Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
06/06/2024, 20:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe
-
Size
520KB
-
MD5
cab823e6ed28bd3c7e926143ffda7c7d
-
SHA1
b3932641bd9aa281368f38314e24bc8dd1afcc47
-
SHA256
b81289521d39447710936cf0ad28f5c940e0a2b79744513f62d6ea5561e32610
-
SHA512
40adb5968a7f59f5e860538cce4bccac3971bdc9621cb3d260a745c97697d07975e882959599f7ff22de63f1d0fb4131ffac36f40b1691edbe299121d1d3fe7a
-
SSDEEP
12288:gj8fuxR21t5i8fD4KIK3goALDQjsSe/NZ:gj8fuK1GYDl3goAQRe/N
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 404 498C.tmp 4152 4A09.tmp 1676 4A96.tmp 2120 4B03.tmp 3852 4B90.tmp 3876 4C0D.tmp 1028 4C99.tmp 3508 4D16.tmp 4812 4D74.tmp 4880 4E01.tmp 4992 4E6E.tmp 3620 4EFB.tmp 3544 4F49.tmp 1512 4F97.tmp 4472 5014.tmp 3632 5062.tmp 3644 50CF.tmp 3352 513D.tmp 4536 51AA.tmp 2844 5208.tmp 2444 5266.tmp 3792 52E3.tmp 2672 539E.tmp 4572 541B.tmp 4740 5469.tmp 632 54B7.tmp 2256 5505.tmp 3160 5554.tmp 4052 55A2.tmp 4776 560F.tmp 2000 565D.tmp 4912 56DA.tmp 4048 5728.tmp 4388 5776.tmp 804 57C5.tmp 372 5813.tmp 5040 5851.tmp 4068 58AF.tmp 3692 58FD.tmp 1056 594B.tmp 5104 5999.tmp 452 59E7.tmp 916 5A36.tmp 3852 5A84.tmp 2612 5AD2.tmp 1696 5B20.tmp 3808 5B6E.tmp 2540 5BBC.tmp 4428 5C1A.tmp 1788 5C68.tmp 4812 5CB6.tmp 1324 5D14.tmp 3172 5D62.tmp 4992 5DB0.tmp 3620 5DFE.tmp 1876 5E4C.tmp 1032 5E9B.tmp 3528 5EF8.tmp 3744 5F46.tmp 956 5F95.tmp 5112 5FE3.tmp 3644 6040.tmp 3028 608F.tmp 648 60DD.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4336 wrote to memory of 404 4336 2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe 84 PID 4336 wrote to memory of 404 4336 2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe 84 PID 4336 wrote to memory of 404 4336 2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe 84 PID 404 wrote to memory of 4152 404 498C.tmp 85 PID 404 wrote to memory of 4152 404 498C.tmp 85 PID 404 wrote to memory of 4152 404 498C.tmp 85 PID 4152 wrote to memory of 1676 4152 4A09.tmp 86 PID 4152 wrote to memory of 1676 4152 4A09.tmp 86 PID 4152 wrote to memory of 1676 4152 4A09.tmp 86 PID 1676 wrote to memory of 2120 1676 4A96.tmp 87 PID 1676 wrote to memory of 2120 1676 4A96.tmp 87 PID 1676 wrote to memory of 2120 1676 4A96.tmp 87 PID 2120 wrote to memory of 3852 2120 4B03.tmp 88 PID 2120 wrote to memory of 3852 2120 4B03.tmp 88 PID 2120 wrote to memory of 3852 2120 4B03.tmp 88 PID 3852 wrote to memory of 3876 3852 4B90.tmp 89 PID 3852 wrote to memory of 3876 3852 4B90.tmp 89 PID 3852 wrote to memory of 3876 3852 4B90.tmp 89 PID 3876 wrote to memory of 1028 3876 4C0D.tmp 92 PID 3876 wrote to memory of 1028 3876 4C0D.tmp 92 PID 3876 wrote to memory of 1028 3876 4C0D.tmp 92 PID 1028 wrote to memory of 3508 1028 4C99.tmp 94 PID 1028 wrote to memory of 3508 1028 4C99.tmp 94 PID 1028 wrote to memory of 3508 1028 4C99.tmp 94 PID 3508 wrote to memory of 4812 3508 4D16.tmp 95 PID 3508 wrote to memory of 4812 3508 4D16.tmp 95 PID 3508 wrote to memory of 4812 3508 4D16.tmp 95 PID 4812 wrote to memory of 4880 4812 4D74.tmp 96 PID 4812 wrote to memory of 4880 4812 4D74.tmp 96 PID 4812 wrote to memory of 4880 4812 4D74.tmp 96 PID 4880 wrote to memory of 4992 4880 4E01.tmp 97 PID 4880 wrote to memory of 4992 4880 4E01.tmp 97 PID 4880 wrote to memory of 4992 4880 4E01.tmp 97 PID 4992 wrote to memory of 3620 4992 4E6E.tmp 98 PID 4992 wrote to memory of 3620 4992 4E6E.tmp 98 PID 4992 wrote to memory of 3620 4992 4E6E.tmp 98 PID 3620 wrote to memory of 3544 3620 4EFB.tmp 99 PID 3620 wrote to memory of 3544 3620 4EFB.tmp 99 PID 3620 wrote to memory of 3544 3620 4EFB.tmp 99 PID 3544 wrote to memory of 1512 3544 4F49.tmp 100 PID 3544 wrote to memory of 1512 3544 4F49.tmp 100 PID 3544 wrote to