Analysis
-
max time kernel
144s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/06/2024, 07:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe
Resource
win10v2004-20240426-en
2 signatures
150 seconds
General
-
Target
2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe
-
Size
520KB
-
MD5
648b8e16082d97271ac42388aa5edbab
-
SHA1
4381f4a6e2fd1eeffed11c8f1e5c93e6e0990ca7
-
SHA256
5bdac43f30db0105c111d02043a63fbc7c75e759ea623bd5ec3c9bd4eaf97f2a
-
SHA512
05e35a08ec4323884c7b93bfcb3a2a21af3bbb7cbdab5f9fe3e398a1cfb2847caefba41a3c8c9a49a4cde91230fb6a2baf63ffb624def287147fab08397eab22
-
SSDEEP
12288:roRXOQjmOyTJfgpDYoF4rIrIVHJjsmwaZNZ:rogQ9yTJBsi5phsmpN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 5848 3009.tmp 712 3066.tmp 2416 30B5.tmp 4164 3132.tmp 932 3180.tmp 5372 31CE.tmp 4968 322C.tmp 5732 3289.tmp 3912 32E7.tmp 5416 3335.tmp 4588 3393.tmp 4004 33F1.tmp 5232 343F.tmp 4944 349D.tmp 5280 34FA.tmp 3228 3548.tmp 5336 35A6.tmp 3316 35F4.tmp 3300 3652.tmp 4140 36B0.tmp 4512 370E.tmp 1440 375C.tmp 1428 37AA.tmp 2720 3817.tmp 2408 3875.tmp 3392 38C3.tmp 4828 3911.tmp 5448 395F.tmp 5824 39CD.tmp 5236 3A1B.tmp 3944 3A69.tmp 5704 3AC7.tmp 3676 3B24.tmp 2940 3B73.tmp 5084 3BC1.tmp 5612 3C0F.tmp 1644 3C5D.tmp 780 3CAB.tmp 2648 3CF9.tmp 5212 3D47.tmp 3488 3D86.tmp 4324 3DD4.tmp 100 3E22.tmp 3772 3E80.tmp 3184 3ECE.tmp 1344 3F2C.tmp 740 3F7A.tmp 4508 3FC8.tmp 2016 4016.tmp 1672 4093.tmp 4736 4120.tmp 1688 418D.tmp 3908 4268.tmp 2336 42F4.tmp 2884 4381.tmp 5124 43CF.tmp 1920 441D.tmp 5508 447B.tmp 3192 44D9.tmp 5536 4537.tmp 2300 4594.tmp 4408 45F2.tmp 2424 4650.tmp 1004 46AE.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2724 wrote to memory of 5848 2724 2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe 81 PID 2724 wrote to memory of 5848 2724 2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe 81 PID 2724 wrote to memory of 5848 2724 2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe 81 PID 5848 wrote to memory of 712 5848 3009.tmp 83 PID 5848 wrote to memory of 712 5848 3009.tmp 83 PID 5848 wrote to memory of 712 5848 3009.tmp 83 PID 712 wrote to memory of 2416 712 3066.tmp 85 PID 712 wrote to memory of 2416 712 3066.tmp 85 PID 712 wrote to memory of 2416 712 3066.tmp 85 PID 2416 wrote to memory of 4164 2416 30B5.tmp 87 PID 2416 wrote to memory of 4164 2416 30B5.tmp 87 PID 2416 wrote to memory of 4164 2416 30B5.tmp 87 PID 4164 wrote to memory of 932 4164 3132.tmp 88 PID 4164 wrote to memory of 932 4164 3132.tmp 88 PID 4164 wrote to memory of 932 4164 3132.tmp 88 PID 932 wrote to memory of 5372 932 3180.tmp 89 PID 932 wrote to memory of 5372 932 3180.tmp 89 PID 932 wrote to memory of 5372 932 3180.tmp 89 PID 5372 wrote to memory of 4968 5372 31CE.tmp 90 PID 5372 wrote to memory of 4968 5372 31CE.tmp 90 PID 5372 wrote to memory of 4968 5372 31CE.tmp 90 PID 4968 wrote to memory of 5732 4968 322C.tmp 91 PID 4968 wrote to memory of 5732 4968 322C.tmp 91 PID 4968 wrote to memory of 5732 4968 322C.tmp 91 PID 5732 wrote to memory of 3912 5732 3289.tmp 92 PID 5732 wrote to memory of 3912 5732 3289.tmp 92 PID 5732 wrote to memory of 3912 5732 3289.tmp 92 PID 3912 wrote to memory of 5416 3912 32E7.tmp 93 PID 3912 wrote to memory of 5416 3912 32E7.tmp 93 PID 3912 wrote to memory of 5416 3912 32E7.tmp 93 PID 5416 wrote to memory of 4588 5416 3335.tmp 94 PID 5416 wrote to memory of 4588 5416 3335.tmp 94 PID 5416 wrote to memory of 4588 5416 3335.tmp 94 PID 4588 wrote to memory of 4004 4588 3393.tmp 95 PID 4588 wrote to memory of 4004 4588 3393.tmp 95 PID 4588 wrote to memory of 4004 4588 3393.tmp 95 PID 4004 wrote to memory of 5232 4004 33F1.tmp 96 PID 4004 wrote to memory of 5232 4004 33F1.tmp 96 PID 4004 wrote to memory of 5232 4004 33F1.tmp 96 PID 5232 wrote to memory of 4944 5232 343F.tmp 97 PID 5232 wrote to memory of 4944 5232 343F.tmp 97 PID 5232 wrote to memory of 4944 5232 343F.tmp 97 PID 4944 wrote to memory of 5280 4944 349D.tmp 98 PID 4944 wrote to memory of 5280 4944 349D.tmp 98 PID 4944 wrote to memory of 5280 4944 349D.tmp 98 PID 5280 wrote to memory of 3228 5280 34FA.tmp 99 PID 5280 wrote to memory of 3228 5280 34FA.tmp 99 PID 5280 wrote to memory of 3228 5280 34FA.tmp 99 PID 3228 wrote to memory of 5336 3228 3548.tmp 100 PID 3228 wrote to memory of 5336 3228 3548.tmp 100 PID 3228 wrote to memory of 5336 3228 3548.tmp 100 PID 5336 wrote to memory of 3316 5336 35A6.tmp 101 PID 5336 wrote to memory of 3316 5336 35A6.tmp 101 PID 5336 wrote to memory of 3316 5336 35A6.tmp 101 PID 3316 wrote to memory of 3300 3316 35F4.tmp 102 PID 3316 wrote to memory of 3300 3316 35F4.tmp 102 PID 3316 wrote to memory of 3300 3316 35F4.tmp 102 PID 3300 wrote to memory of 4140 3300 3652.tmp 103 PID 3300 wrote to memory of 4140 3300 3652.tmp 103 PID 3300 wrote to memory of 4140 3300 3652.tmp 103 PID 4140 wrote to memory of 4512 4140 36B0.tmp 104 PID 4140 wrote to memory of 4512 4140 36B0.tmp 104 PID 4140 wrote to memory of 4512 4140 36B0.tmp 104 PID 4512 wrote to memory of 1440 4512 370E.tmp 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-09_648b8e16082d97271ac42388aa5edbab_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\3009.tmp"C:\Users\Admin\AppData\Local\Temp\3009.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5848 -
C:\Users\Admin\AppData\Local\Temp\3066.tmp"C:\Users\Admin\AppData\Local\Temp\3066.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Users\Admin\AppData\Local\Temp\30B5.tmp"C:\Users\Admin\AppData\Local\Temp\30B5.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\3132.tmp"C:\Users\Admin\AppData\Local\Temp\3132.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\3180.tmp"C:\Users\Admin\AppData\Local\Temp\3180.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Users\Admin\AppData\Local\Temp\31CE.tmp"C:\Users\Admin\AppData\Local\Temp\31CE.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5372 -
C:\Users\Admin\AppData\Local\Temp\322C.tmp"C:\Users\Admin\AppData\Local\Temp\322C.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\3289.tmp"C:\Users\Admin\AppData\Local\Temp\3289.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5732 -
C:\Users\Admin\AppData\Local\Temp\32E7.tmp"C:\Users\Admin\AppData\Local\Temp\32E7.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\3335.tmp"C:\Users\Admin\AppData\Local\Temp\3335.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5416 -
C:\Users\Admin\AppData\Local\Temp\3393.tmp"C:\Users\Admin\AppData\Local\Temp\3393.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\33F1.tmp"C:\Users\Admin\AppData\Local\Temp\33F1.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\343F.tmp"C:\Users\Admin\AppData\Local\Temp\343F.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5232 -
C:\Users\Admin\AppData\Local\Temp\349D.tmp"C:\Users\Admin\AppData\Local\Temp\349D.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\34FA.tmp"C:\Users\Admin\AppData\Local\Temp\34FA.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5280 -
C:\Users\Admin\AppData\Local\Temp\3548.tmp"C:\Users\Admin\AppData\Local\Temp\3548.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\35A6.tmp"C:\Users\Admin\AppData\Local\Temp\35A6.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5336 -
C:\Users\Admin\AppData\Local\Temp\35F4.tmp"C:\Users\Admin\AppData\Local\Temp\35F4.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\3652.tmp"C:\Users\Admin\AppData\Local\Temp\3652.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\36B0.tmp"C:\Users\Admin\AppData\Local\Temp\36B0.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\370E.tmp"C:\Users\Admin\AppData\Local\Temp\370E.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\375C.tmp"C:\Users\Admin\AppData\Local\Temp\375C.tmp"23⤵
- Executes dropped EXE
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\37AA.tmp"C:\Users\Admin\AppData\Local\Temp\37AA.tmp"24⤵
- Executes dropped EXE
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\3817.tmp"C:\Users\Admin\AppData\Local\Temp\3817.tmp"25⤵
- Executes dropped EXE
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\3875.tmp"C:\Users\Admin\AppData\Local\Temp\3875.tmp"26⤵
- Executes dropped EXE
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\38C3.tmp"C:\Users\Admin\AppData\Local\Temp\38C3.tmp"27⤵
- Executes dropped EXE
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\3911.tmp"C:\Users\Admin\AppData\Local\Temp\3911.tmp"28⤵
- Executes dropped EXE
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\395F.tmp"C:\Users\Admin\AppData\Local\Temp\395F.tmp"29⤵
- Executes dropped EXE
PID:5448 -
C:\Users\Admin\AppData\Local\Temp\39CD.tmp"C:\Users\Admin\AppData\Local\Temp\39CD.tmp"30⤵
- Executes dropped EXE
PID:5824 -
C:\Users\Admin\AppData\Local\Temp\3A1B.tmp"C:\Users\Admin\AppData\Local\Temp\3A1B.tmp"31⤵
- Executes dropped EXE
PID:5236 -
C:\Users\Admin\AppData\Local\Temp\3A69.tmp"C:\Users\Admin\AppData\Local\Temp\3A69.tmp"32⤵
- Executes dropped EXE
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\3AC7.tmp"C:\Users\Admin\AppData\Local\Temp\3AC7.tmp"33⤵
- Executes dropped EXE
PID:5704 -
C:\Users\Admin\AppData\Local\Temp\3B24.tmp"C:\Users\Admin\AppData\Local\Temp\3B24.tmp"34⤵
- Executes dropped EXE
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\3B73.tmp"C:\Users\Admin\AppData\Local\Temp\3B73.tmp"35⤵
- Executes dropped EXE
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\3BC1.tmp"C:\Users\Admin\AppData\Local\Temp\3BC1.tmp"36⤵
- Executes dropped EXE
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\3C0F.tmp"C:\Users\Admin\AppData\Local\Temp\3C0F.tmp"37⤵
- Executes dropped EXE
PID:5612 -
C:\Users\Admin\AppData\Local\Temp\3C5D.tmp"C:\Users\Admin\AppData\Local\Temp\3C5D.tmp"38⤵
- Executes dropped EXE
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\3CAB.tmp"C:\Users\Admin\AppData\Local\Temp\3CAB.tmp"39⤵
- Executes dropped EXE
PID:780 -
C:\Users\Admin\AppData\Local\Temp\3CF9.tmp"C:\Users\Admin\AppData\Local\Temp\3CF9.tmp"40⤵
- Executes dropped EXE
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\3D47.tmp"C:\Users\Admin\AppData\Local\Temp\3D47.tmp"41⤵
- Executes dropped EXE
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\3D86.tmp"C:\Users\Admin\AppData\Local\Temp\3D86.tmp"42⤵
- Executes dropped EXE
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\3DD4.tmp"C:\Users\Admin\AppData\Local\Temp\3DD4.tmp"43⤵
- Executes dropped EXE
PID:4324 -
C:\Users\Admin\AppData\Local\Temp\3E22.tmp"C:\Users\Admin\AppData\Local\Temp\3E22.tmp"44⤵
- Executes dropped EXE
PID:100 -
C:\Users\Admin\AppData\Local\Temp\3E80.tmp"C:\Users\Admin\AppData\Local\Temp\3E80.tmp"45⤵
- Executes dropped EXE
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\3ECE.tmp"C:\Users\Admin\AppData\Local\Temp\3ECE.tmp"46⤵
- Executes dropped EXE
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\3F2C.tmp"C:\Users\Admin\AppData\Local\Temp\3F2C.tmp"47⤵
- Executes dropped EXE
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\3F7A.tmp"C:\Users\Admin\AppData\Local\Temp\3F7A.tmp"48⤵
- Executes dropped EXE
PID:740 -
C:\Users\Admin\AppData\Local\Temp\3FC8.tmp"C:\Users\Admin\AppData\Local\Temp\3FC8.tmp"49⤵
- Executes dropped EXE
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\4016.tmp"C:\Users\Admin\AppData\Local\Temp\4016.tmp"50⤵
- Executes dropped EXE
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\4093.tmp"C:\Users\Admin\AppData\Local\Temp\4093.tmp"51⤵
- Executes dropped EXE
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\4120.tmp"C:\Users\Admin\AppData\Local\Temp\4120.tmp"52⤵
- Executes dropped EXE
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\418D.tmp"C:\Users\Admin\AppData\Local\Temp\418D.tmp"53⤵
- Executes dropped EXE
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\4268.tmp"C:\Users\Admin\AppData\Local\Temp\4268.tmp"54⤵
