Analysis
max time kernel: 102s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24-01-2024 01:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-01-24_2478bb4eb35d100cfe14eaa71059253f_mafia.exe
Resource
win7-20231129-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-01-24_2478bb4eb35d100cfe14eaa71059253f_mafia.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
2 signatures
150 seconds
General
Target: 2024-01-24_2478bb4eb35d100cfe14eaa71059253f_mafia.exe
Size: 488KB
MD5: 2478bb4eb35d100cfe14eaa71059253f
SHA1: 3cc442bf5dda4e0ae9bf4134bc38e22919fc88c2
SHA256: 9429da3c3183dda694ccc3d5b485dd3d7ca941846643528ada4afb150ac6e8fb
SHA512: bca85e9699af2fda1a18e9a9c44256fe58b4cd965e22af158d23f8783ae7ee0f58548288dc627b33e47bc5d5a48fd97d2858d439ff68e33e70e262f6be829216
SSDEEP: 12288:/U5rCOTeiDa2ULrtxvyHEE3/lkinB5jNZ:/UQOJDPertlyHjdkinvjN
Score: 7/10
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes