Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/06/2024, 09:05
Static task
- static1: 1 signatures
Behavioral task
- behavioral1: Sample 2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe, Resource win7-20240220-en, 3 signatures, 150 seconds
Behavioral task
- behavioral2: Sample 2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe, Resource win10v2004-20240426-en, 2 signatures, 150 seconds
General
- Target: 2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe
- Size: 536KB
- MD5: 3355c5b157f98c45704b739e429e099b
- SHA1: 32689a4e4b4c407aeaba3df45ee2b6053a27c6b3
- SHA256: 59e6a0adb3c14b46fbb1d6f98cc0e34a793d4fe958577a8625306eb31ef2195f
- SHA512: fef0912fd32fdc7433536bb229f83993b094f08583d5216ee8a3e912cd7111de898636c80452bc78a23394a9029ae2f924ef5f29094cfd68ee9b0c9cf9ee3290
- SSDEEP: 12288:wU5rCOTeiUEm0mBgOwtxSCV5E24Q/x3IZxVJ0ZT9:wUQOJUEm0mBrwtxSC7T/dIRJ0ZT9
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-08_3355c5b157f98c45704b739e429e099b_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\413F.tmp"C:\Users\Admin\AppData\Local\Temp\413F.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\41BC.tmp"C:\Users\Admin\AppData\Local\Temp\41BC.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Users\Admin\AppData\Local\Temp\4258.tmp"C:\Users\Admin\AppData\Local\Temp\4258.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\42D5.tmp"C:\Users\Admin\AppData\Local\Temp\42D5.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\4371.tmp"C:\Users\Admin\AppData\Local\Temp\4371.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\43DF.tmp"C:\Users\Admin\AppData\Local\Temp\43DF.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\445C.tmp"C:\Users\Admin\AppData\Local\Temp\445C.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Users\Admin\AppData\Local\Temp\44C9.tmp"C:\Users\Admin\AppData\Local\Temp\44C9.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\4527.tmp"C:\Users\Admin\AppData\Local\Temp\4527.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\45A4.tmp"C:\Users\Admin\AppData\Local\Temp\45A4.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\4650.tmp"C:\Users\Admin\AppData\Local\Temp\4650.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\46BD.tmp"C:\Users\Admin\AppData\Local\Temp\46BD.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\472B.tmp"C:\Users\Admin\AppData\Local\Temp\472B.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\4788.tmp"C:\Users\Admin\AppData\Local\Temp\4788.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\47F6.tmp"C:\Users\Admin\AppData\Local\Temp\47F6.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\48A2.tmp"C:\Users\Admin\AppData\Local\Temp\48A2.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\492E.tmp"C:\Users\Admin\AppData\Local\Temp\492E.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\49AB.tmp"C:\Users\Admin\AppData\Local\Temp\49AB.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\4A38.tmp"C:\Users\Admin\AppData\Local\Temp\4A38.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\4AD4.tmp"C:\Users\Admin\AppData\Local\Temp\4AD4.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\4B51.tmp"C:\Users\Admin\AppData\Local\Temp\4B51.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\4BED.tmp"C:\Users\Admin\AppData\Local\Temp\4BED.tmp"23⤵
- Executes dropped EXE
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\4C5B.tmp"C:\Users\Admin\AppData\Local\Temp\4C5B.tmp"24⤵
- Executes dropped EXE
PID:744 -
C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"C:\Users\Admin\AppData\Local\Temp\4CC8.tmp"25⤵
- Executes dropped EXE
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\4D64.tmp"C:\Users\Admin\AppData\Local\Temp\4D64.tmp"26⤵
- Executes dropped EXE
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\4DD2.tmp"C:\Users\Admin\AppData\Local\Temp\4DD2.tmp"27⤵
- Executes dropped EXE
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"C:\Users\Admin\AppData\Local\Temp\4E4F.tmp"28⤵
- Executes dropped EXE
PID:3124 -
C:\Users\Admin\AppData\Local\Temp\4EBC.tmp"C:\Users\Admin\AppData\Local\Temp\4EBC.tmp"29⤵
- Executes dropped EXE
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\4F39.tmp"C:\Users\Admin\AppData\Local\Temp\4F39.tmp"30⤵
- Executes dropped EXE
PID:3168 -
C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"31⤵
- Executes dropped EXE
PID:212 -
C:\Users\Admin\AppData\Local\Temp\5033.tmp"C:\Users\Admin\AppData\Local\Temp\5033.tmp"32⤵
- Executes dropped EXE
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\50B0.tmp"C:\Users\Admin\AppData\Local\Temp\50B0.tmp"33⤵
- Executes dropped EXE
PID:4296 -
C:\Users\Admin\AppData\Local\Temp\513D.tmp"C:\Users\Admin\AppData\Local\Temp\513D.tmp"34⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\518B.tmp"C:\Users\Admin\AppData\Local\Temp\518B.tmp"35⤵
- Executes dropped EXE
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\51F8.tmp"C:\Users\Admin\AppData\Local\Temp\51F8.tmp"36⤵