- Executes dropped EXE
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\42F4.tmp"C:\Users\Admin\AppData\Local\Temp\42F4.tmp"55⤵
- Executes dropped EXE
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\4381.tmp"C:\Users\Admin\AppData\Local\Temp\4381.tmp"56⤵
- Executes dropped EXE
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\43CF.tmp"C:\Users\Admin\AppData\Local\Temp\43CF.tmp"57⤵
- Executes dropped EXE
PID:5124 -
C:\Users\Admin\AppData\Local\Temp\441D.tmp"C:\Users\Admin\AppData\Local\Temp\441D.tmp"58⤵
- Executes dropped EXE
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\447B.tmp"C:\Users\Admin\AppData\Local\Temp\447B.tmp"59⤵
- Executes dropped EXE
PID:5508 -
C:\Users\Admin\AppData\Local\Temp\44D9.tmp"C:\Users\Admin\AppData\Local\Temp\44D9.tmp"60⤵
- Executes dropped EXE
PID:3192 -
C:\Users\Admin\AppData\Local\Temp\4537.tmp"C:\Users\Admin\AppData\Local\Temp\4537.tmp"61⤵
- Executes dropped EXE
PID:5536 -
C:\Users\Admin\AppData\Local\Temp\4594.tmp"C:\Users\Admin\AppData\Local\Temp\4594.tmp"62⤵
- Executes dropped EXE
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\45F2.tmp"C:\Users\Admin\AppData\Local\Temp\45F2.tmp"63⤵
- Executes dropped EXE
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\4650.tmp"C:\Users\Admin\AppData\Local\Temp\4650.tmp"64⤵
- Executes dropped EXE
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\46AE.tmp"C:\Users\Admin\AppData\Local\Temp\46AE.tmp"65⤵
- Executes dropped EXE
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\471B.tmp"C:\Users\Admin\AppData\Local\Temp\471B.tmp"66⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\4779.tmp"C:\Users\Admin\AppData\Local\Temp\4779.tmp"67⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\47D6.tmp"C:\Users\Admin\AppData\Local\Temp\47D6.tmp"68⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\4844.tmp"C:\Users\Admin\AppData\Local\Temp\4844.tmp"69⤵PID:6000
-
C:\Users\Admin\AppData\Local\Temp\48A2.tmp"C:\Users\Admin\AppData\Local\Temp\48A2.tmp"70⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\48FF.tmp"C:\Users\Admin\AppData\Local\Temp\48FF.tmp"71⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\495D.tmp"C:\Users\Admin\AppData\Local\Temp\495D.tmp"72⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\49CA.tmp"C:\Users\Admin\AppData\Local\Temp\49CA.tmp"73⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\4A19.tmp"C:\Users\Admin\AppData\Local\Temp\4A19.tmp"74⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\4A76.tmp"C:\Users\Admin\AppData\Local\Temp\4A76.tmp"75⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\4AC4.tmp"C:\Users\Admin\AppData\Local\Temp\4AC4.tmp"76⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\4B13.tmp"C:\Users\Admin\AppData\Local\Temp\4B13.tmp"77⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\4B70.tmp"C:\Users\Admin\AppData\Local\Temp\4B70.tmp"78⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\4BCE.tmp"C:\Users\Admin\AppData\Local\Temp\4BCE.tmp"79⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\4C3B.tmp"C:\Users\Admin\AppData\Local\Temp\4C3B.tmp"80⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\4C99.tmp"C:\Users\Admin\AppData\Local\Temp\4C99.tmp"81⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\4CF7.tmp"C:\Users\Admin\AppData\Local\Temp\4CF7.tmp"82⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\4D55.tmp"C:\Users\Admin\AppData\Local\Temp\4D55.tmp"83⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\4DB2.tmp"C:\Users\Admin\AppData\Local\Temp\4DB2.tmp"84⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\4E10.tmp"C:\Users\Admin\AppData\Local\Temp\4E10.tmp"85⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"C:\Users\Admin\AppData\Local\Temp\4E6E.tmp"86⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\4ECC.tmp"C:\Users\Admin\AppData\Local\Temp\4ECC.tmp"87⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\4F29.tmp"C:\Users\Admin\AppData\Local\Temp\4F29.tmp"88⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\4F87.tmp"C:\Users\Admin\AppData\Local\Temp\4F87.tmp"89⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\4FF5.tmp"C:\Users\Admin\AppData\Local\Temp\4FF5.tmp"90⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\5052.tmp"C:\Users\Admin\AppData\Local\Temp\5052.tmp"91⤵PID:900
