Analysis
max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
01/06/2024, 20:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-01_780528ff12d1ac0270b5a389fdf2222d_mafia.exe
Resource
win7-20240508-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-01_780528ff12d1ac0270b5a389fdf2222d_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-01_780528ff12d1ac0270b5a389fdf2222d_mafia.exe
-
Size
530KB
-
MD5
780528ff12d1ac0270b5a389fdf2222d
-
SHA1
2f1d733ae7786fd665896d511d51da4f0afff5ff
-
SHA256
a048ef8e08b809c116ea4f786fd59b08589b8a99f9f675a078cbb8c1c1b343ae
-
SHA512
cb038c568fdcefa59348699fbab00c9e815614c70f88fe6cd92dc9a4ff63e5f4db07d793e7ee08f5a51df62d2c010efe7a95f32269e00a24d64e0a97d2c07105
-
SSDEEP
12288:AU5rCOTeiooPQco56wIx93qEyr8NZulFVg0M1:AUQOJooP43IzqtgNclFV/M1
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes