Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 06:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe
Resource
win7-20240508-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe
-
Size
487KB
-
MD5
2b2e253bcd5e9335719d1324b157cece
-
SHA1
c560dc2c57d2131f4077be3a16650c21935e8db5
-
SHA256
a23b6c07d9535f89e4e380c0079a7f8decbd4eb31149b2cfe11ac5378d6ec215
-
SHA512
f4b777dad3bea799b69cd71cd5a9a25f3b27361b60891abf5ab017272a842dce574b0c06efe24b46ca2530a8772072d464b9ebc81b7fa8a7eb02010f7e46bdf3
-
SSDEEP
12288:HU5rCOTeiJDO/xefpzAlYlI9wLbLWOuNZ:HUQOJJDO/xezAS0wLfMN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1488 4D16.tmp 4056 4D84.tmp 3012 4DE1.tmp 2876 4E7E.tmp 1664 4EDB.tmp 736 4F58.tmp 3844 4FB6.tmp 64 5014.tmp 1516 5081.tmp 4232 510E.tmp 1408 516C.tmp 4436 51E9.tmp 2780 5246.tmp 1052 52A4.tmp 4408 5302.tmp 1124 5360.tmp 1728 53AE.tmp 1940 540B.tmp 2396 5479.tmp 1640 54E6.tmp 4008 5563.tmp 4184 55E0.tmp 384 565D.tmp 4996 56DA.tmp 1692 5776.tmp 3632 57E4.tmp 1948 5861.tmp 4856 58CE.tmp 3652 592C.tmp 3076 5999.tmp 4276 5A07.tmp 4684 5A64.tmp 4648 5AE1.tmp 1500 5B3F.tmp 2924 5B9D.tmp 4616 5BEB.tmp 3012 5C39.tmp 1988 5C87.tmp 1096 5CD5.tmp 3844 5D33.tmp 1984 5D91.tmp 3320 5DEF.tmp 3992 5E3D.tmp 4568 5E8B.tmp 4688 5EE9.tmp 2780 5F37.tmp 2316 5F85.tmp 1192 5FD3.tmp 1016 6021.tmp 2516 606F.tmp 4008 60BD.tmp 2736 610C.tmp 3896 6179.tmp 384 61D7.tmp 3884 6225.tmp 4588 6273.tmp 632 62C1.tmp 1332 630F.tmp 2000 635D.tmp 4460 63AB.tmp 3772 6409.tmp 5116 6467.tmp 2656 64B5.tmp 4224 6503.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3928 wrote to memory of 1488 3928 2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe 85 PID 3928 wrote to memory of 1488 3928 2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe 85 PID 3928 wrote to memory of 1488 3928 2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe 85 PID 1488 wrote to memory of 4056 1488 4D16.tmp 86 PID 1488 wrote to memory of 4056 1488 4D16.tmp 86 PID 1488 wrote to memory of 4056 1488 4D16.tmp 86 PID 4056 wrote to memory of 3012 4056 4D84.tmp 87 PID 4056 wrote to memory of 3012 4056 4D84.tmp 87 PID 4056 wrote to memory of 3012 4056 4D84.tmp 87 PID 3012 wrote to memory of 2876 3012 4DE1.tmp 88 PID 3012 wrote to memory of 2876 3012 4DE1.tmp 88 PID 3012 wrote to memory of 2876 3012 4DE1.tmp 88 PID 2876 wrote to memory of 1664 2876 4E7E.tmp 89 PID 2876 wrote to memory of 1664 2876 4E7E.tmp 89 PID 2876 wrote to memory of 1664 2876 4E7E.tmp 89 PID 1664 wrote to memory of 736 1664 4EDB.tmp 90 PID 1664 wrote to memory of 736 1664 4EDB.tmp 90 PID 1664 wrote to memory of 736 1664 4EDB.tmp 90 PID 736 wrote to memory of 3844 736 4F58.tmp 92 PID 736 wrote to memory of 3844 736 4F58.tmp 92 PID 736 wrote to memory of 3844 736 4F58.tmp 92 PID 3844 wrote to memory of 64 3844 4FB6.tmp 93 PID 3844 wrote to memory of 64 3844 4FB6.tmp 93 PID 3844 wrote to memory of 64 3844 4FB6.tmp 93 PID 64 wrote to memory of 1516 64 5014.tmp 95 PID 64 wrote to memory of 1516 64 5014.tmp 95 PID 64 wrote to memory of 1516 64 5014.tmp 95 PID 1516 wrote to memory of 4232 1516 5081.tmp 97 PID 1516 wrote to memory of 4232 1516 5081.tmp 97 PID 1516 wrote to memory of 4232 1516 5081.tmp 97 PID 4232 wrote to memory of 1408 4232 510E.tmp 98 PID 4232 wrote to memory of 1408 4232 510E.tmp 98 PID 4232 wrote to memory of 1408 4232 510E.tmp 98 PID 1408 wrote to memory of 4436 1408 516C.tmp 99 PID 1408 wrote to memory of 4436 1408 516C.tmp 99 PID 1408 wrote to memory of 4436 1408 516C.tmp 99 PID 4436 wrote to memory of 2780 4436 51E9.tmp 100 PID 4436 wrote to memory of 2780 4436 51E9.tmp 100 PID 4436 wrote to memory of 2780 4436 51E9.tmp 100 PID 2780 wrote to memory of 1052 2780 5246.tmp 101 PID 2780 wrote to memory of 1052 