Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
06/06/2024, 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe
-
Size
520KB
-
MD5
521c968a6f05554793686458f35d38e7
-
SHA1
4198e10cdf08c5cb4156d7cb49f2bc85f7c4ac60
-
SHA256
95ed89688f64074763108d44a14e969b02692dce3ab783be6d40772e1315ffdb
-
SHA512
c14a8d77a9ebbaace917f689dadb17581429a6789b8fd673d30113874909eed39a8163163898b89443c07bba9557abe1eea5bf0cb635dc8518cb7236d350ee09
-
SSDEEP
12288:roRXOQjmOytwBxn75l07O65HZIT9czSbICNZ:rogQ9ytwXE95Zo+SsCN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 3988 72EE.tmp 3692 734B.tmp 1612 739A.tmp 4508 73E8.tmp 5096 7436.tmp 2796 7494.tmp 2168 74F1.tmp 2944 754F.tmp 2840 759D.tmp 3644 75EB.tmp 2808 7649.tmp 4124 7697.tmp 2396 76E5.tmp 3232 7733.tmp 820 7782.tmp 4224 77D0.tmp 616 782D.tmp 3092 787C.tmp 400 78CA.tmp 2824 7927.tmp 4736 7976.tmp 3864 79C4.tmp 4920 7A31.tmp 4504 7A7F.tmp 4692 7ACD.tmp 4788 7B1B.tmp 2804 7B6A.tmp 5036 7BB8.tmp 380 7C06.tmp 1444 7C54.tmp 4556 7CA2.tmp 2416 7CF0.tmp 3112 7D2F.tmp 3912 7D7D.tmp 2400 7DCB.tmp 388 7E19.tmp 3504 7E67.tmp 3200 7EB5.tmp 3016 7F03.tmp 4248 7F52.tmp 4676 7FCF.tmp 2836 800D.tmp 5112 805B.tmp 2628 80A9.tmp 1004 80F7.tmp 3888 8146.tmp 468 81A3.tmp 3732 81F1.tmp 4160 8240.tmp 4908 828E.tmp 2404 82DC.tmp 1460 833A.tmp 1328 8378.tmp 2984 83C6.tmp 4532 8414.tmp 2808 8462.tmp 2956 84B1.tmp 1432 84FF.tmp 3232 853D.tmp 4916 858B.tmp 4224 85D9.tmp 4128 8628.tmp 1728 8685.tmp 2792 86D3.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4820 wrote to memory of 3988 4820 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 84 PID 4820 wrote to memory of 3988 4820 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 84 PID 4820 wrote to memory of 3988 4820 2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe 84 PID 3988 wrote to memory of 3692 3988 72EE.tmp 87 PID 3988 wrote to memory of 3692 3988 72EE.tmp 87 PID 3988 wrote to memory of 3692 3988 72EE.tmp 87 PID 3692 wrote to memory of 1612 3692 734B.tmp 89 PID 3692 wrote to memory of 1612 3692 734B.tmp 89 PID 3692 wrote to memory of 1612 3692 734B.tmp 89 PID 1612 wrote to memory of 4508 1612 739A.tmp 90 PID 1612 wrote to memory of 4508 1612 739A.tmp 90 PID 1612 wrote to memory of 4508 1612 739A.tmp 90 PID 4508 wrote to memory of 5096 4508 73E8.tmp 786 PID 4508 wrote to memory of 5096 4508 73E8.tmp 786 PID 4508 wrote to memory of 5096 4508 73E8.tmp 786 PID 5096 wrote to memory of 2796 5096 7436.tmp 92 PID 5096 wrote to memory of 2796 5096 7436.tmp 92 PID 5096 wrote to memory of 2796 5096 7436.tmp 92 PID 2796 wrote to memory of 2168 2796 7494.tmp 93 PID 2796 wrote to memory of 2168 2796 7494.tmp 93 PID 2796 wrote to memory of 2168 2796 7494.tmp 93 PID 2168 wrote to memory of 2944 2168 74F1.tmp 1005 PID 2168 wrote to memory of 2944 2168 74F1.tmp 1005 PID 2168 wrote to memory of 2944 2168 74F1.tmp 1005 PID 2944 wrote to memory of 2840 2944 754F.tmp 95 PID 2944 wrote to memory of 2840 2944 754F.tmp 95 PID 2944 wrote to memory of 2840 2944 754F.tmp 95 PID 2840 wrote to memory of 3644 2840 759D.tmp 96 PID 2840 wrote to memory of 3644 2840 759D.tmp 96 PID 2840 wrote to memory of 3644 2840 759D.tmp 96 PID 3644 wrote to memory of 2808 3644 75EB.tmp 97 PID 3644 wrote to memory of 2808 3644 75EB.tmp 97 PID 3644 wrote to memory of 2808 3644 75EB.tmp 97 PID 2808 wrote to memory of 4124 2808 7649.tmp 98 PID 2808 wrote to memory of 4124 2808 7649.tmp 98 PID 2808 wrote to memory of 4124 2808 7649.tmp 98 PID 4124 wrote to memory of 2396 4124 7697.tmp 99 PID 4124 wrote to memory of 2396 4124 7697.tmp 99 PID 4124 wrote to memory of 2396 4124 7697.tmp 99 PID 2396 wrote to memory of 3232 2396 76E5.tmp 149 PID 2396 wrote to memory of 3232 2396 76E5.tmp 149 PID 2396 wrote to memory of 3232 2396 76E5.tmp 149 PID 3232 wrote to memory of 820 3232 7733.tmp 101 PID 3232 wrote to memory of 820 3232 