 4252 692A.tmp 99 PID 4252 wrote to memory of 2252 4252 692A.tmp 99 PID 2252 wrote to memory of 2324 2252 6997.tmp 100 PID 2252 wrote to memory of 2324 2252 6997.tmp 100 PID 2252 wrote to memory of 2324 2252 6997.tmp 100 PID 2324 wrote to memory of 4196 2324 69E5.tmp 101 PID 2324 wrote to memory of 4196 2324 69E5.tmp 101 PID 2324 wrote to memory of 4196 2324 69E5.tmp 101 PID 4196 wrote to memory of 3964 4196 6A33.tmp 102 PID 4196 wrote to memory of 3964 4196 6A33.tmp 102 PID 4196 wrote to memory of 3964 4196 6A33.tmp 102 PID 3964 wrote to memory of 4528 3964 6A81.tmp 103 PID 3964 wrote to memory of 4528 3964 6A81.tmp 103 PID 3964 wrote to memory of 4528 3964 6A81.tmp 103 PID 4528 wrote to memory of 8 4528 6AD0.tmp 104 PID 4528 wrote to memory of 8 4528 6AD0.tmp 104 PID 4528 wrote to memory of 8 4528 6AD0.tmp 104 PID 8 wrote to memory of 4332 8 6B3D.tmp 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_88a23998c416f134a595faa46b7957af_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\6300.tmp"C:\Users\Admin\AppData\Local\Temp\6300.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\639C.tmp"C:\Users\Admin\AppData\Local\Temp\639C.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Users\Admin\AppData\Local\Temp\63FA.tmp"C:\Users\Admin\AppData\Local\Temp\63FA.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\6486.tmp"C:\Users\Admin\AppData\Local\Temp\6486.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\64E4.tmp"C:\Users\Admin\AppData\Local\Temp\64E4.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Users\Admin\AppData\Local\Temp\6561.tmp"C:\Users\Admin\AppData\Local\Temp\6561.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\65CE.tmp"C:\Users\Admin\AppData\Local\Temp\65CE.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\663C.tmp"C:\Users\Admin\AppData\Local\Temp\663C.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Users\Admin\AppData\Local\Temp\66A9.tmp"C:\Users\Admin\AppData\Local\Temp\66A9.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\6726.tmp"C:\Users\Admin\AppData\Local\Temp\6726.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\6784.tmp"C:\Users\Admin\AppData\Local\Temp\6784.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\6801.tmp"C:\Users\Admin\AppData\Local\Temp\6801.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\684F.tmp"C:\Users\Admin\AppData\Local\Temp\684F.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\68AD.tmp"C:\Users\Admin\AppData\Local\Temp\68AD.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Users\Admin\AppData\Local\Temp\692A.tmp"C:\Users\Admin\AppData\Local\Temp\692A.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\6997.tmp"C:\Users\Admin\AppData\Local\Temp\6997.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\69E5.tmp"C:\Users\Admin\AppData\Local\Temp\69E5.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\6A33.tmp"C:\Users\Admin\AppData\Local\Temp\6A33.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\6A81.tmp"C:\Users\Admin\AppData\Local\Temp\6A81.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\6AD0.tmp"C:\Users\Admin\AppData\Local\Temp\6AD0.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"23⤵
- Executes dropped EXE
PID:4332 -
C:\Users\Admin\AppData\Local\Temp\6C27.tmp"C:\Users\Admin\AppData\Local\Temp\6C27.tmp"24⤵
- Executes dropped EXE
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\6C75.tmp"C:\Users\Admin\AppData\Local\Temp\6C75.tmp"25⤵
- Executes dropped EXE
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"26⤵
- Executes dropped EXE
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\6D31.tmp"C:\Users\Admin\AppData\Local\Temp\6D31.tmp"27⤵
- Executes dropped EXE
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"C:\Users\Admin\AppData\Local\Temp\6D7F.tmp"28⤵
- Executes dropped EXE
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"C:\Users\Admin\AppData\Local\Temp\6DCD.tmp"29⤵
- Executes dropped EXE
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"30⤵
- Executes dropped EXE
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"31⤵
- Executes dropped EXE
PID:3352 -
C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"32⤵
- Executes dropped EXE
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\6F63.tmp"C:\Users\Admin\AppData\Local\Temp\6F63.tmp"33⤵
- Executes dropped EXE
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"34⤵
- Executes dropped EXE
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\701F.tmp"C:\Users\Admin\AppData\Local\Temp\701F.tmp"35⤵
- Executes dropped EXE
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\706D.tmp"C:\Users\Admin\AppData\Local\Temp\706D.tmp"36⤵
- Executes dropped EXE
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\70BB.tmp"C:\Users\Admin\AppData\Local\Temp\70BB.tmp"37⤵
- Executes dropped EXE
