Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 04:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe
Resource
win7-20240508-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe
-
Size
529KB
-
MD5
cc5c57927960eb4207248a2c8e97dace
-
SHA1
65f25daea7125405ba6660ebbf29f56d87982ff8
-
SHA256
606bb894e4be71d4114f41caf6bf8f04269d79e7f8e0926fd8fd389fa80b0fe4
-
SHA512
cf0e8cd6dd390149ca7af882fb620c19865189157b3d1874db1bd491c02ac5b031f7046837e35fabdf59db289301bd7b14084200dcebe2fcce2e4926c01cfccb
-
SSDEEP
12288:NU5rCOTeij9LltnjCYw6M07ddtNbzvA2Z4UUMwSkfoVTZwlH4Hp:NUQOJjhjCgMODtNbzo2zwLfoVTSlH4Hp
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1808 38F2.tmp 4744 3950.tmp 760 39AD.tmp 1056 3A3A.tmp 1400 3AA7.tmp 4972 3B24.tmp 704 3B73.tmp 4888 3BF0.tmp 3888 3C5D.tmp 2280 3CAB.tmp 2064 3CF9.tmp 3296 3D47.tmp 1776 3DB5.tmp 756 3E22.tmp 3852 3E70.tmp 2032 3EED.tmp 1512 3F3B.tmp 2772 3FB8.tmp 4416 4026.tmp 620 4074.tmp 1992 40E1.tmp 4960 412F.tmp 4884 41AC.tmp 2744 420A.tmp 5104 4258.tmp 3572 42A6.tmp 1012 4314.tmp 4376 4362.tmp 3580 43C0.tmp 2364 440E.tmp 2804 445C.tmp 2020 44AA.tmp 2516 4508.tmp 2524 4565.tmp 4808 45B4.tmp 4172 4602.tmp 956 4650.tmp 1064 469E.tmp 4788 46EC.tmp 2300 474A.tmp 2588 47D6.tmp 4688 4844.tmp 3172 4892.tmp 4940 48E0.tmp 2436 492E.tmp 2956 497C.tmp 4368 49CA.tmp 760 4A28.tmp 1392 4A86.tmp 3444 4AE4.tmp 3476 4B41.tmp 1856 4B9F.tmp 2820 4BFD.tmp 2016 4C6A.tmp 4912 4CC8.tmp 3932 4D26.tmp 1084 4D84.tmp 2076 4DF1.tmp 4776 4E4F.tmp 2976 4EAC.tmp 2280 4F1A.tmp 3916 4F78.tmp 3212 4FD5.tmp 4148 5033.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 800 wrote to memory of 1808 800 2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe 82 PID 800 wrote to memory of 1808 800 2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe 82 PID 800 wrote to memory of 1808 800 2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe 82 PID 1808 wrote to memory of 4744 1808 38F2.tmp 83 PID 1808 wrote to memory of 4744 1808 38F2.tmp 83 PID 1808 wrote to memory of 4744 1808 38F2.tmp 83 PID 4744 wrote to memory of 760 4744 3950.tmp 84 PID 4744 wrote to memory of 760 4744 3950.tmp 84 PID 4744 wrote to memory of 760 4744 3950.tmp 84 PID 760 wrote to memory of 1056 760 39AD.tmp 87 PID 760 wrote to memory of 1056 760 39AD.tmp 87 PID 760 wrote to memory of 1056 760 39AD.tmp 87 PID 1056 wrote to memory of 1400 1056 3A3A.tmp 89 PID 1056 wrote to memory of 1400 1056 3A3A.tmp 89 PID 1056 wrote to memory of 1400 1056 3A3A.tmp 89 PID 1400 wrote to memory of 4972 1400 3AA7.tmp 90 PID 1400 wrote to memory of 4972 1400 3AA7.tmp 90 PID 1400 wrote to memory of 4972 1400 3AA7.tmp 90 PID 4972 wrote to memory of 704 4972 3B24.tmp 91 PID 4972 wrote to memory of 704 4972 3B24.tmp 91 PID 4972 wrote to memory of 704 4972 3B24.tmp 91 PID 704 wrote to memory of 4888 704 3B73.tmp 92 PID 704 wrote to memory of 4888 704 3B73.tmp 92 PID 704 wrote to memory of 4888 704 3B73.tmp 92 PID 4888 wrote to memory of 3888 4888 3BF0.tmp 93 PID 4888 wrote to memory of 3888 4888 3BF0.tmp 93 PID 4888 wrote to memory of 3888 4888 3BF0.tmp 93 PID 3888 wrote to memory of 2280 3888 3C5D.tmp 94 PID 3888 wrote to memory of 2280 3888 3C5D.tmp 94 PID 3888 wrote to memory of 2280 3888 3C5D.tmp 94 PID 2280 wrote to memory of 2064 2280 3CAB.tmp 95 PID 2280 wrote to memory of 2064 2280 3CAB.tmp 95 PID 2280 wrote to memory of 2064 2280 3CAB.tmp 95 PID 2064 wrote to memory of 3296 2064 3CF9.tmp 96 PID 2064 wrote to memory of 3296 2064 3CF9.tmp 96 PID 2064 wrote to memory of 3296 2064 3CF9.tmp 96 PID 3296 wrote to memory of 1776 3296 3D47.tmp 97 PID 3296 wrote to memory of 1776 3296 3D47.tmp 97 PID 3296 wrote to memory of 1776 3296 3D47.tmp 97 PID 1776 wrote to memory of 756 1776 3DB5.tmp 98 PID 1776 wrote to memory of 756 1776 