memory of 1512 3544 4F49.tmp 100 PID 1512 wrote to memory of 4472 1512 4F97.tmp 101 PID 1512 wrote to memory of 4472 1512 4F97.tmp 101 PID 1512 wrote to memory of 4472 1512 4F97.tmp 101 PID 4472 wrote to memory of 3632 4472 5014.tmp 102 PID 4472 wrote to memory of 3632 4472 5014.tmp 102 PID 4472 wrote to memory of 3632 4472 5014.tmp 102 PID 3632 wrote to memory of 3644 3632 5062.tmp 103 PID 3632 wrote to memory of 3644 3632 5062.tmp 103 PID 3632 wrote to memory of 3644 3632 5062.tmp 103 PID 3644 wrote to memory of 3352 3644 50CF.tmp 104 PID 3644 wrote to memory of 3352 3644 50CF.tmp 104 PID 3644 wrote to memory of 3352 3644 50CF.tmp 104 PID 3352 wrote to memory of 4536 3352 513D.tmp 105 PID 3352 wrote to memory of 4536 3352 513D.tmp 105 PID 3352 wrote to memory of 4536 3352 513D.tmp 105 PID 4536 wrote to memory of 2844 4536 51AA.tmp 106 PID 4536 wrote to memory of 2844 4536 51AA.tmp 106 PID 4536 wrote to memory of 2844 4536 51AA.tmp 106 PID 2844 wrote to memory of 2444 2844 5208.tmp 107 PID 2844 wrote to memory of 2444 2844 5208.tmp 107 PID 2844 wrote to memory of 2444 2844 5208.tmp 107 PID 2444 wrote to memory of 3792 2444 5266.tmp 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-06_cab823e6ed28bd3c7e926143ffda7c7d_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\498C.tmp"C:\Users\Admin\AppData\Local\Temp\498C.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Users\Admin\AppData\Local\Temp\4A09.tmp"C:\Users\Admin\AppData\Local\Temp\4A09.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\4A96.tmp"C:\Users\Admin\AppData\Local\Temp\4A96.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\4B03.tmp"C:\Users\Admin\AppData\Local\Temp\4B03.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\4B90.tmp"C:\Users\Admin\AppData\Local\Temp\4B90.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\4C0D.tmp"C:\Users\Admin\AppData\Local\Temp\4C0D.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\4C99.tmp"C:\Users\Admin\AppData\Local\Temp\4C99.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Users\Admin\AppData\Local\Temp\4D16.tmp"C:\Users\Admin\AppData\Local\Temp\4D16.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Users\Admin\AppData\Local\Temp\4D74.tmp"C:\Users\Admin\AppData\Local\Temp\4D74.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\4E01.tmp"C:\Users\Admin\AppData\Local\Temp\4E01.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\4EFB.tmp"C:\Users\Admin\AppData\Local\Temp\4EFB.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\4F49.tmp"C:\Users\Admin\AppData\Local\Temp\4F49.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\4F97.tmp"C:\Users\Admin\AppData\Local\Temp\4F97.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\5014.tmp"C:\Users\Admin\AppData\Local\Temp\5014.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\5062.tmp"C:\Users\Admin\AppData\Local\Temp\5062.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Users\Admin\AppData\Local\Temp\50CF.tmp"C:\Users\Admin\AppData\Local\Temp\50CF.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\513D.tmp"C:\Users\Admin\AppData\Local\Temp\513D.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Users\Admin\AppData\Local\Temp\51AA.tmp"C:\Users\Admin\AppData\Local\Temp\51AA.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\5208.tmp"C:\Users\Admin\AppData\Local\Temp\5208.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\5266.tmp"C:\Users\Admin\AppData\Local\Temp\5266.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\52E3.tmp"C:\Users\Admin\AppData\Local\Temp\52E3.tmp"23⤵
- Executes dropped EXE
PID:3792 -
C:\Users\Admin\AppData\Local\Temp\539E.tmp"C:\Users\Admin\AppData\Local\Temp\539E.tmp"24⤵
- Executes dropped EXE
