Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/06/2024, 02:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe
Resource
win7-20240611-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe
-
Size
487KB
-
MD5
8cef6556f06103d7ea498e348fbd262f
-
SHA1
7450dd0c57530f775f2c363b36574958f84ad69e
-
SHA256
6d7b385f5625b88e1379064abeab2363d14d0a9ec9d26905367e13ab60bd1022
-
SHA512
9fb574efeeaa8f010f7638b09f5fa57fd3adfa3a7acfe1f284401d721dc15f76f72c5b0e5cded2a8a3d99e898cb101cda19396f5ad8304a8f919aa69721f11c9
-
SSDEEP
6144:qorf3lPvovsgZnqG2C7mOTeiL9DUPcS5G0HMgZ6AQbOhJ7c/eceTb61hFv4usH3j:HU5rCOTeiJCR8qMgZzQ4Jo/0fa7vSNZ
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 512 E6A7.tmp 3712 E714.tmp 1952 E791.tmp 1520 E7EF.tmp 2364 E87B.tmp 2056 E8F8.tmp 3288 E947.tmp 3992 E9C4.tmp 1888 EA21.tmp 4572 EA6F.tmp 3580 EABE.tmp 4196 EB0C.tmp 1440 EB79.tmp 1640 EBD7.tmp 2892 EC25.tmp 1892 ECA2.tmp 1460 ED0F.tmp 5016 ED5D.tmp 1992 EDCB.tmp 4064 EE29.tmp 4100 EE86.tmp 892 EED4.tmp 3628 EF51.tmp 3984 EFCE.tmp 3060 F01D.tmp 1956 F06B.tmp 4396 F0E8.tmp 2436 F155.tmp 4916 F1C2.tmp 4164 F211.tmp 1056 F25F.tmp 4688 F2CC.tmp 3972 F31A.tmp 2060 F378.tmp 1216 F3D6.tmp 1608 F424.tmp 4388 F472.tmp 3840 F4C0.tmp 1232 F50E.tmp 3288 F55C.tmp 1000 F5AA.tmp 3764 F608.tmp 1888 F666.tmp 1204 F6B4.tmp 1456 F702.tmp 4744 F750.tmp 3468 F7AE.tmp 1112 F7FC.tmp 2256 F84A.tmp 4392 F898.tmp 3680 F8E7.tmp 3768 F935.tmp 2092 F983.tmp 1200 F9E1.tmp 3816 FA3E.tmp 2604 FA8C.tmp 5004 FADB.tmp 1444 FB29.tmp 2576 FB77.tmp 4556 FBD5.tmp 1020 FC32.tmp 4588 FC90.tmp 4120 FCDE.tmp 3568 FD2C.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1560 wrote to memory of 512 1560 2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe 90 PID 1560 wrote to memory of 512 1560 2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe 90 PID 1560 wrote to memory of 512 1560 2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe 90 PID 512 wrote to memory of 3712 512 E6A7.tmp 91 PID 512 wrote to memory of 3712 512 E6A7.tmp 91 PID 512 wrote to memory of 3712 512 E6A7.tmp 91 PID 3712 wrote to memory of 1952 3712 E714.tmp 93 PID 3712 wrote to memory of 1952 3712 E714.tmp 93 PID 3712 wrote to memory of 1952 3712 E714.tmp 93 PID 1952 wrote to memory of 1520 1952 E791.tmp 95 PID 1952 wrote to memory of 1520 1952 E791.tmp 95 PID 1952 wrote to memory of 1520 1952 E791.tmp 95 PID 1520 wrote to memory of 2364 1520 E7EF.tmp 97 PID 1520 wrote to memory of 2364 1520 E7EF.tmp 97 PID 1520 wrote to memory of 2364 1520 E7EF.tmp 97 PID 2364 wrote to memory of 2056 2364 E87B.tmp 98 PID 2364 wrote to memory of 2056 2364 E87B.tmp 98 PID 2364 wrote to memory of 2056 2364 E87B.tmp 98 PID 2056 wrote to memory of 3288 2056 E8F8.tmp 99 PID 2056 wrote to memory of 3288 2056 E8F8.tmp 99 PID 2056 wrote to memory of 3288 2056 E8F8.tmp 99 PID 3288 wrote to memory of 3992 3288 E947.tmp 100 PID 3288 wrote to memory of 3992 3288 E947.tmp 100 PID 3288 wrote to memory of 3992 3288 E947.tmp 100 PID 3992 wrote to memory of 1888 3992 E9C4.tmp 101 PID 3992 wrote to memory of 1888 3992 E9C4.tmp 101 PID 3992 wrote to memory of 1888 3992 E9C4.tmp 101 PID 1888 wrote to memory of 4572 1888 EA21.tmp 102 PID 1888 wrote to memory of 4572 1888 EA21.tmp 102 PID 1888 wrote to memory of 4572 1888 EA21.tmp 102 PID 4572 wrote to memory of 3580 4572 EA6F.tmp 103 PID 4572 wrote to memory of 3580 4572 EA6F.tmp 103 PID 4572 wrote to memory of 3580 4572 EA6F.tmp 103 PID 3580 wrote to memory of 4196 3580 EABE.tmp 104 PID 3580 wrote to memory of 4196 3580 EABE.tmp 104 PID 3580 wrote to memory of 4196 3580 EABE.tmp 104 PID 4196 wrote to memory of 1440 4196 EB0C.tmp 105 PID 4196 wrote to memory of 1440 4196 EB0C.tmp 105 PID 4196 wrote to memory of 1440 4196 EB0C.tmp 105 PID 1440 wrote to memory of 1640 1440 EB79.tmp 106 PID 1440 wrote to memory of 1640 1440 EB79.tmp 106 