3DB5.tmp 98 PID 1776 wrote to memory of 756 1776 3DB5.tmp 98 PID 756 wrote to memory of 3852 756 3E22.tmp 99 PID 756 wrote to memory of 3852 756 3E22.tmp 99 PID 756 wrote to memory of 3852 756 3E22.tmp 99 PID 3852 wrote to memory of 2032 3852 3E70.tmp 100 PID 3852 wrote to memory of 2032 3852 3E70.tmp 100 PID 3852 wrote to memory of 2032 3852 3E70.tmp 100 PID 2032 wrote to memory of 1512 2032 3EED.tmp 101 PID 2032 wrote to memory of 1512 2032 3EED.tmp 101 PID 2032 wrote to memory of 1512 2032 3EED.tmp 101 PID 1512 wrote to memory of 2772 1512 3F3B.tmp 102 PID 1512 wrote to memory of 2772 1512 3F3B.tmp 102 PID 1512 wrote to memory of 2772 1512 3F3B.tmp 102 PID 2772 wrote to memory of 4416 2772 3FB8.tmp 103 PID 2772 wrote to memory of 4416 2772 3FB8.tmp 103 PID 2772 wrote to memory of 4416 2772 3FB8.tmp 103 PID 4416 wrote to memory of 620 4416 4026.tmp 104 PID 4416 wrote to memory of 620 4416 4026.tmp 104 PID 4416 wrote to memory of 620 4416 4026.tmp 104 PID 620 wrote to memory of 1992 620 4074.tmp 105 PID 620 wrote to memory of 1992 620 4074.tmp 105 PID 620 wrote to memory of 1992 620 4074.tmp 105 PID 1992 wrote to memory of 4960 1992 40E1.tmp 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_cc5c57927960eb4207248a2c8e97dace_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Users\Admin\AppData\Local\Temp\38F2.tmp"C:\Users\Admin\AppData\Local\Temp\38F2.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\3950.tmp"C:\Users\Admin\AppData\Local\Temp\3950.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\39AD.tmp"C:\Users\Admin\AppData\Local\Temp\39AD.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Local\Temp\3A3A.tmp"C:\Users\Admin\AppData\Local\Temp\3A3A.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\3AA7.tmp"C:\Users\Admin\AppData\Local\Temp\3AA7.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\3B24.tmp"C:\Users\Admin\AppData\Local\Temp\3B24.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\3B73.tmp"C:\Users\Admin\AppData\Local\Temp\3B73.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Users\Admin\AppData\Local\Temp\3BF0.tmp"C:\Users\Admin\AppData\Local\Temp\3BF0.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\3C5D.tmp"C:\Users\Admin\AppData\Local\Temp\3C5D.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\3CAB.tmp"C:\Users\Admin\AppData\Local\Temp\3CAB.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\3CF9.tmp"C:\Users\Admin\AppData\Local\Temp\3CF9.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\3D47.tmp"C:\Users\Admin\AppData\Local\Temp\3D47.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\3DB5.tmp"C:\Users\Admin\AppData\Local\Temp\3DB5.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\3E22.tmp"C:\Users\Admin\AppData\Local\Temp\3E22.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\3E70.tmp"C:\Users\Admin\AppData\Local\Temp\3E70.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\3EED.tmp"C:\Users\Admin\AppData\Local\Temp\3EED.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\3F3B.tmp"C:\Users\Admin\AppData\Local\Temp\3F3B.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\3FB8.tmp"C:\Users\Admin\AppData\Local\Temp\3FB8.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\4026.tmp"C:\Users\Admin\AppData\Local\Temp\4026.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\4074.tmp"C:\Users\Admin\AppData\Local\Temp\4074.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Users\Admin\AppData\Local\Temp\40E1.tmp"C:\Users\Admin\AppData\Local\Temp\40E1.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\412F.tmp"C:\Users\Admin\AppData\Local\Temp\412F.tmp"23⤵
- Executes dropped EXE
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\41AC.tmp"C:\Users\Admin\AppData\Local\Temp\41AC.tmp"24⤵
- Executes dropped EXE
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\420A.tmp"C:\Users\Admin\AppData\Local\Temp\420A.tmp"25⤵
- Executes dropped EXE
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\4258.tmp"C:\Users\Admin\AppData\Local\Temp\4258.tmp"26⤵
- Executes dropped EXE
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\42A6.tmp"C:\Users\Admin\AppData\Local\Temp\42A6.tmp"27⤵
- Executes dropped EXE
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\4314.tmp"C:\Users\Admin\AppData\Local\Temp\4314.tmp"28⤵
- Executes dropped EXE
PID:1012 -
C:\Users\Admin\AppData\Local\Temp\4362.tmp"C:\Users\Admin\AppData\Local\Temp\4362.tmp"29⤵
- Executes dropped EXE
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\43C0.tmp"C:\Users\Admin\AppData\Local\Temp\43C0.tmp"30⤵
- Executes dropped EXE
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\440E.tmp"C:\Users\Admin\AppData\Local\Temp\440E.tmp"31⤵
- Executes dropped EXE
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\445C.tmp"C:\Users\Admin\AppData\Local\Temp\445C.tmp"32⤵
- Executes dropped EXE
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\44AA.tmp"C:\Users\Admin\AppData\Local\Temp\44AA.tmp"33⤵
- Executes dropped EXE
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\4508.tmp"C:\Users\Admin\AppData\Local\Temp\4508.tmp"34⤵
- Executes dropped EXE
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\4565.tmp"C:\Users\Admin\AppData\Local\Temp\4565.tmp"35⤵
- Executes dropped EXE
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\45B4.tmp"C:\Users\Admin\AppData\Local\Temp\45B4.tmp"36⤵
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\4602.tmp"C:\Users\Admin\AppData\Local\Temp\4602.tmp"37⤵
- Executes dropped EXE
PID:4172 -
C:\Users\Admin\AppData\Local\Temp\4650.tmp"C:\Users\Admin\AppData\Local\Temp\4650.tmp"38⤵
- Executes dropped EXE
PID:956 -
C:\Users\Admin\AppData\Local\Temp\469E.tmp"C:\Users\Admin\AppData\Local\Temp\469E.tmp"39⤵
- Executes dropped EXE
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\46EC.tmp"C:\Users\Admin\AppData\Local\Temp\46EC.tmp"40⤵
- Executes dropped EXE
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\474A.tmp"C:\Users\Admin\AppData\Local\Temp\474A.tmp"41⤵
- Executes dropped EXE
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\47D6.tmp"C:\Users\Admin\AppData\Local\Temp\47D6.tmp"42⤵
- Executes dropped EXE
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\4844.tmp"C:\Users\Admin\AppData\Local\Temp\4844.tmp"43⤵
- Executes dropped EXE
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\4892.tmp"C:\Users\Admin\AppData\Local\Temp\4892.tmp"44⤵
- Executes dropped EXE
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\48E0.tmp"C:\Users\Admin\AppData\Local\Temp\48E0.tmp"45⤵
- Executes dropped EXE
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\492E.tmp"C:\Users\Admin\AppData\Local\Temp\492E.tmp"46⤵
- Executes dropped EXE
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\497C.tmp"C:\Users\Admin\AppData\Local\Temp\497C.tmp"47⤵
- Executes dropped EXE
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\49CA.tmp"C:\Users\Admin\AppData\Local\Temp\49CA.tmp"48⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\4A28.tmp"C:\Users\Admin\AppData\Local\Temp\4A28.tmp"49⤵
- Executes dropped EXE
PID:760 -
C:\Users\Admin\AppData\Local\Temp\4A86.tmp"C:\Users\Admin\AppData\Local\Temp\4A86.tmp"50⤵
- Executes dropped EXE
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\4AE4.tmp"C:\Users\Admin\AppData\Local\Temp\4AE4.tmp"51⤵
- Executes dropped EXE
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\4B41.tmp"C:\Users\Admin\AppData\Local\Temp\4B41.tmp"52⤵
- Executes dropped EXE
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"53⤵
- Executes dropped EXE
PID:1856 -