- Executes dropped EXE
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\5256.tmp"C:\Users\Admin\AppData\Local\Temp\5256.tmp"37⤵
- Executes dropped EXE
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\52D3.tmp"C:\Users\Admin\AppData\Local\Temp\52D3.tmp"38⤵
- Executes dropped EXE
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\5321.tmp"C:\Users\Admin\AppData\Local\Temp\5321.tmp"39⤵
- Executes dropped EXE
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\536F.tmp"C:\Users\Admin\AppData\Local\Temp\536F.tmp"40⤵
- Executes dropped EXE
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\53BD.tmp"C:\Users\Admin\AppData\Local\Temp\53BD.tmp"41⤵
- Executes dropped EXE
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\540B.tmp"C:\Users\Admin\AppData\Local\Temp\540B.tmp"42⤵
- Executes dropped EXE
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\5479.tmp"C:\Users\Admin\AppData\Local\Temp\5479.tmp"43⤵
- Executes dropped EXE
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\54C7.tmp"C:\Users\Admin\AppData\Local\Temp\54C7.tmp"44⤵
- Executes dropped EXE
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\5534.tmp"C:\Users\Admin\AppData\Local\Temp\5534.tmp"45⤵
- Executes dropped EXE
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\55A2.tmp"C:\Users\Admin\AppData\Local\Temp\55A2.tmp"46⤵
- Executes dropped EXE
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\560F.tmp"C:\Users\Admin\AppData\Local\Temp\560F.tmp"47⤵
- Executes dropped EXE
PID:556 -
C:\Users\Admin\AppData\Local\Temp\568C.tmp"C:\Users\Admin\AppData\Local\Temp\568C.tmp"48⤵
- Executes dropped EXE
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\5709.tmp"C:\Users\Admin\AppData\Local\Temp\5709.tmp"49⤵
- Executes dropped EXE
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\5757.tmp"C:\Users\Admin\AppData\Local\Temp\5757.tmp"50⤵
- Executes dropped EXE
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\57A5.tmp"C:\Users\Admin\AppData\Local\Temp\57A5.tmp"51⤵
- Executes dropped EXE
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\5803.tmp"C:\Users\Admin\AppData\Local\Temp\5803.tmp"52⤵
- Executes dropped EXE
PID:468 -
C:\Users\Admin\AppData\Local\Temp\5861.tmp"C:\Users\Admin\AppData\Local\Temp\5861.tmp"53⤵
- Executes dropped EXE
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\58AF.tmp"C:\Users\Admin\AppData\Local\Temp\58AF.tmp"54⤵
- Executes dropped EXE
PID:2832 -
C:\Users\Admin\AppData\Local\Temp\591C.tmp"C:\Users\Admin\AppData\Local\Temp\591C.tmp"55⤵
- Executes dropped EXE
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\596A.tmp"C:\Users\Admin\AppData\Local\Temp\596A.tmp"56⤵
- Executes dropped EXE
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\59B9.tmp"C:\Users\Admin\AppData\Local\Temp\59B9.tmp"57⤵
- Executes dropped EXE
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\5A07.tmp"C:\Users\Admin\AppData\Local\Temp\5A07.tmp"58⤵
- Executes dropped EXE
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\5A64.tmp"C:\Users\Admin\AppData\Local\Temp\5A64.tmp"59⤵
- Executes dropped EXE
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"60⤵
- Executes dropped EXE
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\5B10.tmp"C:\Users\Admin\AppData\Local\Temp\5B10.tmp"61⤵
- Executes dropped EXE
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"C:\Users\Admin\AppData\Local\Temp\5B6E.tmp"62⤵
- Executes dropped EXE
PID:412 -
C:\Users\Admin\AppData\Local\Temp\5BBC.tmp"C:\Users\Admin\AppData\Local\Temp\5BBC.tmp"63⤵
- Executes dropped EXE
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\5C0A.tmp"C:\Users\Admin\AppData\Local\Temp\5C0A.tmp"64⤵
- Executes dropped EXE
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\5C58.tmp"C:\Users\Admin\AppData\Local\Temp\5C58.tmp"65⤵
- Executes dropped EXE
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"66⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\5D04.tmp"C:\Users\Admin\AppData\Local\Temp\5D04.tmp"67⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\5D52.tmp"C:\Users\Admin\AppData\Local\Temp\5D52.tmp"68⤵PID:516
-
C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"C:\Users\Admin\AppData\Local\Temp\5DB0.tmp"69⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\5DFE.tmp"C:\Users\Admin\AppData\Local\Temp\5DFE.tmp"70⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"C:\Users\Admin\AppData\Local\Temp\5E4C.tmp"71⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"C:\Users\Admin\AppData\Local\Temp\5E9B.tmp"72⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"C:\Users\Admin\AppData\Local\Temp\5EE9.tmp"73⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\5F37.tmp"C:\Users\Admin\AppData\Local\Temp\5F37.tmp"74⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\5F95.tmp"C:\Users\Admin\AppData\Local\Temp\5F95.tmp"75⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\5FE3.tmp"C:\Users\Admin\AppData\Local\Temp\5FE3.tmp"76⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\6031.tmp"C:\Users\Admin\AppData\Local\Temp\6031.tmp"77⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\608F.tmp"C:\Users\Admin\AppData\Local\Temp\608F.tmp"78⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\60EC.tmp"C:\Users\Admin\AppData\Local\Temp\60EC.tmp"79⤵PID:1336
-
C:\Users\Admin\AppData\Local\Temp\613A.tmp"C:\Users\Admin\AppData\Local\Temp\613A.tmp"80⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\6189.tmp"C:\Users\Admin\AppData\Local\Temp\6189.tmp"81⤵PID:832
-
C:\Users\Admin\AppData\Local\Temp\61D7.tmp"C:\Users\Admin\AppData\Local\Temp\61D7.tmp"82⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\6225.tmp"C:\Users\Admin\AppData\Local\Temp\6225.tmp"83⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\6273.tmp"C:\Users\Admin\AppData\Local\Temp\6273.tmp"84⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\62D1.tmp"C:\Users\Admin\AppData\Local\Temp\62D1.tmp"85⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\631F.tmp"C:\Users\Admin\AppData\Local\Temp\631F.tmp"86⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\637D.tmp"C:\Users\Admin\AppData\Local\Temp\637D.tmp"87⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\63DA.tmp"C:\Users\Admin\AppData\Local\Temp\63DA.tmp"88⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\6438.tmp"C:\Users\Admin\AppData\Local\Temp\6438.tmp"89⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\6486.tmp"C:\Users\Admin\AppData\Local\Temp\6486.tmp"90⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\64D4.tmp"C:\Users\Admin\AppData\Local\Temp\64D4.tmp"91⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\6522.tmp"C:\Users\Admin\AppData\Local\Temp\6522.tmp"92⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\6571.tmp"C:\Users\Admin\AppData\Local\Temp\6571.tmp"93⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\65CE.tmp"C:\Users\Admin\AppData\Local\Temp\65CE.tmp"94⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\662C.tmp"C:\Users\Admin\AppData\Local\Temp\662C.tmp"95⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\6699.tmp"C:\Users\Admin\AppData\Local\Temp\6699.tmp"96⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\66E8.tmp"C:\Users\Admin\AppData\Local\Temp\66E8.tmp"97⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\6736.tmp"C:\Users\Admin\AppData\Local\Temp\6736.tmp"98⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\6784.tmp"C:\Users\Admin\AppData\Local\Temp\6784.tmp"99⤵PID:3824
-
C:\Users\Admin\AppData\Local\Temp\67D2.tmp"C:\Users\Admin\AppData\Local\Temp\67D2.tmp"100⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\6820.tmp"C:\Users\Admin\AppData\Local\Temp\6820.tmp"101⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\687E.tmp"C:\Users\Admin\AppData\Local\Temp\687E.tmp"102⤵PID:3180
-
C:\Users\Admin\AppData\Local\Temp\68CC.tmp"C:\Users\Admin\AppData\Local\Temp\68CC.tmp"103⤵PID:64
-
C:\Users\Admin\AppData\Local\Temp\691A.tmp"C:\Users\Admin\AppData\Local\Temp\691A.tmp"104⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\6978.tmp"C:\Users\Admin\AppData\Local\Temp\6978.tmp"105⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\69C6.tmp"C:\Users\Admin\AppData\Local\Temp\69C6.tmp"106⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\6A14.tmp"C:\Users\Admin\AppData\Local\Temp\6A14.tmp"107⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\6A62.tmp"C:\Users\Admin\AppData\Local\Temp\6A62.tmp"108⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\6AC0.tmp"C:\Users\Admin\AppData\Local\Temp\6AC0.tmp"109⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\6B0E.tmp"C:\Users\Admin\AppData\Local\Temp\6B0E.tmp"110⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"C:\Users\Admin\AppData\Local\Temp\6B5C.tmp"111⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"C:\Users\Admin\AppData\Local\Temp\6BAA.tmp"112⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\6BF8.tmp"C:\Users\Admin\AppData\Local\Temp\6BF8.tmp"113⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\6C47.tmp"C:\Users\Admin\AppData\Local\Temp\6C47.tmp"114⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\6C95.tmp"C:\Users\Admin\AppData\Local\Temp\6C95.tmp"115⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"C:\Users\Admin\AppData\Local\Temp\6CE3.tmp"116⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\6D41.tmp"C:\Users\Admin\AppData\Local\Temp\6D41.tmp"117⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"118⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"119⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\6E2B.tmp"C:\Users\Admin\AppData\Local\Temp\6E2B.tmp"120⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\6E79.tmp"C:\Users\Admin\AppData\Local\Temp\6E79.tmp"121⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\6EC7.tmp"C:\Users\Admin\AppData\Local\Temp\6EC7.tmp"122⤵PID:4004
-