PID 1440 wrote to memory of 1640 1440 EB79.tmp 106 PID 1640 wrote to memory of 2892 1640 EBD7.tmp 107 PID 1640 wrote to memory of 2892 1640 EBD7.tmp 107 PID 1640 wrote to memory of 2892 1640 EBD7.tmp 107 PID 2892 wrote to memory of 1892 2892 EC25.tmp 108 PID 2892 wrote to memory of 1892 2892 EC25.tmp 108 PID 2892 wrote to memory of 1892 2892 EC25.tmp 108 PID 1892 wrote to memory of 1460 1892 ECA2.tmp 109 PID 1892 wrote to memory of 1460 1892 ECA2.tmp 109 PID 1892 wrote to memory of 1460 1892 ECA2.tmp 109 PID 1460 wrote to memory of 5016 1460 ED0F.tmp 110 PID 1460 wrote to memory of 5016 1460 ED0F.tmp 110 PID 1460 wrote to memory of 5016 1460 ED0F.tmp 110 PID 5016 wrote to memory of 1992 5016 ED5D.tmp 111 PID 5016 wrote to memory of 1992 5016 ED5D.tmp 111 PID 5016 wrote to memory of 1992 5016 ED5D.tmp 111 PID 1992 wrote to memory of 4064 1992 EDCB.tmp 112 PID 1992 wrote to memory of 4064 1992 EDCB.tmp 112 PID 1992 wrote to memory of 4064 1992 EDCB.tmp 112 PID 4064 wrote to memory of 4100 4064 EE29.tmp 113 PID 4064 wrote to memory of 4100 4064 EE29.tmp 113 PID 4064 wrote to memory of 4100 4064 EE29.tmp 113 PID 4100 wrote to memory of 892 4100 EE86.tmp 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8cef6556f06103d7ea498e348fbd262f_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\E6A7.tmp"C:\Users\Admin\AppData\Local\Temp\E6A7.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Users\Admin\AppData\Local\Temp\E714.tmp"C:\Users\Admin\AppData\Local\Temp\E714.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\E791.tmp"C:\Users\Admin\AppData\Local\Temp\E791.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\E7EF.tmp"C:\Users\Admin\AppData\Local\Temp\E7EF.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\E87B.tmp"C:\Users\Admin\AppData\Local\Temp\E87B.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\E8F8.tmp"C:\Users\Admin\AppData\Local\Temp\E8F8.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\E947.tmp"C:\Users\Admin\AppData\Local\Temp\E947.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\E9C4.tmp"C:\Users\Admin\AppData\Local\Temp\E9C4.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\EA21.tmp"C:\Users\Admin\AppData\Local\Temp\EA21.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\EA6F.tmp"C:\Users\Admin\AppData\Local\Temp\EA6F.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\EABE.tmp"C:\Users\Admin\AppData\Local\Temp\EABE.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\EB0C.tmp"C:\Users\Admin\AppData\Local\Temp\EB0C.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\EB79.tmp"C:\Users\Admin\AppData\Local\Temp\EB79.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\EBD7.tmp"C:\Users\Admin\AppData\Local\Temp\EBD7.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\EC25.tmp"C:\Users\Admin\AppData\Local\Temp\EC25.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\ECA2.tmp"C:\Users\Admin\AppData\Local\Temp\ECA2.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\ED0F.tmp"C:\Users\Admin\AppData\Local\Temp\ED0F.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\ED5D.tmp"C:\Users\Admin\AppData\Local\Temp\ED5D.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\EDCB.tmp"C:\Users\Admin\AppData\Local\Temp\EDCB.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\EE29.tmp"C:\Users\Admin\AppData\Local\Temp\EE29.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\EE86.tmp"C:\Users\Admin\AppData\Local\Temp\EE86.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Users\Admin\AppData\Local\Temp\EED4.tmp"C:\Users\Admin\AppData\Local\Temp\EED4.tmp"23⤵
- Executes dropped EXE
PID:892 -
C:\Users\Admin\AppData\Local\Temp\EF51.tmp"C:\Users\Admin\AppData\Local\Temp\EF51.tmp"24⤵
- Executes dropped EXE
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\EFCE.tmp"C:\Users\Admin\AppData\Local\Temp\EFCE.tmp"25⤵