C:\Users\Admin\AppData\Local\Temp\4BFD.tmp"C:\Users\Admin\AppData\Local\Temp\4BFD.tmp"54⤵
- Executes dropped EXE
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\4C6A.tmp"C:\Users\Admin\AppData\Local\Temp\4C6A.tmp"55⤵
- Executes dropped EXE
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"56⤵
- Executes dropped EXE
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\4D26.tmp"C:\Users\Admin\AppData\Local\Temp\4D26.tmp"57⤵
- Executes dropped EXE
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\4D84.tmp"C:\Users\Admin\AppData\Local\Temp\4D84.tmp"58⤵
- Executes dropped EXE
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\4DF1.tmp"C:\Users\Admin\AppData\Local\Temp\4DF1.tmp"59⤵
- Executes dropped EXE
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"60⤵
- Executes dropped EXE
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"C:\Users\Admin\AppData\Local\Temp\4EAC.tmp"61⤵
- Executes dropped EXE
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"C:\Users\Admin\AppData\Local\Temp\4F1A.tmp"62⤵
- Executes dropped EXE
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\4F78.tmp"C:\Users\Admin\AppData\Local\Temp\4F78.tmp"63⤵
- Executes dropped EXE
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\4FD5.tmp"C:\Users\Admin\AppData\Local\Temp\4FD5.tmp"64⤵
- Executes dropped EXE
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\5033.tmp"C:\Users\Admin\AppData\Local\Temp\5033.tmp"65⤵
- Executes dropped EXE
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\5091.tmp"C:\Users\Admin\AppData\Local\Temp\5091.tmp"66⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\50EF.tmp"C:\Users\Admin\AppData\Local\Temp\50EF.tmp"67⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\513D.tmp"C:\Users\Admin\AppData\Local\Temp\513D.tmp"68⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\519A.tmp"C:\Users\Admin\AppData\Local\Temp\519A.tmp"69⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\51F8.tmp"C:\Users\Admin\AppData\Local\Temp\51F8.tmp"70⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\5256.tmp"C:\Users\Admin\AppData\Local\Temp\5256.tmp"71⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\52B4.tmp"C:\Users\Admin\AppData\Local\Temp\52B4.tmp"72⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\5311.tmp"C:\Users\Admin\AppData\Local\Temp\5311.tmp"73⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\5360.tmp"C:\Users\Admin\AppData\Local\Temp\5360.tmp"74⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\53AE.tmp"C:\Users\Admin\AppData\Local\Temp\53AE.tmp"75⤵PID:3488
-
C:\Users\Admin\AppData\Local\Temp\540B.tmp"C:\Users\Admin\AppData\Local\Temp\540B.tmp"76⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\5469.tmp"C:\Users\Admin\AppData\Local\Temp\5469.tmp"77⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\54B7.tmp"C:\Users\Admin\AppData\Local\Temp\54B7.tmp"78⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\5515.tmp"C:\Users\Admin\AppData\Local\Temp\5515.tmp"79⤵PID:908
-
C:\Users\Admin\AppData\Local\Temp\5573.tmp"C:\Users\Admin\AppData\Local\Temp\5573.tmp"80⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\55D1.tmp"C:\Users\Admin\AppData\Local\Temp\55D1.tmp"81⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\562E.tmp"C:\Users\Admin\AppData\Local\Temp\562E.tmp"82⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\568C.tmp"C:\Users\Admin\AppData\Local\Temp\568C.tmp"83⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\56DA.tmp"C:\Users\Admin\AppData\Local\Temp\56DA.tmp"84⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\5738.tmp"C:\Users\Admin\AppData\Local\Temp\5738.tmp"85⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\5796.tmp"C:\Users\Admin\AppData\Local\Temp\5796.tmp"86⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