7733.tmp 101 PID 3232 wrote to memory of 820 3232 7733.tmp 101 PID 820 wrote to memory of 4224 820 7782.tmp 102 PID 820 wrote to memory of 4224 820 7782.tmp 102 PID 820 wrote to memory of 4224 820 7782.tmp 102 PID 4224 wrote to memory of 616 4224 77D0.tmp 103 PID 4224 wrote to memory of 616 4224 77D0.tmp 103 PID 4224 wrote to memory of 616 4224 77D0.tmp 103 PID 616 wrote to memory of 3092 616 782D.tmp 104 PID 616 wrote to memory of 3092 616 782D.tmp 104 PID 616 wrote to memory of 3092 616 782D.tmp 104 PID 3092 wrote to memory of 400 3092 787C.tmp 105 PID 3092 wrote to memory of 400 3092 787C.tmp 105 PID 3092 wrote to memory of 400 3092 787C.tmp 105 PID 400 wrote to memory of 2824 400 78CA.tmp 106 PID 400 wrote to memory of 2824 400 78CA.tmp 106 PID 400 wrote to memory of 2824 400 78CA.tmp 106 PID 2824 wrote to memory of 4736 2824 7927.tmp 107 PID 2824 wrote to memory of 4736 2824 7927.tmp 107 PID 2824 wrote to memory of 4736 2824 7927.tmp 107 PID 4736 wrote to memory of 3864 4736 7976.tmp 108
Processes
-
C:\Windows\System32\pb7nq5.exe"C:\Windows\System32\pb7nq5.exe"1⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\753605827\zmstage.exeC:\Users\Admin\AppData\Local\Temp\753605827\zmstage.exe2⤵PID:3392
-
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-06_521c968a6f05554793686458f35d38e7_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\72EE.tmp"C:\Users\Admin\AppData\Local\Temp\72EE.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\734B.tmp"C:\Users\Admin\AppData\Local\Temp\734B.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\739A.tmp"C:\Users\Admin\AppData\Local\Temp\739A.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\73E8.tmp"C:\Users\Admin\AppData\Local\Temp\73E8.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\7436.tmp"C:\Users\Admin\AppData\Local\Temp\7436.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\7494.tmp"C:\Users\Admin\AppData\Local\Temp\7494.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\74F1.tmp"C:\Users\Admin\AppData\Local\Temp\74F1.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\754F.tmp"C:\Users\Admin\AppData\Local\Temp\754F.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\759D.tmp"C:\Users\Admin\AppData\Local\Temp\759D.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\75EB.tmp"C:\Users\Admin\AppData\Local\Temp\75EB.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\7649.tmp"C:\Users\Admin\AppData\Local\Temp\7649.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\7697.tmp"C:\Users\Admin\AppData\Local\Temp\7697.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\76E5.tmp"C:\Users\Admin\AppData\Local\Temp\76E5.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\7733.tmp"C:\Users\Admin\AppData\Local\Temp\7733.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\7782.tmp"C:\Users\Admin\AppData\Local\Temp\7782.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Users\Admin\AppData\Local\Temp\77D0.tmp"C:\Users\Admin\AppData\Local\Temp\77D0.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\782D.tmp"C:\Users\Admin\AppData\Local\Temp\782D.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Users\Admin\AppData\Local\Temp\787C.tmp"C:\Users\Admin\AppData\Local\Temp\787C.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\78CA.tmp"C:\Users\Admin\AppData\Local\Temp\78CA.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Users\Admin\AppData\Local\Temp\7927.tmp"C:\Users\Admin\AppData\Local\Temp\7927.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\7976.tmp"C:\Users\Admin\AppData\Local\Temp\7976.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\79C4.tmp"C:\Users\Admin\AppData\Local\Temp\79C4.tmp"23⤵
- Executes dropped EXE
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\7A31.tmp"C:\Users\Admin\AppData\Local\Temp\7A31.tmp"24⤵
- Executes dropped EXE