- Executes dropped EXE
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\F01D.tmp"C:\Users\Admin\AppData\Local\Temp\F01D.tmp"26⤵
- Executes dropped EXE
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\F06B.tmp"C:\Users\Admin\AppData\Local\Temp\F06B.tmp"27⤵
- Executes dropped EXE
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\F0E8.tmp"C:\Users\Admin\AppData\Local\Temp\F0E8.tmp"28⤵
- Executes dropped EXE
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\F155.tmp"C:\Users\Admin\AppData\Local\Temp\F155.tmp"29⤵
- Executes dropped EXE
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\F1C2.tmp"C:\Users\Admin\AppData\Local\Temp\F1C2.tmp"30⤵
- Executes dropped EXE
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\F211.tmp"C:\Users\Admin\AppData\Local\Temp\F211.tmp"31⤵
- Executes dropped EXE
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\F25F.tmp"C:\Users\Admin\AppData\Local\Temp\F25F.tmp"32⤵
- Executes dropped EXE
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\F2CC.tmp"C:\Users\Admin\AppData\Local\Temp\F2CC.tmp"33⤵
- Executes dropped EXE
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\F31A.tmp"C:\Users\Admin\AppData\Local\Temp\F31A.tmp"34⤵
- Executes dropped EXE
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\F378.tmp"C:\Users\Admin\AppData\Local\Temp\F378.tmp"35⤵
- Executes dropped EXE
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\F3D6.tmp"C:\Users\Admin\AppData\Local\Temp\F3D6.tmp"36⤵
- Executes dropped EXE
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\F424.tmp"C:\Users\Admin\AppData\Local\Temp\F424.tmp"37⤵
- Executes dropped EXE
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\F472.tmp"C:\Users\Admin\AppData\Local\Temp\F472.tmp"38⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\F4C0.tmp"C:\Users\Admin\AppData\Local\Temp\F4C0.tmp"39⤵
- Executes dropped EXE
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\F50E.tmp"C:\Users\Admin\AppData\Local\Temp\F50E.tmp"40⤵
- Executes dropped EXE
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\F55C.tmp"C:\Users\Admin\AppData\Local\Temp\F55C.tmp"41⤵
- Executes dropped EXE
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\F5AA.tmp"C:\Users\Admin\AppData\Local\Temp\F5AA.tmp"42⤵
- Executes dropped EXE
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\F608.tmp"C:\Users\Admin\AppData\Local\Temp\F608.tmp"43⤵
- Executes dropped EXE
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\F666.tmp"C:\Users\Admin\AppData\Local\Temp\F666.tmp"44⤵
- Executes dropped EXE
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\F6B4.tmp"C:\Users\Admin\AppData\Local\Temp\F6B4.tmp"45⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\F702.tmp"C:\Users\Admin\AppData\Local\Temp\F702.tmp"46⤵
- Executes dropped EXE
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\F750.tmp"C:\Users\Admin\AppData\Local\Temp\F750.tmp"47⤵
- Executes dropped EXE
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\F7AE.tmp"C:\Users\Admin\AppData\Local\Temp\F7AE.tmp"48⤵
- Executes dropped EXE
PID:3468 -
C:\Users\Admin\AppData\Local\Temp\F7FC.tmp"C:\Users\Admin\AppData\Local\Temp\F7FC.tmp"49⤵
- Executes dropped EXE
PID:1112 -
C:\Users\Admin\AppData\Local\Temp\F84A.tmp"C:\Users\Admin\AppData\Local\Temp\F84A.tmp"50⤵
- Executes dropped EXE
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\F898.tmp"C:\Users\Admin\AppData\Local\Temp\F898.tmp"51⤵
- Executes dropped EXE
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\F8E7.tmp"C:\Users\Admin\AppData\Local\Temp\F8E7.tmp"52⤵
- Executes dropped EXE
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\F935.tmp"C:\Users\Admin\AppData\Local\Temp\F935.tmp"53⤵
- Executes dropped EXE
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\F983.tmp"C:\Users\Admin\AppData\Local\Temp\F983.tmp"54⤵
- Executes dropped EXE