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\7119.tmp"C:\Users\Admin\AppData\Local\Temp\7119.tmp"38⤵
- Executes dropped EXE
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\7177.tmp"C:\Users\Admin\AppData\Local\Temp\7177.tmp"39⤵
- Executes dropped EXE
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\71D4.tmp"C:\Users\Admin\AppData\Local\Temp\71D4.tmp"40⤵
- Executes dropped EXE
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\7232.tmp"C:\Users\Admin\AppData\Local\Temp\7232.tmp"41⤵
- Executes dropped EXE
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\7280.tmp"C:\Users\Admin\AppData\Local\Temp\7280.tmp"42⤵
- Executes dropped EXE
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\72CE.tmp"C:\Users\Admin\AppData\Local\Temp\72CE.tmp"43⤵
- Executes dropped EXE
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\731D.tmp"C:\Users\Admin\AppData\Local\Temp\731D.tmp"44⤵
- Executes dropped EXE
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\736B.tmp"C:\Users\Admin\AppData\Local\Temp\736B.tmp"45⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\73C8.tmp"C:\Users\Admin\AppData\Local\Temp\73C8.tmp"46⤵
- Executes dropped EXE
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\7426.tmp"C:\Users\Admin\AppData\Local\Temp\7426.tmp"47⤵
- Executes dropped EXE
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\7474.tmp"C:\Users\Admin\AppData\Local\Temp\7474.tmp"48⤵
- Executes dropped EXE
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\74D2.tmp"C:\Users\Admin\AppData\Local\Temp\74D2.tmp"49⤵
- Executes dropped EXE
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\7530.tmp"C:\Users\Admin\AppData\Local\Temp\7530.tmp"50⤵
- Executes dropped EXE
PID:928 -
C:\Users\Admin\AppData\Local\Temp\757E.tmp"C:\Users\Admin\AppData\Local\Temp\757E.tmp"51⤵
- Executes dropped EXE
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\75CC.tmp"C:\Users\Admin\AppData\Local\Temp\75CC.tmp"52⤵
- Executes dropped EXE
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\761A.tmp"C:\Users\Admin\AppData\Local\Temp\761A.tmp"53⤵
- Executes dropped EXE
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\7668.tmp"C:\Users\Admin\AppData\Local\Temp\7668.tmp"54⤵
- Executes dropped EXE
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\76B6.tmp"C:\Users\Admin\AppData\Local\Temp\76B6.tmp"55⤵
- Executes dropped EXE
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\7705.tmp"C:\Users\Admin\AppData\Local\Temp\7705.tmp"56⤵
- Executes dropped EXE
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\7762.tmp"C:\Users\Admin\AppData\Local\Temp\7762.tmp"57⤵
- Executes dropped EXE
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\77C0.tmp"C:\Users\Admin\AppData\Local\Temp\77C0.tmp"58⤵
- Executes dropped EXE
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\77FF.tmp"C:\Users\Admin\AppData\Local\Temp\77FF.tmp"59⤵
- Executes dropped EXE
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\783D.tmp"C:\Users\Admin\AppData\Local\Temp\783D.tmp"60⤵
- Executes dropped EXE
PID:776 -
C:\Users\Admin\AppData\Local\Temp\788B.tmp"C:\Users\Admin\AppData\Local\Temp\788B.tmp"61⤵
- Executes dropped EXE
PID:240 -
C:\Users\Admin\AppData\Local\Temp\78D9.tmp"C:\Users\Admin\AppData\Local\Temp\78D9.tmp"62⤵
- Executes dropped EXE
PID:936 -
C:\Users\Admin\AppData\Local\Temp\7927.tmp"C:\Users\Admin\AppData\Local\Temp\7927.tmp"63⤵
- Executes dropped EXE
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\7976.tmp"C:\Users\Admin\AppData\Local\Temp\7976.tmp"64⤵
- Executes dropped EXE
PID:824 -
C:\Users\Admin\AppData\Local\Temp\79C4.tmp"C:\Users\Admin\AppData\Local\Temp\79C4.tmp"65⤵
- Executes dropped EXE
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\7A12.tmp"C:\Users\Admin\AppData\Local\Temp\7A12.tmp"66⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\7A70.tmp"C:\Users\Admin\AppData\Local\Temp\7A70.tmp"67⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"C:\Users\Admin\AppData\Local\Temp\7ABE.tmp"68⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\7B0C.tmp"C:\Users\Admin\AppData\Local\Temp\7B0C.tmp"69⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"C:\Users\Admin\AppData\Local\Temp\7B5A.tmp"70⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\7BA8.tmp"C:\Users\Admin\AppData\Local\Temp\7BA8.tmp"71⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\7BF6.tmp"C:\Users\Admin\AppData\Local\Temp\7BF6.tmp"72⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\7C44.tmp"C:\Users\Admin\AppData\Local\Temp\7C44.tmp"73⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\7C92.tmp"C:\Users\Admin\AppData\Local\Temp\7C92.tmp"74⤵PID:1292
-
