Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/06/2024, 02:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe
Resource
win7-20240419-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe
Resource
win10v2004-20240508-en
2 signatures
150 seconds
General
-
Target
2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe
-
Size
520KB
-
MD5
9afe5e6b007ae61f78455af2915a2757
-
SHA1
387466239901465060f4b6446ce6212acabb9d23
-
SHA256
1969c45eaf1a9e9c81a2cd62b97f327abbb14283d1dcd5f3d8699d8417044847
-
SHA512
ccaaf61dde185ca63f24f805493a74b05a5de08552b0d7fdf23e8b2ddfa561fba24781e3f503c9817173ad8352810e2db35b5de1867c7992c36bed3730585c73
-
SSDEEP
12288:gj8fuxR21t5i8fn3mhxAQP92kYF2CIsJP/mFfeNZ:gj8fuK1GY2gU7CIknrN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1956 4A09.tmp 2124 4A86.tmp 3312 4B03.tmp 3340 4B9F.tmp 3824 4C2C.tmp 1016 4C7A.tmp 4688 4CD8.tmp 2348 4D35.tmp 3700 4D84.tmp 320 4DD2.tmp 2192 4E3F.tmp 4036 4E8D.tmp 2052 4EEB.tmp 3608 4F49.tmp 3760 4FC6.tmp 5064 5023.tmp 2376 5072.tmp 1096 50DF.tmp 1384 516C.tmp 4968 51BA.tmp 4960 5227.tmp 3368 5285.tmp 2704 52D3.tmp 3096 5331.tmp 2176 539E.tmp 2992 53FC.tmp 2596 545A.tmp 2088 54C7.tmp 4528 5515.tmp 2016 5582.tmp 4568 55E0.tmp 2640 565D.tmp 5044 56CB.tmp 2180 5719.tmp 2612 5767.tmp 4992 57B5.tmp 4468 5803.tmp 2516 5880.tmp 2276 58DE.tmp 4596 592C.tmp 3484 597A.tmp 3288 59C8.tmp 1284 5A16.tmp 2204 5A64.tmp 4780 5AB3.tmp 2392 5B01.tmp 1160 5B5E.tmp 2300 5BAD.tmp 1964 5C0A.tmp 564 5C68.tmp 1380 5CB6.tmp 796 5D04.tmp 4428 5D52.tmp 2084 5DA1.tmp 1616 5DEF.tmp 2672 5E3D.tmp 3100 5E8B.tmp 220 5EC9.tmp 4068 5F18.tmp 5032 5F66.tmp 224 5FC3.tmp 3864 6012.tmp 2564 6060.tmp 3340 60AE.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3132 wrote to memory of 1956 3132 2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe 82 PID 3132 wrote to memory of 1956 3132 2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe 82 PID 3132 wrote to memory of 1956 3132 2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe 82 PID 1956 wrote to memory of 2124 1956 4A09.tmp 83 PID 1956 wrote to memory of 2124 1956 4A09.tmp 83 PID 1956 wrote to memory of 2124 1956 4A09.tmp 83 PID 2124 wrote to memory of 3312 2124 4A86.tmp 85 PID 2124 wrote to memory of 3312 2124 4A86.tmp 85 PID 2124 wrote to memory of 3312 2124 4A86.tmp 85 PID 3312 wrote to memory of 3340 3312 4B03.tmp 87 PID 3312 wrote to memory of 3340 3312 4B03.tmp 87 PID 3312 wrote to memory of 3340 3312 4B03.tmp 87 PID 3340 wrote to memory of 3824 3340 4B9F.tmp 89 PID 3340 wrote to memory of 3824 3340 4B9F.tmp 89 PID 3340 wrote to memory of 3824 3340 4B9F.tmp 89 PID 3824 wrote to memory of 1016 3824 4C2C.tmp 90 PID 3824 wrote to memory of 1016 3824 4C2C.tmp 90 PID 3824 wrote to memory of 1016 3824 4C2C.tmp 90 PID 1016 wrote to memory of 4688 1016 4C7A.tmp 91 PID 1016 wrote to memory of 4688 1016 4C7A.tmp 91 PID 1016 wrote to memory of 4688 1016 4C7A.tmp 91 PID 4688 wrote to memory of 2348 4688 4CD8.tmp 92 PID 4688 wrote to memory of 2348 4688 4CD8.tmp 92 PID 4688 wrote to memory of 2348 4688 4CD8.tmp 92 PID 2348 wrote to memory of 3700 2348 4D35.tmp 93 PID 2348 wrote to memory of 3700 2348 4D35.tmp 93 PID 2348 wrote to memory of 3700 2348 4D35.tmp 93 PID 3700 wrote to memory of 320 3700 4D84.tmp 94 PID 3700 wrote to memory of 320 3700 4D84.tmp 94 PID 3700 wrote to memory of 320 3700 4D84.tmp 94 PID 320 wrote to memory of 2192 320 4DD2.tmp 95 PID 320 wrote to memory of 2192 320 4DD2.tmp 95 PID 320 wrote to memory of 2192 320 4DD2.tmp 95 PID 2192 wrote to memory of 4036 2192 4E3F.tmp 96 PID 2192 wrote to memory of 4036 2192 4E3F.tmp 96 PID 2192 wrote to memory of 4036 2192 4E3F.tmp 96 PID 4036 wrote to memory of 2052 4036 4E8D.tmp 97 PID 4036 wrote to memory of 2052 4036 4E8D.tmp 97 PID 4036 wrote to memory of 2052 4036 4E8D.tmp 97 PID 2052 wrote to memory of 3608 2052 4EEB.tmp 98 PID 2052 wrote to memory