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\7A7F.tmp"C:\Users\Admin\AppData\Local\Temp\7A7F.tmp"25⤵
- Executes dropped EXE
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\7ACD.tmp"C:\Users\Admin\AppData\Local\Temp\7ACD.tmp"26⤵
- Executes dropped EXE
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"C:\Users\Admin\AppData\Local\Temp\7B1B.tmp"27⤵
- Executes dropped EXE
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\7B6A.tmp"C:\Users\Admin\AppData\Local\Temp\7B6A.tmp"28⤵
- Executes dropped EXE
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"C:\Users\Admin\AppData\Local\Temp\7BB8.tmp"29⤵
- Executes dropped EXE
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\7C06.tmp"C:\Users\Admin\AppData\Local\Temp\7C06.tmp"30⤵
- Executes dropped EXE
PID:380 -
C:\Users\Admin\AppData\Local\Temp\7C54.tmp"C:\Users\Admin\AppData\Local\Temp\7C54.tmp"31⤵
- Executes dropped EXE
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"32⤵
- Executes dropped EXE
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"C:\Users\Admin\AppData\Local\Temp\7CF0.tmp"33⤵
- Executes dropped EXE
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\7D2F.tmp"C:\Users\Admin\AppData\Local\Temp\7D2F.tmp"34⤵
- Executes dropped EXE
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\7D7D.tmp"C:\Users\Admin\AppData\Local\Temp\7D7D.tmp"35⤵
- Executes dropped EXE
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\7DCB.tmp"C:\Users\Admin\AppData\Local\Temp\7DCB.tmp"36⤵
- Executes dropped EXE
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\7E19.tmp"C:\Users\Admin\AppData\Local\Temp\7E19.tmp"37⤵
- Executes dropped EXE
PID:388 -
C:\Users\Admin\AppData\Local\Temp\7E67.tmp"C:\Users\Admin\AppData\Local\Temp\7E67.tmp"38⤵
- Executes dropped EXE
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\7EB5.tmp"C:\Users\Admin\AppData\Local\Temp\7EB5.tmp"39⤵
- Executes dropped EXE
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\7F03.tmp"C:\Users\Admin\AppData\Local\Temp\7F03.tmp"40⤵
- Executes dropped EXE
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\7F52.tmp"C:\Users\Admin\AppData\Local\Temp\7F52.tmp"41⤵
- Executes dropped EXE
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\7FCF.tmp"C:\Users\Admin\AppData\Local\Temp\7FCF.tmp"42⤵
- Executes dropped EXE
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\800D.tmp"C:\Users\Admin\AppData\Local\Temp\800D.tmp"43⤵
- Executes dropped EXE
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\805B.tmp"C:\Users\Admin\AppData\Local\Temp\805B.tmp"44⤵
- Executes dropped EXE
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\80A9.tmp"C:\Users\Admin\AppData\Local\Temp\80A9.tmp"45⤵
- Executes dropped EXE
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\80F7.tmp"C:\Users\Admin\AppData\Local\Temp\80F7.tmp"46⤵
- Executes dropped EXE
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\8146.tmp"C:\Users\Admin\AppData\Local\Temp\8146.tmp"47⤵
- Executes dropped EXE
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\81A3.tmp"C:\Users\Admin\AppData\Local\Temp\81A3.tmp"48⤵
- Executes dropped EXE
PID:468 -
C:\Users\Admin\AppData\Local\Temp\81F1.tmp"C:\Users\Admin\AppData\Local\Temp\81F1.tmp"49⤵
- Executes dropped EXE
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\8240.tmp"C:\Users\Admin\AppData\Local\Temp\8240.tmp"50⤵
- Executes dropped EXE
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\828E.tmp"C:\Users\Admin\AppData\Local\Temp\828E.tmp"51⤵
- Executes dropped EXE
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\82DC.tmp"C:\Users\Admin\AppData\Local\Temp\82DC.tmp"52⤵
- Executes dropped EXE
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\833A.tmp"C:\Users\Admin\AppData\Local\Temp\833A.tmp"53⤵
- Executes dropped EXE
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\8378.tmp"C:\Users\Admin\AppData\Local\Temp\8378.tmp"54⤵