-
C:\Users\Admin\AppData\Local\Temp\50A0.tmp"C:\Users\Admin\AppData\Local\Temp\50A0.tmp"92⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\50FE.tmp"C:\Users\Admin\AppData\Local\Temp\50FE.tmp"93⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\515C.tmp"C:\Users\Admin\AppData\Local\Temp\515C.tmp"94⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\51BA.tmp"C:\Users\Admin\AppData\Local\Temp\51BA.tmp"95⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\5217.tmp"C:\Users\Admin\AppData\Local\Temp\5217.tmp"96⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\5285.tmp"C:\Users\Admin\AppData\Local\Temp\5285.tmp"97⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\52D3.tmp"C:\Users\Admin\AppData\Local\Temp\52D3.tmp"98⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\5331.tmp"C:\Users\Admin\AppData\Local\Temp\5331.tmp"99⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\538E.tmp"C:\Users\Admin\AppData\Local\Temp\538E.tmp"100⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\53EC.tmp"C:\Users\Admin\AppData\Local\Temp\53EC.tmp"101⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\544A.tmp"C:\Users\Admin\AppData\Local\Temp\544A.tmp"102⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\54A8.tmp"C:\Users\Admin\AppData\Local\Temp\54A8.tmp"103⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\5505.tmp"C:\Users\Admin\AppData\Local\Temp\5505.tmp"104⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\5554.tmp"C:\Users\Admin\AppData\Local\Temp\5554.tmp"105⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\55B1.tmp"C:\Users\Admin\AppData\Local\Temp\55B1.tmp"106⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\560F.tmp"C:\Users\Admin\AppData\Local\Temp\560F.tmp"107⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\565D.tmp"C:\Users\Admin\AppData\Local\Temp\565D.tmp"108⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\56AB.tmp"C:\Users\Admin\AppData\Local\Temp\56AB.tmp"109⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\56F9.tmp"C:\Users\Admin\AppData\Local\Temp\56F9.tmp"110⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\5748.tmp"C:\Users\Admin\AppData\Local\Temp\5748.tmp"111⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\57A5.tmp"C:\Users\Admin\AppData\Local\Temp\57A5.tmp"112⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\5803.tmp"C:\Users\Admin\AppData\Local\Temp\5803.tmp"113⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\5851.tmp"C:\Users\Admin\AppData\Local\Temp\5851.tmp"114⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\58AF.tmp"C:\Users\Admin\AppData\Local\Temp\58AF.tmp"115⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\58FD.tmp"C:\Users\Admin\AppData\Local\Temp\58FD.tmp"116⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\594B.tmp"C:\Users\Admin\AppData\Local\Temp\594B.tmp"117⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\5999.tmp"C:\Users\Admin\AppData\Local\Temp\5999.tmp"118⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\59E7.tmp"C:\Users\Admin\AppData\Local\Temp\59E7.tmp"119⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\5A45.tmp"C:\Users\Admin\AppData\Local\Temp\5A45.tmp"120⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\5AA3.tmp"C:\Users\Admin\AppData\Local\Temp\5AA3.tmp"121⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\5AF1.tmp"C:\Users\Admin\AppData\Local\Temp\5AF1.tmp"122⤵PID:4520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-