of 3608 2052 4EEB.tmp 98 PID 2052 wrote to memory of 3608 2052 4EEB.tmp 98 PID 3608 wrote to memory of 3760 3608 4F49.tmp 99 PID 3608 wrote to memory of 3760 3608 4F49.tmp 99 PID 3608 wrote to memory of 3760 3608 4F49.tmp 99 PID 3760 wrote to memory of 5064 3760 4FC6.tmp 100 PID 3760 wrote to memory of 5064 3760 4FC6.tmp 100 PID 3760 wrote to memory of 5064 3760 4FC6.tmp 100 PID 5064 wrote to memory of 2376 5064 5023.tmp 101 PID 5064 wrote to memory of 2376 5064 5023.tmp 101 PID 5064 wrote to memory of 2376 5064 5023.tmp 101 PID 2376 wrote to memory of 1096 2376 5072.tmp 102 PID 2376 wrote to memory of 1096 2376 5072.tmp 102 PID 2376 wrote to memory of 1096 2376 5072.tmp 102 PID 1096 wrote to memory of 1384 1096 50DF.tmp 103 PID 1096 wrote to memory of 1384 1096 50DF.tmp 103 PID 1096 wrote to memory of 1384 1096 50DF.tmp 103 PID 1384 wrote to memory of 4968 1384 516C.tmp 104 PID 1384 wrote to memory of 4968 1384 516C.tmp 104 PID 1384 wrote to memory of 4968 1384 516C.tmp 104 PID 4968 wrote to memory of 4960 4968 51BA.tmp 105 PID 4968 wrote to memory of 4960 4968 51BA.tmp 105 PID 4968 wrote to memory of 4960 4968 51BA.tmp 105 PID 4960 wrote to memory of 3368 4960 5227.tmp 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_9afe5e6b007ae61f78455af2915a2757_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\4A09.tmp"C:\Users\Admin\AppData\Local\Temp\4A09.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\4A86.tmp"C:\Users\Admin\AppData\Local\Temp\4A86.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\4B03.tmp"C:\Users\Admin\AppData\Local\Temp\4B03.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"C:\Users\Admin\AppData\Local\Temp\4B9F.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\4C2C.tmp"C:\Users\Admin\AppData\Local\Temp\4C2C.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\4C7A.tmp"C:\Users\Admin\AppData\Local\Temp\4C7A.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\4CD8.tmp"C:\Users\Admin\AppData\Local\Temp\4CD8.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\4D35.tmp"C:\Users\Admin\AppData\Local\Temp\4D35.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\4D84.tmp"C:\Users\Admin\AppData\Local\Temp\4D84.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\4DD2.tmp"C:\Users\Admin\AppData\Local\Temp\4DD2.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Users\Admin\AppData\Local\Temp\4E3F.tmp"C:\Users\Admin\AppData\Local\Temp\4E3F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\4E8D.tmp"C:\Users\Admin\AppData\Local\Temp\4E8D.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\4EEB.tmp"C:\Users\Admin\AppData\Local\Temp\4EEB.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\4F49.tmp"C:\Users\Admin\AppData\Local\Temp\4F49.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"C:\Users\Admin\AppData\Local\Temp\4FC6.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\5023.tmp"C:\Users\Admin\AppData\Local\Temp\5023.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\5072.tmp"C:\Users\Admin\AppData\Local\Temp\5072.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\50DF.tmp"C:\Users\Admin\AppData\Local\Temp\50DF.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\516C.tmp"C:\Users\Admin\AppData\Local\Temp\516C.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\51BA.tmp"C:\Users\Admin\AppData\Local\Temp\51BA.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\5227.tmp"C:\Users\Admin\AppData\Local\Temp\5227.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\5285.tmp"C:\Users\Admin\AppData\Local\Temp\5285.tmp"23⤵
- Executes dropped EXE
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\52D3.tmp"C:\Users\Admin\AppData\Local\Temp\52D3.tmp"24⤵
- Executes dropped EXE
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\5331.tmp"C:\Users\Admin\AppData\Local\Temp\5331.tmp"25⤵
- Executes dropped EXE
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\539E.tmp"C:\Users\Admin\AppData\Local\Temp\539E.tmp"26⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\53FC.tmp"C:\Users\Admin\AppData\Local\Temp\53FC.tmp"27⤵
- Executes dropped EXE
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\545A.tmp"C:\Users\Admin\AppData\Local\Temp\545A.tmp"28⤵
- Executes dropped EXE
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\54C7.tmp"C:\Users\Admin\AppData\Local\Temp\54C7.tmp"29⤵
- Executes dropped EXE
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\5515.tmp"C:\Users\Admin\AppData\Local\Temp\5515.tmp"30⤵
- Executes dropped EXE
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\5582.tmp"C:\Users\Admin\AppData\Local\Temp\5582.tmp"31⤵
- Executes dropped EXE
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\55E0.tmp"C:\Users\Admin\AppData\Local\Temp\55E0.tmp"32⤵
- Executes dropped EXE
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\565D.tmp"C:\Users\Admin\AppData\Local\Temp\565D.tmp"33⤵
- Executes dropped EXE
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\56CB.tmp"C:\Users\Admin\AppData\Local\Temp\56CB.tmp"34⤵
- Executes dropped EXE
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\5719.tmp"C:\Users\Admin\AppData\Local\Temp\5719.tmp"35⤵
- Executes dropped EXE
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\5767.tmp"C:\Users\Admin\AppData\Local\Temp\5767.tmp"36⤵
- Executes dropped EXE
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\57B5.tmp"C:\Users\Admin\AppData\Local\Temp\57B5.tmp"37⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\5803.tmp"C:\Users\Admin\AppData\Local\Temp\5803.tmp"38⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\5880.tmp"C:\Users\Admin\AppData\Local\Temp\5880.tmp"39⤵
- Executes dropped EXE
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\58DE.tmp"C:\Users\Admin\AppData\Local\Temp\58DE.tmp"40⤵
- Executes dropped EXE
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\592C.tmp"C:\Users\Admin\AppData\Local\Temp\592C.tmp"41⤵
- Executes dropped EXE
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\597A.tmp"C:\Users\Admin\AppData\Local\Temp\597A.tmp"42⤵
- Executes dropped EXE
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\59C8.tmp"C:\Users\Admin\AppData\Local\Temp\59C8.tmp"43⤵
- Executes dropped EXE
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\5A16.tmp"C:\Users\Admin\AppData\Local\Temp\5A16.tmp"44⤵
- Executes dropped EXE
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\5A64.tmp"C:\Users\Admin\AppData\Local\Temp\5A64.tmp"45⤵
- Executes dropped EXE
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"C:\Users\Admin\AppData\Local\Temp\5AB3.tmp"46⤵
- Executes dropped EXE
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\5B01.tmp"C:\Users\Admin\AppData\Local\Temp\5B01.tmp"47⤵
- Executes dropped EXE
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\5B5E.tmp"C:\Users\Admin\AppData\Local\Temp\5B5E.tmp"48⤵
- Executes dropped EXE
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\5BAD.tmp"C:\Users\Admin\AppData\Local\Temp\5BAD.tmp"49⤵
- Executes dropped EXE
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\5C0A.tmp"C:\Users\Admin\AppData\Local\Temp\5C0A.tmp"50⤵
- Executes dropped EXE
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\5C68.tmp"C:\Users\Admin\AppData\Local\Temp\5C68.tmp"51⤵
- Executes dropped EXE
PID:564 -
C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"C:\Users\Admin\AppData\Local\Temp\5CB6.tmp"52⤵
- Executes dropped EXE
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\5D04.tmp"C:\Users\Admin\AppData\Local\Temp\5D04.tmp"53⤵
- Executes dropped EXE
PID:796 -
C:\Users\Admin\AppData\Local\Temp\5D52.tmp"C:\Users\Admin\AppData\Local\Temp\5D52.tmp"54⤵
- Executes dropped EXE
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"C:\Users\Admin\AppData\Local\Temp\5DA1.tmp"55⤵
- Executes dropped EXE