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\541B.tmp"C:\Users\Admin\AppData\Local\Temp\541B.tmp"25⤵
- Executes dropped EXE
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\5469.tmp"C:\Users\Admin\AppData\Local\Temp\5469.tmp"26⤵
- Executes dropped EXE
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\54B7.tmp"C:\Users\Admin\AppData\Local\Temp\54B7.tmp"27⤵
- Executes dropped EXE
PID:632 -
C:\Users\Admin\AppData\Local\Temp\5505.tmp"C:\Users\Admin\AppData\Local\Temp\5505.tmp"28⤵
- Executes dropped EXE
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\5554.tmp"C:\Users\Admin\AppData\Local\Temp\5554.tmp"29⤵
- Executes dropped EXE
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\55A2.tmp"C:\Users\Admin\AppData\Local\Temp\55A2.tmp"30⤵
- Executes dropped EXE
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\560F.tmp"C:\Users\Admin\AppData\Local\Temp\560F.tmp"31⤵
- Executes dropped EXE
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\565D.tmp"C:\Users\Admin\AppData\Local\Temp\565D.tmp"32⤵
- Executes dropped EXE
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\56DA.tmp"C:\Users\Admin\AppData\Local\Temp\56DA.tmp"33⤵
- Executes dropped EXE
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\5728.tmp"C:\Users\Admin\AppData\Local\Temp\5728.tmp"34⤵
- Executes dropped EXE
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\5776.tmp"C:\Users\Admin\AppData\Local\Temp\5776.tmp"35⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\57C5.tmp"C:\Users\Admin\AppData\Local\Temp\57C5.tmp"36⤵
- Executes dropped EXE
PID:804 -
C:\Users\Admin\AppData\Local\Temp\5813.tmp"C:\Users\Admin\AppData\Local\Temp\5813.tmp"37⤵
- Executes dropped EXE
PID:372 -
C:\Users\Admin\AppData\Local\Temp\5851.tmp"C:\Users\Admin\AppData\Local\Temp\5851.tmp"38⤵
- Executes dropped EXE
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\58AF.tmp"C:\Users\Admin\AppData\Local\Temp\58AF.tmp"39⤵
- Executes dropped EXE
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\58FD.tmp"C:\Users\Admin\AppData\Local\Temp\58FD.tmp"40⤵
- Executes dropped EXE
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\594B.tmp"C:\Users\Admin\AppData\Local\Temp\594B.tmp"41⤵
- Executes dropped EXE
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\5999.tmp"C:\Users\Admin\AppData\Local\Temp\5999.tmp"42⤵
- Executes dropped EXE
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\59E7.tmp"C:\Users\Admin\AppData\Local\Temp\59E7.tmp"43⤵
- Executes dropped EXE
PID:452 -
C:\Users\Admin\AppData\Local\Temp\5A36.tmp"C:\Users\Admin\AppData\Local\Temp\5A36.tmp"44⤵
- Executes dropped EXE
PID:916 -
C:\Users\Admin\AppData\Local\Temp\5A84.tmp"C:\Users\Admin\AppData\Local\Temp\5A84.tmp"45⤵
- Executes dropped EXE
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\5AD2.tmp"C:\Users\Admin\AppData\Local\Temp\5AD2.tmp"46⤵
- Executes dropped EXE
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\5B20.tmp"C:\Users\Admin\AppData\Local\Temp\5B20.tmp"47⤵
- Executes dropped EXE
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"48⤵
- Executes dropped EXE
PID:3808 -
C:\Users\Admin\AppData\Local\Temp\5BBC.tmp"C:\Users\Admin\AppData\Local\Temp\5BBC.tmp"49⤵
- Executes dropped EXE
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"C:\Users\Admin\AppData\Local\Temp\5C1A.tmp"50⤵
- Executes dropped EXE
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\5C68.tmp"C:\Users\Admin\AppData\Local\Temp\5C68.tmp"51⤵
- Executes dropped EXE
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"52⤵
- Executes dropped EXE
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\5D14.tmp"C:\Users\Admin\AppData\Local\Temp\5D14.tmp"53⤵
- Executes dropped EXE