2780 5246.tmp 101 PID 2780 wrote to memory of 1052 2780 5246.tmp 101 PID 1052 wrote to memory of 4408 1052 52A4.tmp 103 PID 1052 wrote to memory of 4408 1052 52A4.tmp 103 PID 1052 wrote to memory of 4408 1052 52A4.tmp 103 PID 4408 wrote to memory of 1124 4408 5302.tmp 104 PID 4408 wrote to memory of 1124 4408 5302.tmp 104 PID 4408 wrote to memory of 1124 4408 5302.tmp 104 PID 1124 wrote to memory of 1728 1124 5360.tmp 105 PID 1124 wrote to memory of 1728 1124 5360.tmp 105 PID 1124 wrote to memory of 1728 1124 5360.tmp 105 PID 1728 wrote to memory of 1940 1728 53AE.tmp 106 PID 1728 wrote to memory of 1940 1728 53AE.tmp 106 PID 1728 wrote to memory of 1940 1728 53AE.tmp 106 PID 1940 wrote to memory of 2396 1940 540B.tmp 107 PID 1940 wrote to memory of 2396 1940 540B.tmp 107 PID 1940 wrote to memory of 2396 1940 540B.tmp 107 PID 2396 wrote to memory of 1640 2396 5479.tmp 108 PID 2396 wrote to memory of 1640 2396 5479.tmp 108 PID 2396 wrote to memory of 1640 2396 5479.tmp 108 PID 1640 wrote to memory of 4008 1640 54E6.tmp 109 PID 1640 wrote to memory of 4008 1640 54E6.tmp 109 PID 1640 wrote to memory of 4008 1640 54E6.tmp 109 PID 4008 wrote to memory of 4184 4008 5563.tmp 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_2b2e253bcd5e9335719d1324b157cece_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\4D16.tmp"C:\Users\Admin\AppData\Local\Temp\4D16.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\4D84.tmp"C:\Users\Admin\AppData\Local\Temp\4D84.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\4DE1.tmp"C:\Users\Admin\AppData\Local\Temp\4DE1.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\4E7E.tmp"C:\Users\Admin\AppData\Local\Temp\4E7E.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\4EDB.tmp"C:\Users\Admin\AppData\Local\Temp\4EDB.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\4F58.tmp"C:\Users\Admin\AppData\Local\Temp\4F58.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"C:\Users\Admin\AppData\Local\Temp\4FB6.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\5014.tmp"C:\Users\Admin\AppData\Local\Temp\5014.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Users\Admin\AppData\Local\Temp\5081.tmp"C:\Users\Admin\AppData\Local\Temp\5081.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\510E.tmp"C:\Users\Admin\AppData\Local\Temp\510E.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\516C.tmp"C:\Users\Admin\AppData\Local\Temp\516C.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\51E9.tmp"C:\Users\Admin\AppData\Local\Temp\51E9.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\5246.tmp"C:\Users\Admin\AppData\Local\Temp\5246.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\52A4.tmp"C:\Users\Admin\AppData\Local\Temp\52A4.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\5302.tmp"C:\Users\Admin\AppData\Local\Temp\5302.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\5360.tmp"C:\Users\Admin\AppData\Local\Temp\5360.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\53AE.tmp"C:\Users\Admin\AppData\Local\Temp\53AE.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\540B.tmp"C:\Users\Admin\AppData\Local\Temp\540B.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\5479.tmp"C:\Users\Admin\AppData\Local\Temp\5479.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\54E6.tmp"C:\Users\Admin\AppData\Local\Temp\54E6.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\5563.tmp"C:\Users\Admin\AppData\Local\Temp\5563.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\55E0.tmp"C:\Users\Admin\AppData\Local\Temp\55E0.tmp"23⤵
- Executes dropped EXE
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\565D.tmp"C:\Users\Admin\AppData\Local\Temp\565D.tmp"24⤵
- Executes dropped EXE