- Executes dropped EXE
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\83C6.tmp"C:\Users\Admin\AppData\Local\Temp\83C6.tmp"55⤵
- Executes dropped EXE
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\8414.tmp"C:\Users\Admin\AppData\Local\Temp\8414.tmp"56⤵
- Executes dropped EXE
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\8462.tmp"C:\Users\Admin\AppData\Local\Temp\8462.tmp"57⤵
- Executes dropped EXE
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\84B1.tmp"C:\Users\Admin\AppData\Local\Temp\84B1.tmp"58⤵
- Executes dropped EXE
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\84FF.tmp"C:\Users\Admin\AppData\Local\Temp\84FF.tmp"59⤵
- Executes dropped EXE
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\853D.tmp"C:\Users\Admin\AppData\Local\Temp\853D.tmp"60⤵
- Executes dropped EXE
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\858B.tmp"C:\Users\Admin\AppData\Local\Temp\858B.tmp"61⤵
- Executes dropped EXE
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\85D9.tmp"C:\Users\Admin\AppData\Local\Temp\85D9.tmp"62⤵
- Executes dropped EXE
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\8628.tmp"C:\Users\Admin\AppData\Local\Temp\8628.tmp"63⤵
- Executes dropped EXE
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\8685.tmp"C:\Users\Admin\AppData\Local\Temp\8685.tmp"64⤵
- Executes dropped EXE
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\86D3.tmp"C:\Users\Admin\AppData\Local\Temp\86D3.tmp"65⤵
- Executes dropped EXE
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\8722.tmp"C:\Users\Admin\AppData\Local\Temp\8722.tmp"66⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\8770.tmp"C:\Users\Admin\AppData\Local\Temp\8770.tmp"67⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\87BE.tmp"C:\Users\Admin\AppData\Local\Temp\87BE.tmp"68⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\880C.tmp"C:\Users\Admin\AppData\Local\Temp\880C.tmp"69⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\885A.tmp"C:\Users\Admin\AppData\Local\Temp\885A.tmp"70⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\88A8.tmp"C:\Users\Admin\AppData\Local\Temp\88A8.tmp"71⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\88F6.tmp"C:\Users\Admin\AppData\Local\Temp\88F6.tmp"72⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\8944.tmp"C:\Users\Admin\AppData\Local\Temp\8944.tmp"73⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\8993.tmp"C:\Users\Admin\AppData\Local\Temp\8993.tmp"74⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\89D1.tmp"C:\Users\Admin\AppData\Local\Temp\89D1.tmp"75⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\8A1F.tmp"C:\Users\Admin\AppData\Local\Temp\8A1F.tmp"76⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\8A6D.tmp"C:\Users\Admin\AppData\Local\Temp\8A6D.tmp"77⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"C:\Users\Admin\AppData\Local\Temp\8ABB.tmp"78⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"C:\Users\Admin\AppData\Local\Temp\8B0A.tmp"79⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\8B58.tmp"C:\Users\Admin\AppData\Local\Temp\8B58.tmp"80⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\8BA6.tmp"C:\Users\Admin\AppData\Local\Temp\8BA6.tmp"81⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"82⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\8C32.tmp"C:\Users\Admin\AppData\Local\Temp\8C32.tmp"83⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\8C81.tmp"C:\Users\Admin\AppData\Local\Temp\8C81.tmp"84⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\8CCF.tmp"C:\Users\Admin\AppData\Local\Temp\8CCF.tmp"85⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\8D0D.tmp"C:\Users\Admin\AppData\Local\Temp\8D0D.tmp"86⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\8D5B.tmp"C:\Users\Admin\AppData\Local\Temp\8D5B