C:\Users\Admin\AppData\Local\Temp\7CE1.tmp"C:\Users\Admin\AppData\Local\Temp\7CE1.tmp"75⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\7D2F.tmp"C:\Users\Admin\AppData\Local\Temp\7D2F.tmp"76⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"77⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"78⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\7E09.tmp"C:\Users\Admin\AppData\Local\Temp\7E09.tmp"79⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\7E67.tmp"C:\Users\Admin\AppData\Local\Temp\7E67.tmp"80⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\7EB5.tmp"C:\Users\Admin\AppData\Local\Temp\7EB5.tmp"81⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\7F03.tmp"C:\Users\Admin\AppData\Local\Temp\7F03.tmp"82⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\7F61.tmp"C:\Users\Admin\AppData\Local\Temp\7F61.tmp"83⤵PID:520
-
C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"C:\Users\Admin\AppData\Local\Temp\7FAF.tmp"84⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"C:\Users\Admin\AppData\Local\Temp\7FFD.tmp"85⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\804C.tmp"C:\Users\Admin\AppData\Local\Temp\804C.tmp"86⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\80A9.tmp"C:\Users\Admin\AppData\Local\Temp\80A9.tmp"87⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\80F7.tmp"C:\Users\Admin\AppData\Local\Temp\80F7.tmp"88⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\8146.tmp"C:\Users\Admin\AppData\Local\Temp\8146.tmp"89⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\8194.tmp"C:\Users\Admin\AppData\Local\Temp\8194.tmp"90⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\81E2.tmp"C:\Users\Admin\AppData\Local\Temp\81E2.tmp"91⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\8230.tmp"C:\Users\Admin\AppData\Local\Temp\8230.tmp"92⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\827E.tmp"C:\Users\Admin\AppData\Local\Temp\827E.tmp"93⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\82CC.tmp"C:\Users\Admin\AppData\Local\Temp\82CC.tmp"94⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\831A.tmp"C:\Users\Admin\AppData\Local\Temp\831A.tmp"95⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\8368.tmp"C:\Users\Admin\AppData\Local\Temp\8368.tmp"96⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\83B7.tmp"C:\Users\Admin\AppData\Local\Temp\83B7.tmp"97⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\8405.tmp"C:\Users\Admin\AppData\Local\Temp\8405.tmp"98⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp"C:\Users\Admin\AppData\Local\Temp\8453.tmp"99⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\84A1.tmp"C:\Users\Admin\AppData\Local\Temp\84A1.tmp"100⤵PID:856
-
C:\Users\Admin\AppData\Local\Temp\84EF.tmp"C:\Users\Admin\AppData\Local\Temp\84EF.tmp"101⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\853D.tmp"C:\Users\Admin\AppData\Local\Temp\853D.tmp"102⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\858B.tmp"C:\Users\Admin\AppData\Local\Temp\858B.tmp"103⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\85D9.tmp"C:\Users\Admin\AppData\Local\Temp\85D9.tmp"104⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\8628.tmp"C:\Users\Admin\AppData\Local\Temp\8628.tmp"105⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\8685.tmp"C:\Users\Admin\AppData\Local\Temp\8685.tmp"106⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\86D3.tmp"C:\Users\Admin\AppData\Local\Temp\86D3.tmp"107⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\8722.tmp"C:\Users\Admin\AppData\Local\Temp\8722.tmp"108⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\8760.tmp"C:\Users\Admin\AppData\Local\Temp\8760.tmp"109⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\87AE.tmp"C:\Users\Admin\AppData\Local\Temp\87AE.tmp"110⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\87FC.tmp"C:\Users\Admin\AppData\Local\Temp\87FC.tmp"111⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\884A.tmp"C:\Users\Admin\AppData\Local\Temp\884A.tmp"112⤵PID:4244
-
C:\Users\Admin\AppData\Local\Temp\8899.tmp"C:\Users\Admin\AppData\Local\Temp\8899.tmp"113⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\88D7.tmp"C:\Users\Admin\AppData\Local\Temp\88D7.tmp"114⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\8916.tmp"C:\Users\Admin\AppData\Local\Temp\8916.tmp"115⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\8964.tmp"C:\Users\Admin\AppData\Local\Temp\8964.tmp"116⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\89B2.tmp"C:\Users\Admin\AppData\Local\Temp\89B2.tmp"117⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\8A1F.tmp"C:\Users\Admin\AppData\Local\Temp\8A1F.tmp"118⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\8A6D.tmp"C:\Users\Admin\AppData\Local\Temp\8A6D.tmp"119⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"120⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"121⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\8B58.tmp"C:\Users\Admin\AppData\Local\Temp\8B58.tmp"122⤵PID:1740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-