Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
22-05-2024 21:05
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-22_e1c8f4afba9bd259b78b881398c75139_mafia.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-22_e1c8f4afba9bd259b78b881398c75139_mafia.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-22_e1c8f4afba9bd259b78b881398c75139_mafia.exe
-
Size
712KB
-
MD5
e1c8f4afba9bd259b78b881398c75139
-
SHA1
7f19d3f31db8066e0611c0cdc94b9ee3e11e9cc8
-
SHA256
d98d4fe770c90d88162f9a3f9f6abca58271353751dbb87d915fc65c0ff6e386
-
SHA512
336d85e1d0183d922ab0fb4b63652b03eee3b50dd24a80f6dfa2e8eabb48c01cd923582d9b6fd97c2f637109a85840daf992b2b7d4bba1a03377573462f606e7
-
SSDEEP
12288:FU5rCOTeiDjprQDkLha7XtRGuBOv6AgVYyTEONZdCvq5TJLCvY90D8/LVBlVk730:FUQOJDdrCkLhy926A2bNnCvq5TJLCvYR
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-22_e1c8f4afba9bd259b78b881398c75139_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-22_e1c8f4afba9bd259b78b881398c75139_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\6A04.tmp"C:\Users\Admin\AppData\Local\Temp\6A04.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Users\Admin\AppData\Local\Temp\6A53.tmp"C:\Users\Admin\AppData\Local\Temp\6A53.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp"C:\Users\Admin\AppData\Local\Temp\6AA1.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\6AFE.tmp"C:\Users\Admin\AppData\Local\Temp\6AFE.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\6B6C.tmp"C:\Users\Admin\AppData\Local\Temp\6B6C.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\6BCA.tmp"C:\Users\Admin\AppData\Local\Temp\6BCA.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\6C18.tmp"C:\Users\Admin\AppData\Local\Temp\6C18.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\6C75.tmp"C:\Users\Admin\AppData\Local\Temp\6C75.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\6D31.tmp"C:\Users\Admin\AppData\Local\Temp\6D31.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\6DFC.tmp"C:\Users\Admin\AppData\Local\Temp\6DFC.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"C:\Users\Admin\AppData\Local\Temp\6E4A.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"C:\Users\Admin\AppData\Local\Temp\6EA8.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\6F06.tmp"C:\Users\Admin\AppData\Local\Temp\6F06.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\6F54.tmp"C:\Users\Admin\AppData\Local\Temp\6F54.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"C:\Users\Admin\AppData\Local\Temp\6FD1.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\703E.tmp"C:\Users\Admin\AppData\Local\Temp\703E.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\709C.tmp"C:\Users\Admin\AppData\Local\Temp\709C.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\7109.tmp"C:\Users\Admin\AppData\Local\Temp\7109.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\7157.tmp"C:\Users\Admin\AppData\Local\Temp\7157.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\71B5.tmp"C:\Users\Admin\AppData\Local\Temp\71B5.tmp"23⤵
- Executes dropped EXE
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\7213.tmp"C:\Users\Admin\AppData\Local\Temp\7213.tmp"24⤵
- Executes dropped EXE
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\72A0.tmp"C:\Users\Admin\AppData\Local\Temp\72A0.tmp"25⤵
- Executes dropped EXE
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\72FD.tmp"C:\Users\Admin\AppData\Local\Temp\72FD.tmp"26⤵
- Executes dropped EXE
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\734B.tmp"C:\Users\Admin\AppData\Local\Temp\734B.tmp"27⤵
- Executes dropped EXE
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\739A.tmp"C:\Users\Admin\AppData\Local\Temp\739A.tmp"28⤵
- Executes dropped EXE
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\73F7.tmp"C:\Users\Admin\AppData\Local\Temp\73F7.tmp"29⤵
- Executes dropped EXE
PID:3464 -
C:\Users\Admin\AppData\Local\Temp\7445.tmp"C:\Users\Admin\AppData\Local\Temp\7445.tmp"30⤵
- Executes dropped EXE
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\7494.tmp"C:\Users\Admin\AppData\Local\Temp\7494.tmp"31⤵
- Executes dropped EXE
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\74E2.tmp"C:\Users\Admin\AppData\Local\Temp\74E2.tmp"32⤵
- Executes dropped EXE
PID:64 -
C:\Users\Admin\AppData\Local\Temp\753F.tmp"C:\Users\Admin\AppData\Local\Temp\753F.tmp"33⤵
- Executes dropped EXE
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\758E.tmp"C:\Users\Admin\AppData\Local\Temp\758E.tmp"34⤵
- Executes dropped EXE
PID:8 -
C:\Users\Admin\AppData\Local\Temp\75DC.tmp"C:\Users\Admin\AppData\Local\Temp\75DC.tmp"35⤵
- Executes dropped EXE
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\7668.tmp"C:\Users\Admin\AppData\Local\Temp\7668.tmp"36⤵
- Executes dropped EXE
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\76B6.tmp"C:\Users\Admin\AppData\Local\Temp\76B6.tmp"37⤵
- Executes dropped EXE