PID:384 -
C:\Users\Admin\AppData\Local\Temp\56DA.tmp"C:\Users\Admin\AppData\Local\Temp\56DA.tmp"25⤵
- Executes dropped EXE
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\5776.tmp"C:\Users\Admin\AppData\Local\Temp\5776.tmp"26⤵
- Executes dropped EXE
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\57E4.tmp"C:\Users\Admin\AppData\Local\Temp\57E4.tmp"27⤵
- Executes dropped EXE
PID:3632 -
C:\Users\Admin\AppData\Local\Temp\5861.tmp"C:\Users\Admin\AppData\Local\Temp\5861.tmp"28⤵
- Executes dropped EXE
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\58CE.tmp"C:\Users\Admin\AppData\Local\Temp\58CE.tmp"29⤵
- Executes dropped EXE
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\592C.tmp"C:\Users\Admin\AppData\Local\Temp\592C.tmp"30⤵
- Executes dropped EXE
PID:3652 -
C:\Users\Admin\AppData\Local\Temp\5999.tmp"C:\Users\Admin\AppData\Local\Temp\5999.tmp"31⤵
- Executes dropped EXE
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\5A07.tmp"C:\Users\Admin\AppData\Local\Temp\5A07.tmp"32⤵
- Executes dropped EXE
PID:4276 -
C:\Users\Admin\AppData\Local\Temp\5A64.tmp"C:\Users\Admin\AppData\Local\Temp\5A64.tmp"33⤵
- Executes dropped EXE
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"C:\Users\Admin\AppData\Local\Temp\5AE1.tmp"34⤵
- Executes dropped EXE
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"C:\Users\Admin\AppData\Local\Temp\5B3F.tmp"35⤵
- Executes dropped EXE
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\5B9D.tmp"C:\Users\Admin\AppData\Local\Temp\5B9D.tmp"36⤵
- Executes dropped EXE
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"C:\Users\Admin\AppData\Local\Temp\5BEB.tmp"37⤵
- Executes dropped EXE
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\5C39.tmp"C:\Users\Admin\AppData\Local\Temp\5C39.tmp"38⤵
- Executes dropped EXE
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\5C87.tmp"C:\Users\Admin\AppData\Local\Temp\5C87.tmp"39⤵
- Executes dropped EXE
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\5CD5.tmp"C:\Users\Admin\AppData\Local\Temp\5CD5.tmp"40⤵
- Executes dropped EXE
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\5D33.tmp"C:\Users\Admin\AppData\Local\Temp\5D33.tmp"41⤵
- Executes dropped EXE
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\5D91.tmp"C:\Users\Admin\AppData\Local\Temp\5D91.tmp"42⤵
- Executes dropped EXE
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"43⤵
- Executes dropped EXE
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\5E3D.tmp"C:\Users\Admin\AppData\Local\Temp\5E3D.tmp"44⤵
- Executes dropped EXE
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"45⤵
- Executes dropped EXE
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"46⤵
- Executes dropped EXE
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\5F37.tmp"C:\Users\Admin\AppData\Local\Temp\5F37.tmp"47⤵
- Executes dropped EXE
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\5F85.tmp"C:\Users\Admin\AppData\Local\Temp\5F85.tmp"48⤵
- Executes dropped EXE
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\5FD3.tmp"C:\Users\Admin\AppData\Local\Temp\5FD3.tmp"49⤵
- Executes dropped EXE
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\6021.tmp"C:\Users\Admin\AppData\Local\Temp\6021.tmp"50⤵
- Executes dropped EXE
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\606F.tmp"C:\Users\Admin\AppData\Local\Temp\606F.tmp"51⤵
- Executes dropped EXE
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\60BD.tmp"C:\Users\Admin\AppData\Local\Temp\60BD.tmp"52⤵
- Executes dropped EXE
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\610C.tmp"C:\Users\Admin\AppData\Local\Temp\610C.tmp"53⤵
- Executes dropped EXE
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\6179.tmp"C:\Users\Admin\AppData\Local\Temp\6179.tmp"54⤵
- Executes dropped EXE
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\61D7.tmp"C:\Users\Admin\AppData\Local\Temp\61D7.tmp"55⤵
- Executes dropped EXE
PID:384 -
C:\Users\Admin\AppData\Local\Temp\6225.tmp"C:\Users\Admin\AppData\Local\Temp\6225.tmp"56⤵
- Executes dropped EXE
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\6273.tmp"C:\Users\Admin\AppData\Local\Temp\6273.tmp"57⤵
- Executes dropped EXE
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\62C1.tmp"C:\Users\Admin\AppData\Local\Temp\62C1.tmp"58⤵
- Executes dropped EXE
PID:632 -
C:\Users\Admin\AppData\Local\Temp\630F.tmp"C:\Users\Admin\AppData\Local\Temp\630F.tmp"59⤵
- Executes dropped EXE
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\635D.tmp"C:\Users\Admin\AppData\Local\Temp\635D.tmp"60⤵
- Executes dropped EXE
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\63AB.tmp"C:\Users\Admin\AppData\Local\Temp\63AB.tmp"61⤵
- Executes dropped EXE
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\6409.tmp"C:\Users\Admin\AppData\Local\Temp\6409.tmp"62⤵
- Executes dropped EXE
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\6467.tmp"C:\Users\Admin\AppData\Local\Temp\6467.tmp"63⤵
- Executes dropped EXE
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\64B5.tmp"C:\Users\Admin\AppData\Local\Temp\64B5.tmp"64⤵
- Executes dropped EXE
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\6503.tmp"C:\Users\Admin\AppData\Local\Temp\6503.tmp"65⤵
- Executes dropped EXE
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\6551.tmp"C:\Users\Admin\AppData\Local\Temp\6551.tmp"66⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\659F.tmp"C:\Users\Admin\AppData\Local\Temp\659F.tmp"67⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\65EE.tmp"C:\Users\Admin\AppData\Local\Temp\65EE.tmp"68⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\664B.tmp"C:\Users\Admin\AppData\Local\Temp\664B.tmp"69⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\66A9.tmp"C:\Users\Admin\AppData\Local\Temp\66A9.tmp"70⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\6707.tmp"C:\Users\Admin\AppData\Local\Temp\6707.tmp"71⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\6765.tmp"C:\Users\Admin\AppData\Local\Temp\6765.tmp"72⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\67B3.tmp"C:\Users\Admin\AppData\Local\Temp\67B3.tmp"73⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\6801.tmp"C:\Users\Admin\AppData\Local\Temp\6801.tmp"74⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\685F.tmp"C:\Users\Admin\AppData\Local\Temp\685F.tmp"75⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\689D.tmp"C:\Users\Admin\AppData\Local\Temp\689D.tmp"76⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\68EB.tmp"C:\Users\Admin\AppData\Local\Temp\68EB.tmp"77⤵PID:800
-
C:\Users\Admin\AppData\Local\Temp\6939.tmp"C:\Users\Admin\AppData\Local\Temp\6939.tmp"78⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\6997.tmp"C:\Users\Admin\AppData\Local\Temp\6997.tmp"79⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\69E5.tmp"C:\Users\Admin\AppData\Local\Temp\69E5.tmp"80⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\6A33.tmp"C:\Users\Admin\AppData\Local\Temp\6A33.tmp"81⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\6A91.tmp"C:\Users\Admin\AppData\Local\Temp\6A91.tmp"82⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"83⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"84⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\6B7B.tmp"C:\Users\Admin\AppData\Local\Temp\6B7B.tmp"85⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"86⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\6C37.tmp"C:\Users\Admin\AppData