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\F9E1.tmp"C:\Users\Admin\AppData\Local\Temp\F9E1.tmp"55⤵
- Executes dropped EXE
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\FA3E.tmp"C:\Users\Admin\AppData\Local\Temp\FA3E.tmp"56⤵
- Executes dropped EXE
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\FA8C.tmp"C:\Users\Admin\AppData\Local\Temp\FA8C.tmp"57⤵
- Executes dropped EXE
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\FADB.tmp"C:\Users\Admin\AppData\Local\Temp\FADB.tmp"58⤵
- Executes dropped EXE
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\FB29.tmp"C:\Users\Admin\AppData\Local\Temp\FB29.tmp"59⤵
- Executes dropped EXE
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\FB77.tmp"C:\Users\Admin\AppData\Local\Temp\FB77.tmp"60⤵
- Executes dropped EXE
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\FBD5.tmp"C:\Users\Admin\AppData\Local\Temp\FBD5.tmp"61⤵
- Executes dropped EXE
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\FC32.tmp"C:\Users\Admin\AppData\Local\Temp\FC32.tmp"62⤵
- Executes dropped EXE
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\FC90.tmp"C:\Users\Admin\AppData\Local\Temp\FC90.tmp"63⤵
- Executes dropped EXE
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\FCDE.tmp"C:\Users\Admin\AppData\Local\Temp\FCDE.tmp"64⤵
- Executes dropped EXE
PID:4120 -
C:\Users\Admin\AppData\Local\Temp\FD2C.tmp"C:\Users\Admin\AppData\Local\Temp\FD2C.tmp"65⤵
- Executes dropped EXE
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\FD7A.tmp"C:\Users\Admin\AppData\Local\Temp\FD7A.tmp"66⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\FDC9.tmp"C:\Users\Admin\AppData\Local\Temp\FDC9.tmp"67⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\FE17.tmp"C:\Users\Admin\AppData\Local\Temp\FE17.tmp"68⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\FE55.tmp"C:\Users\Admin\AppData\Local\Temp\FE55.tmp"69⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\FEA3.tmp"C:\Users\Admin\AppData\Local\Temp\FEA3.tmp"70⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\FF01.tmp"C:\Users\Admin\AppData\Local\Temp\FF01.tmp"71⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\FF4F.tmp"C:\Users\Admin\AppData\Local\Temp\FF4F.tmp"72⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\FF9D.tmp"C:\Users\Admin\AppData\Local\Temp\FF9D.tmp"73⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\FFEB.tmp"C:\Users\Admin\AppData\Local\Temp\FFEB.tmp"74⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\3A.tmp"C:\Users\Admin\AppData\Local\Temp\3A.tmp"75⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\88.tmp"C:\Users\Admin\AppData\Local\Temp\88.tmp"76⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\D6.tmp"C:\Users\Admin\AppData\Local\Temp\D6.tmp"77⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\134.tmp"C:\Users\Admin\AppData\Local\Temp\134.tmp"78⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\182.tmp"C:\Users\Admin\AppData\Local\Temp\182.tmp"79⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\1D0.tmp"C:\Users\Admin\AppData\Local\Temp\1D0.tmp"80⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\21E.tmp"C:\Users\Admin\AppData\Local\Temp\21E.tmp"81⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\26C.tmp"C:\Users\Admin\AppData\Local\Temp\26C.tmp"82⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\2CA.tmp"C:\Users\Admin\AppData\Local\Temp\2CA.tmp"83⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\318.tmp"C:\Users\Admin\AppData\Local\Temp\318.tmp"84⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\366.tmp"C:\Users\Admin\AppData\Local\Temp\366.tmp"85⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\3C4.tmp"C:\Users\Admin\AppData\Local\Temp\3C4.tmp"86⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\422.tmp"C:\Users\Admin\AppData\Local\Temp\422.tmp"87⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\47F.tmp"C:\Users\Admin\AppData\Local\Temp\47F.tmp"88⤵PID:1336