\57F3.tmp"C:\Users\Admin\AppData\Local\Temp\57F3.tmp"87⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\5851.tmp"C:\Users\Admin\AppData\Local\Temp\5851.tmp"88⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\589F.tmp"C:\Users\Admin\AppData\Local\Temp\589F.tmp"89⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\58FD.tmp"C:\Users\Admin\AppData\Local\Temp\58FD.tmp"90⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\595B.tmp"C:\Users\Admin\AppData\Local\Temp\595B.tmp"91⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\59A9.tmp"C:\Users\Admin\AppData\Local\Temp\59A9.tmp"92⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\59F7.tmp"C:\Users\Admin\AppData\Local\Temp\59F7.tmp"93⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\5A55.tmp"C:\Users\Admin\AppData\Local\Temp\5A55.tmp"94⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"95⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\5B10.tmp"C:\Users\Admin\AppData\Local\Temp\5B10.tmp"96⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"97⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\5BCC.tmp"C:\Users\Admin\AppData\Local\Temp\5BCC.tmp"98⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp"C:\Users\Admin\AppData\Local\Temp\5C2A.tmp"99⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\5C78.tmp"C:\Users\Admin\AppData\Local\Temp\5C78.tmp"100⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\5CD5.tmp"C:\Users\Admin\AppData\Local\Temp\5CD5.tmp"101⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\5D33.tmp"C:\Users\Admin\AppData\Local\Temp\5D33.tmp"102⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\5D91.tmp"C:\Users\Admin\AppData\Local\Temp\5D91.tmp"103⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\5DDF.tmp"C:\Users\Admin\AppData\Local\Temp\5DDF.tmp"104⤵PID:660
-
C:\Users\Admin\AppData\Local\Temp\5E2D.tmp"C:\Users\Admin\AppData\Local\Temp\5E2D.tmp"105⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"106⤵PID:3656
-
C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"107⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\5F46.tmp"C:\Users\Admin\AppData\Local\Temp\5F46.tmp"108⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\5F95.tmp"C:\Users\Admin\AppData\Local\Temp\5F95.tmp"109⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"C:\Users\Admin\AppData\Local\Temp\5FF2.tmp"110⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\6050.tmp"C:\Users\Admin\AppData\Local\Temp\6050.tmp"111⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\609E.tmp"C:\Users\Admin\AppData\Local\Temp\609E.tmp"112⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\60FC.tmp"C:\Users\Admin\AppData\Local\Temp\60FC.tmp"113⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\614A.tmp"C:\Users\Admin\AppData\Local\Temp\614A.tmp"114⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\61A8.tmp"C:\Users\Admin\AppData\Local\Temp\61A8.tmp"115⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\61F6.tmp"C:\Users\Admin\AppData\Local\Temp\61F6.tmp"116⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\6244.tmp"C:\Users\Admin\AppData\Local\Temp\6244.tmp"117⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\62A2.tmp"C:\Users\Admin\AppData\Local\Temp\62A2.tmp"118⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\62F0.tmp"C:\Users\Admin\AppData\Local\Temp\62F0.tmp"119⤵PID:3296
-
C:\Users\Admin\AppData\Local\Temp\634E.tmp"C:\Users\Admin\AppData\Local\Temp\634E.tmp"120⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\639C.tmp"C:\Users\Admin\AppData\Local\Temp\639C.tmp"121⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\63EA.tmp"C:\Users\Admin\AppData\Local\Temp\63EA.tmp"122⤵PID:1592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-