\Local\Temp\6C37.tmp"87⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\6C85.tmp"C:\Users\Admin\AppData\Local\Temp\6C85.tmp"88⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"89⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\6D31.tmp"C:\Users\Admin\AppData\Local\Temp\6D31.tmp"90⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"91⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"92⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\6E2B.tmp"C:\Users\Admin\AppData\Local\Temp\6E2B.tmp"93⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\6E89.tmp"C:\Users\Admin\AppData\Local\Temp\6E89.tmp"94⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\6EE6.tmp"C:\Users\Admin\AppData\Local\Temp\6EE6.tmp"95⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\6F35.tmp"C:\Users\Admin\AppData\Local\Temp\6F35.tmp"96⤵PID:740
-
C:\Users\Admin\AppData\Local\Temp\6F92.tmp"C:\Users\Admin\AppData\Local\Temp\6F92.tmp"97⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"98⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\704E.tmp"C:\Users\Admin\AppData\Local\Temp\704E.tmp"99⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\709C.tmp"C:\Users\Admin\AppData\Local\Temp\709C.tmp"100⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\70FA.tmp"C:\Users\Admin\AppData\Local\Temp\70FA.tmp"101⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\7148.tmp"C:\Users\Admin\AppData\Local\Temp\7148.tmp"102⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\7196.tmp"C:\Users\Admin\AppData\Local\Temp\7196.tmp"103⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\71F4.tmp"C:\Users\Admin\AppData\Local\Temp\71F4.tmp"104⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\7251.tmp"C:\Users\Admin\AppData\Local\Temp\7251.tmp"105⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\72A0.tmp"C:\Users\Admin\AppData\Local\Temp\72A0.tmp"106⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\72FD.tmp"C:\Users\Admin\AppData\Local\Temp\72FD.tmp"107⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\734B.tmp"C:\Users\Admin\AppData\Local\Temp\734B.tmp"108⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\739A.tmp"C:\Users\Admin\AppData\Local\Temp\739A.tmp"109⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\73E8.tmp"C:\Users\Admin\AppData\Local\Temp\73E8.tmp"110⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\7436.tmp"C:\Users\Admin\AppData\Local\Temp\7436.tmp"111⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\7474.tmp"C:\Users\Admin\AppData\Local\Temp\7474.tmp"112⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\74C2.tmp"C:\Users\Admin\AppData\Local\Temp\74C2.tmp"113⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\7511.tmp"C:\Users\Admin\AppData\Local\Temp\7511.tmp"114⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\754F.tmp"C:\Users\Admin\AppData\Local\Temp\754F.tmp"115⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\759D.tmp"C:\Users\Admin\AppData\Local\Temp\759D.tmp"116⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\75EB.tmp"C:\Users\Admin\AppData\Local\Temp\75EB.tmp"117⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\7639.tmp"C:\Users\Admin\AppData\Local\Temp\7639.tmp"118⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\7697.tmp"C:\Users\Admin\AppData\Local\Temp\7697.tmp"119⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\76E5.tmp"C:\Users\Admin\AppData\Local\Temp\76E5.tmp"120⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\7743.tmp"C:\Users\Admin\AppData\Local\Temp\7743.tmp"121⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\77A1.tmp"C:\Users\Admin\AppData\Local\Temp\77A1.tmp"122⤵PID:1068
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-