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\7705.tmp"C:\Users\Admin\AppData\Local\Temp\7705.tmp"38⤵
- Executes dropped EXE
PID:4296 -
C:\Users\Admin\AppData\Local\Temp\7772.tmp"C:\Users\Admin\AppData\Local\Temp\7772.tmp"39⤵
- Executes dropped EXE
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\77C0.tmp"C:\Users\Admin\AppData\Local\Temp\77C0.tmp"40⤵
- Executes dropped EXE
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\781E.tmp"C:\Users\Admin\AppData\Local\Temp\781E.tmp"41⤵
- Executes dropped EXE
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\788B.tmp"C:\Users\Admin\AppData\Local\Temp\788B.tmp"42⤵
- Executes dropped EXE
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\78D9.tmp"C:\Users\Admin\AppData\Local\Temp\78D9.tmp"43⤵
- Executes dropped EXE
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\7927.tmp"C:\Users\Admin\AppData\Local\Temp\7927.tmp"44⤵
- Executes dropped EXE
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\7995.tmp"C:\Users\Admin\AppData\Local\Temp\7995.tmp"45⤵
- Executes dropped EXE
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\79E3.tmp"C:\Users\Admin\AppData\Local\Temp\79E3.tmp"46⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\7A41.tmp"C:\Users\Admin\AppData\Local\Temp\7A41.tmp"47⤵
- Executes dropped EXE
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\7A8F.tmp"C:\Users\Admin\AppData\Local\Temp\7A8F.tmp"48⤵
- Executes dropped EXE
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\7ADD.tmp"C:\Users\Admin\AppData\Local\Temp\7ADD.tmp"49⤵
- Executes dropped EXE
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\7B3B.tmp"C:\Users\Admin\AppData\Local\Temp\7B3B.tmp"50⤵
- Executes dropped EXE
PID:676 -
C:\Users\Admin\AppData\Local\Temp\7B89.tmp"C:\Users\Admin\AppData\Local\Temp\7B89.tmp"51⤵
- Executes dropped EXE
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\7BE7.tmp"C:\Users\Admin\AppData\Local\Temp\7BE7.tmp"52⤵
- Executes dropped EXE
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\7C35.tmp"C:\Users\Admin\AppData\Local\Temp\7C35.tmp"53⤵
- Executes dropped EXE
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\7C83.tmp"C:\Users\Admin\AppData\Local\Temp\7C83.tmp"54⤵
- Executes dropped EXE
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"55⤵
- Executes dropped EXE
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"56⤵
- Executes dropped EXE
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"C:\Users\Admin\AppData\Local\Temp\7D6D.tmp"57⤵
- Executes dropped EXE
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"C:\Users\Admin\AppData\Local\Temp\7DBB.tmp"58⤵
- Executes dropped EXE
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\7E09.tmp"C:\Users\Admin\AppData\Local\Temp\7E09.tmp"59⤵
- Executes dropped EXE
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\7E58.tmp"C:\Users\Admin\AppData\Local\Temp\7E58.tmp"60⤵
- Executes dropped EXE
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\7EA6.tmp"C:\Users\Admin\AppData\Local\Temp\7EA6.tmp"61⤵
- Executes dropped EXE
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\7EF4.tmp"C:\Users\Admin\AppData\Local\Temp\7EF4.tmp"62⤵
- Executes dropped EXE
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\7F42.tmp"C:\Users\Admin\AppData\Local\Temp\7F42.tmp"63⤵
- Executes dropped EXE
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\7FA0.tmp"C:\Users\Admin\AppData\Local\Temp\7FA0.tmp"64⤵
- Executes dropped EXE
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\7FEE.tmp"C:\Users\Admin\AppData\Local\Temp\7FEE.tmp"65⤵
- Executes dropped EXE
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\804C.tmp"C:\Users\Admin\AppData\Local\Temp\804C.tmp"66⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\809A.tmp"C:\Users\Admin\AppData\Local\Temp\809A.tmp"67⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\80F7.tmp"C:\Users\Admin\AppData\Local\Temp\80F7.tmp"68⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\8146.tmp"C:\Users\Admin\AppData\Local\Temp\8146.tmp"69⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\8194.tmp"C:\Users\Admin\AppData\Local\Temp\8194.tmp"70⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\81E2.tmp"C:\Users\Admin\AppData\Local\Temp\81E2.tmp"71⤵PID:3620
-