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\5D62.tmp"C:\Users\Admin\AppData\Local\Temp\5D62.tmp"54⤵
- Executes dropped EXE
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"55⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\5DFE.tmp"C:\Users\Admin\AppData\Local\Temp\5DFE.tmp"56⤵
- Executes dropped EXE
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"57⤵
- Executes dropped EXE
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"58⤵
- Executes dropped EXE
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"C:\Users\Admin\AppData\Local\Temp\5EF8.tmp"59⤵
- Executes dropped EXE
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\5F46.tmp"C:\Users\Admin\AppData\Local\Temp\5F46.tmp"60⤵
- Executes dropped EXE
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\5F95.tmp"C:\Users\Admin\AppData\Local\Temp\5F95.tmp"61⤵
- Executes dropped EXE
PID:956 -
C:\Users\Admin\AppData\Local\Temp\5FE3.tmp"C:\Users\Admin\AppData\Local\Temp\5FE3.tmp"62⤵
- Executes dropped EXE
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\6040.tmp"C:\Users\Admin\AppData\Local\Temp\6040.tmp"63⤵
- Executes dropped EXE
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\608F.tmp"C:\Users\Admin\AppData\Local\Temp\608F.tmp"64⤵
- Executes dropped EXE
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\60DD.tmp"C:\Users\Admin\AppData\Local\Temp\60DD.tmp"65⤵
- Executes dropped EXE
PID:648 -
C:\Users\Admin\AppData\Local\Temp\612B.tmp"C:\Users\Admin\AppData\Local\Temp\612B.tmp"66⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\6189.tmp"C:\Users\Admin\AppData\Local\Temp\6189.tmp"67⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\61D7.tmp"C:\Users\Admin\AppData\Local\Temp\61D7.tmp"68⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\6234.tmp"C:\Users\Admin\AppData\Local\Temp\6234.tmp"69⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\6283.tmp"C:\Users\Admin\AppData\Local\Temp\6283.tmp"70⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\62D1.tmp"C:\Users\Admin\AppData\Local\Temp\62D1.tmp"71⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\632E.tmp"C:\Users\Admin\AppData\Local\Temp\632E.tmp"72⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\637D.tmp"C:\Users\Admin\AppData\Local\Temp\637D.tmp"73⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\63DA.tmp"C:\Users\Admin\AppData\Local\Temp\63DA.tmp"74⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\6438.tmp"C:\Users\Admin\AppData\Local\Temp\6438.tmp"75⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\6486.tmp"C:\Users\Admin\AppData\Local\Temp\6486.tmp"76⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\64E4.tmp"C:\Users\Admin\AppData\Local\Temp\64E4.tmp"77⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\6542.tmp"C:\Users\Admin\AppData\Local\Temp\6542.tmp"78⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\659F.tmp"C:\Users\Admin\AppData\Local\Temp\659F.tmp"79⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\65FD.tmp"C:\Users\Admin\AppData\Local\Temp\65FD.tmp"80⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\664B.tmp"C:\Users\Admin\AppData\Local\Temp\664B.tmp"81⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\66A9.tmp"C:\Users\Admin\AppData\Local\Temp\66A9.tmp"82⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\6707.tmp"C:\Users\Admin\AppData\Local\Temp\6707.tmp"83⤵PID:2572
-
C:\Users\Admin\AppData\Local\Temp\6755.tmp"C:\Users\Admin\AppData\Local\Temp\6755.tmp"84⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\67A3.tmp"C:\Users\Admin\AppData\Local\Temp\67A3.tmp"85⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\6801.tmp"C:\Users\Admin\AppData\Local\Temp\6801.tmp"86⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\685F.tmp"C:\Users\Admin\AppData\Local\Temp\685F.tmp"87⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\68BC.tmp"C:\Users\Admin\AppData\Local\Temp\68BC.tmp"88⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\691A.tmp"C:\Users\Admin\AppData\Local\Temp\691A.tmp"89⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\6968.tmp"C:\Users\Admin\AppData\Local\Temp\6968.tmp"90⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\69C6.tmp"C:\Users\Admin\AppData\Local\Temp\69C6.tmp"91⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\6A24.tmp"C:\Users\Admin\AppData\Local\Temp\6A24.tmp"92⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\6A81.tmp"C:\Users\Admin\AppData\Local\Temp\6A81.tmp"93⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\6AD0.tmp"C:\Users\Admin\AppData\Local\Temp\6AD0.tmp"94⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"C:\Users\Admin\AppData\Local\Temp\6B2D.tmp"95⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"96⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp"C:\Users\Admin\AppData\Local\Temp\6BE9.tmp"97⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\6C37.tmp"C:\Users\Admin\AppData\Local\Temp\6C37.tmp"98⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\6C95.tmp"C:\Users\Admin\AppData\Local\Temp\6C95.tmp"99⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\6CF2.tmp"C:\Users\Admin\AppData\Local\Temp\6CF2.tmp"100⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\6D50.tmp"C:\Users\Admin\AppData\Local\Temp\6D50.tmp"101⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\6D9E.tmp"C:\Users\Admin\AppData\Local\Temp\6D9E.tmp"102⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"C:\Users\Admin\AppData\Local\Temp\6DEC.tmp"103⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"104⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"105⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"C:\Users\Admin\AppData\Local\Temp\6EF6.tmp"106⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\6F54.tmp"C:\Users\Admin\AppData\Local\Temp\6F54.tmp"107⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"108⤵PID:4384
-
C:\Users\Admin\AppData\Local\Temp\7000.tmp"C:\Users\Admin\AppData\Local\Temp\7000.tmp"109⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\704E.tmp"C:\Users\Admin\AppData\Local\Temp\704E.tmp"110⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\709C.tmp"C:\Users\Admin\AppData\Local\Temp\709C.tmp"111⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\70EA.tmp"C:\Users\Admin\AppData\Local\Temp\70EA.tmp"112⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\7148.tmp"C:\Users\Admin\AppData\Local\Temp\7148.tmp"113⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\7196.tmp"C:\Users\Admin\AppData\Local\Temp\7196.tmp"114⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\71E4.tmp"C:\Users\Admin\AppData\Local\Temp\71E4.tmp"115⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\7232.tmp"C:\Users\Admin\AppData\Local\Temp\7232.tmp"116⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\7290.tmp"C:\Users\Admin\AppData\Local\Temp\7290.tmp"117⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\72DE.tmp"C:\Users\Admin\AppData\Local\Temp\72DE.tmp"118⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\733C.tmp"C:\Users\Admin\AppData\Local\Temp\733C.tmp"119⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\738A.tmp"C:\Users\Admin\AppData\Local\Temp\738A.tmp"120⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\73D8.tmp"C:\Users\Admin\AppData\Local\Temp\73D8.tmp"121⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\7436.tmp"C:\Users\Admin\AppData\Local\Temp\7436.tmp"122⤵PID:1816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-