.tmp"87⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\8DA9.tmp"C:\Users\Admin\AppData\Local\Temp\8DA9.tmp"88⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\8DF8.tmp"C:\Users\Admin\AppData\Local\Temp\8DF8.tmp"89⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\8E46.tmp"C:\Users\Admin\AppData\Local\Temp\8E46.tmp"90⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\8E94.tmp"C:\Users\Admin\AppData\Local\Temp\8E94.tmp"91⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\8EE2.tmp"C:\Users\Admin\AppData\Local\Temp\8EE2.tmp"92⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\8F30.tmp"C:\Users\Admin\AppData\Local\Temp\8F30.tmp"93⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\8F6F.tmp"C:\Users\Admin\AppData\Local\Temp\8F6F.tmp"94⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\8FAD.tmp"C:\Users\Admin\AppData\Local\Temp\8FAD.tmp"95⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"96⤵PID:3276
-
C:\Users\Admin\AppData\Local\Temp\903A.tmp"C:\Users\Admin\AppData\Local\Temp\903A.tmp"97⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\9078.tmp"C:\Users\Admin\AppData\Local\Temp\9078.tmp"98⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\90C6.tmp"C:\Users\Admin\AppData\Local\Temp\90C6.tmp"99⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\9114.tmp"C:\Users\Admin\AppData\Local\Temp\9114.tmp"100⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\9153.tmp"C:\Users\Admin\AppData\Local\Temp\9153.tmp"101⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\91A1.tmp"C:\Users\Admin\AppData\Local\Temp\91A1.tmp"102⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\91EF.tmp"C:\Users\Admin\AppData\Local\Temp\91EF.tmp"103⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\923D.tmp"C:\Users\Admin\AppData\Local\Temp\923D.tmp"104⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\928B.tmp"C:\Users\Admin\AppData\Local\Temp\928B.tmp"105⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\92DA.tmp"C:\Users\Admin\AppData\Local\Temp\92DA.tmp"106⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\9328.tmp"C:\Users\Admin\AppData\Local\Temp\9328.tmp"107⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\9376.tmp"C:\Users\Admin\AppData\Local\Temp\9376.tmp"108⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\93C4.tmp"C:\Users\Admin\AppData\Local\Temp\93C4.tmp"109⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\9402.tmp"C:\Users\Admin\AppData\Local\Temp\9402.tmp"110⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\9451.tmp"C:\Users\Admin\AppData\Local\Temp\9451.tmp"111⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\949F.tmp"C:\Users\Admin\AppData\Local\Temp\949F.tmp"112⤵PID:820
-
C:\Users\Admin\AppData\Local\Temp\94DD.tmp"C:\Users\Admin\AppData\Local\Temp\94DD.tmp"113⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\952B.tmp"C:\Users\Admin\AppData\Local\Temp\952B.tmp"114⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\9579.tmp"C:\Users\Admin\AppData\Local\Temp\9579.tmp"115⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\95C8.tmp"C:\Users\Admin\AppData\Local\Temp\95C8.tmp"116⤵PID:4128
-
C:\Users\Admin\AppData\Local\Temp\9606.tmp"C:\Users\Admin\AppData\Local\Temp\9606.tmp"117⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\9654.tmp"C:\Users\Admin\AppData\Local\Temp\9654.tmp"118⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\96A2.tmp"C:\Users\Admin\AppData\Local\Temp\96A2.tmp"119⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\96F0.tmp"C:\Users\Admin\AppData\Local\Temp\96F0.tmp"120⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\972F.tmp"C:\Users\Admin\AppData\Local\Temp\972F.tmp"121⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\977D.tmp"C:\Users\Admin\AppData\Local\Temp\977D.tmp"122⤵PID:660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-