C:\Users\Admin\AppData\Local\Temp\8230.tmp"C:\Users\Admin\AppData\Local\Temp\8230.tmp"72⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\829D.tmp"C:\Users\Admin\AppData\Local\Temp\829D.tmp"73⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\830B.tmp"C:\Users\Admin\AppData\Local\Temp\830B.tmp"74⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\8378.tmp"C:\Users\Admin\AppData\Local\Temp\8378.tmp"75⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\83F5.tmp"C:\Users\Admin\AppData\Local\Temp\83F5.tmp"76⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\8462.tmp"C:\Users\Admin\AppData\Local\Temp\8462.tmp"77⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\84DF.tmp"C:\Users\Admin\AppData\Local\Temp\84DF.tmp"78⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\857C.tmp"C:\Users\Admin\AppData\Local\Temp\857C.tmp"79⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\8618.tmp"C:\Users\Admin\AppData\Local\Temp\8618.tmp"80⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\86C4.tmp"C:\Users\Admin\AppData\Local\Temp\86C4.tmp"81⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\8760.tmp"C:\Users\Admin\AppData\Local\Temp\8760.tmp"82⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\882B.tmp"C:\Users\Admin\AppData\Local\Temp\882B.tmp"83⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\8889.tmp"C:\Users\Admin\AppData\Local\Temp\8889.tmp"84⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\8916.tmp"C:\Users\Admin\AppData\Local\Temp\8916.tmp"85⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\89D1.tmp"C:\Users\Admin\AppData\Local\Temp\89D1.tmp"86⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\8A2F.tmp"C:\Users\Admin\AppData\Local\Temp\8A2F.tmp"87⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\8ACB.tmp"C:\Users\Admin\AppData\Local\Temp\8ACB.tmp"88⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\8B58.tmp"C:\Users\Admin\AppData\Local\Temp\8B58.tmp"89⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\8BB5.tmp"C:\Users\Admin\AppData\Local\Temp\8BB5.tmp"90⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\8C13.tmp"C:\Users\Admin\AppData\Local\Temp\8C13.tmp"91⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\8C71.tmp"C:\Users\Admin\AppData\Local\Temp\8C71.tmp"92⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\8CCF.tmp"C:\Users\Admin\AppData\Local\Temp\8CCF.tmp"93⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"C:\Users\Admin\AppData\Local\Temp\8D3C.tmp"94⤵PID:836
-
C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"95⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\8DE8.tmp"C:\Users\Admin\AppData\Local\Temp\8DE8.tmp"96⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\8E46.tmp"C:\Users\Admin\AppData\Local\Temp\8E46.tmp"97⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\8EB3.tmp"C:\Users\Admin\AppData\Local\Temp\8EB3.tmp"98⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\8F20.tmp"C:\Users\Admin\AppData\Local\Temp\8F20.tmp"99⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\8F6F.tmp"C:\Users\Admin\AppData\Local\Temp\8F6F.tmp"100⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\8FCC.tmp"C:\Users\Admin\AppData\Local\Temp\8FCC.tmp"101⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\902A.tmp"C:\Users\Admin\AppData\Local\Temp\902A.tmp"102⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\9088.tmp"C:\Users\Admin\AppData\Local\Temp\9088.tmp"103⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\90E6.tmp"C:\Users\Admin\AppData\Local\Temp\90E6.tmp"104⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\9143.tmp"C:\Users\Admin\AppData\Local\Temp\9143.tmp"105⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\91A1.tmp"C:\Users\Admin\AppData\Local\Temp\91A1.tmp"106⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\91EF.tmp"C:\Users\Admin\AppData\Local\Temp\91EF.tmp"107⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\923D.tmp"C:\Users\Admin\AppData\Local\Temp\923D.tmp"108⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\928B.tmp"C:\Users\Admin\AppData\Local\Temp\928B.tmp"109⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\92E9.tmp"C:\Users\Admin\AppData\Local\Temp\92E9.tmp"110⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\9347.tmp"C:\Users\Admin\AppData\Local\Temp\9347.tmp"111⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\93A5.tmp"C:\Users\Admin\AppData\Local\Temp\93A5.tmp"112⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\9402.tmp"C:\Users\Admin\AppData\Local\Temp\9402.tmp"113⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\9451.tmp"C:\Users\Admin\AppData\Local\Temp\9451.tmp"114⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\94AE.tmp"C:\Users\Admin\AppData\Local\Temp\94AE.tmp"115⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\94FC.tmp"C:\Users\Admin\AppData\Local\Temp\94FC.tmp"116⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\954B.tmp"C:\Users\Admin\AppData\Local\Temp\954B.tmp"117⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\9599.tmp"C:\Users\Admin\AppData\Local\Temp\9599.tmp"118⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\95F6.tmp"C:\Users\Admin\AppData\Local\Temp\95F6.tmp"119⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\9654.tmp"C:\Users\Admin\AppData\Local\Temp\9654.tmp"120⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\96B2.tmp"C:\Users\Admin\AppData\Local\Temp\96B2.tmp"121⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\9710.tmp"C:\Users\Admin\AppData\Local\Temp\9710.tmp"122⤵PID:3332
-