-
C:\Users\Admin\AppData\Local\Temp\4CD.tmp"C:\Users\Admin\AppData\Local\Temp\4CD.tmp"89⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\52B.tmp"C:\Users\Admin\AppData\Local\Temp\52B.tmp"90⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\589.tmp"C:\Users\Admin\AppData\Local\Temp\589.tmp"91⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\5D7.tmp"C:\Users\Admin\AppData\Local\Temp\5D7.tmp"92⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\625.tmp"C:\Users\Admin\AppData\Local\Temp\625.tmp"93⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\673.tmp"C:\Users\Admin\AppData\Local\Temp\673.tmp"94⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\6C1.tmp"C:\Users\Admin\AppData\Local\Temp\6C1.tmp"95⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\71F.tmp"C:\Users\Admin\AppData\Local\Temp\71F.tmp"96⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\76D.tmp"C:\Users\Admin\AppData\Local\Temp\76D.tmp"97⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\7BB.tmp"C:\Users\Admin\AppData\Local\Temp\7BB.tmp"98⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\819.tmp"C:\Users\Admin\AppData\Local\Temp\819.tmp"99⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\867.tmp"C:\Users\Admin\AppData\Local\Temp\867.tmp"100⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\8B5.tmp"C:\Users\Admin\AppData\Local\Temp\8B5.tmp"101⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\913.tmp"C:\Users\Admin\AppData\Local\Temp\913.tmp"102⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\961.tmp"C:\Users\Admin\AppData\Local\Temp\961.tmp"103⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\9AF.tmp"C:\Users\Admin\AppData\Local\Temp\9AF.tmp"104⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\9FE.tmp"C:\Users\Admin\AppData\Local\Temp\9FE.tmp"105⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\A4C.tmp"C:\Users\Admin\AppData\Local\Temp\A4C.tmp"106⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\AA9.tmp"C:\Users\Admin\AppData\Local\Temp\AA9.tmp"107⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\AF8.tmp"C:\Users\Admin\AppData\Local\Temp\AF8.tmp"108⤵PID:3172
-
C:\Users\Admin\AppData\Local\Temp\B46.tmp"C:\Users\Admin\AppData\Local\Temp\B46.tmp"109⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\B94.tmp"C:\Users\Admin\AppData\Local\Temp\B94.tmp"110⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\BF2.tmp"C:\Users\Admin\AppData\Local\Temp\BF2.tmp"111⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\C40.tmp"C:\Users\Admin\AppData\Local\Temp\C40.tmp"112⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\C8E.tmp"C:\Users\Admin\AppData\Local\Temp\C8E.tmp"113⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\CDC.tmp"C:\Users\Admin\AppData\Local\Temp\CDC.tmp"114⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\D2A.tmp"C:\Users\Admin\AppData\Local\Temp\D2A.tmp"115⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\D78.tmp"C:\Users\Admin\AppData\Local\Temp\D78.tmp"116⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\DC6.tmp"C:\Users\Admin\AppData\Local\Temp\DC6.tmp"117⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\E14.tmp"C:\Users\Admin\AppData\Local\Temp\E14.tmp"118⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\E63.tmp"C:\Users\Admin\AppData\Local\Temp\E63.tmp"119⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\EC0.tmp"C:\Users\Admin\AppData\Local\Temp\EC0.tmp"120⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\F0E.tmp"C:\Users\Admin\AppData\Local\Temp\F0E.tmp"121⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\F5D.tmp"C:\Users\Admin\AppData\Local\Temp\F5D.tmp"122⤵PID:3972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-