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"C:\Users\Admin\AppData\Local\Temp\5DEF.tmp"56⤵
- Executes dropped EXE
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\5E3D.tmp"C:\Users\Admin\AppData\Local\Temp\5E3D.tmp"57⤵
- Executes dropped EXE
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"C:\Users\Admin\AppData\Local\Temp\5E8B.tmp"58⤵
- Executes dropped EXE
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\5EC9.tmp"C:\Users\Admin\AppData\Local\Temp\5EC9.tmp"59⤵
- Executes dropped EXE
PID:220 -
C:\Users\Admin\AppData\Local\Temp\5F18.tmp"C:\Users\Admin\AppData\Local\Temp\5F18.tmp"60⤵
- Executes dropped EXE
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\5F66.tmp"C:\Users\Admin\AppData\Local\Temp\5F66.tmp"61⤵
- Executes dropped EXE
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\5FC3.tmp"C:\Users\Admin\AppData\Local\Temp\5FC3.tmp"62⤵
- Executes dropped EXE
PID:224 -
C:\Users\Admin\AppData\Local\Temp\6012.tmp"C:\Users\Admin\AppData\Local\Temp\6012.tmp"63⤵
- Executes dropped EXE
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\6060.tmp"C:\Users\Admin\AppData\Local\Temp\6060.tmp"64⤵
- Executes dropped EXE
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\60AE.tmp"C:\Users\Admin\AppData\Local\Temp\60AE.tmp"65⤵
- Executes dropped EXE
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\60FC.tmp"C:\Users\Admin\AppData\Local\Temp\60FC.tmp"66⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\614A.tmp"C:\Users\Admin\AppData\Local\Temp\614A.tmp"67⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\6198.tmp"C:\Users\Admin\AppData\Local\Temp\6198.tmp"68⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\61E6.tmp"C:\Users\Admin\AppData\Local\Temp\61E6.tmp"69⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\6244.tmp"C:\Users\Admin\AppData\Local\Temp\6244.tmp"70⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\6292.tmp"C:\Users\Admin\AppData\Local\Temp\6292.tmp"71⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\62E0.tmp"C:\Users\Admin\AppData\Local\Temp\62E0.tmp"72⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\632E.tmp"C:\Users\Admin\AppData\Local\Temp\632E.tmp"73⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\637D.tmp"C:\Users\Admin\AppData\Local\Temp\637D.tmp"74⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\63CB.tmp"C:\Users\Admin\AppData\Local\Temp\63CB.tmp"75⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\6419.tmp"C:\Users\Admin\AppData\Local\Temp\6419.tmp"76⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\6467.tmp"C:\Users\Admin\AppData\Local\Temp\6467.tmp"77⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\64C5.tmp"C:\Users\Admin\AppData\Local\Temp\64C5.tmp"78⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\6522.tmp"C:\Users\Admin\AppData\Local\Temp\6522.tmp"79⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\6571.tmp"C:\Users\Admin\AppData\Local\Temp\6571.tmp"80⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\65CE.tmp"C:\Users\Admin\AppData\Local\Temp\65CE.tmp"81⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\662C.tmp"C:\Users\Admin\AppData\Local\Temp\662C.tmp"82⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\667A.tmp"C:\Users\Admin\AppData\Local\Temp\667A.tmp"83⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\66C8.tmp"C:\Users\Admin\AppData\Local\Temp\66C8.tmp"84⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\6716.tmp"C:\Users\Admin\AppData\Local\Temp\6716.tmp"85⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\6765.tmp"C:\Users\Admin\AppData\Local\Temp\6765.tmp"86⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\67C2.tmp"C:\Users\Admin\AppData\Local\Temp\67C2.tmp"87⤵PID:3924
-
C:\Users\Admin\AppData\Local\Temp\6810.tmp"C:\Users\Admin\AppData\Local\Temp\6810.tmp"88⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\685F.tmp"C:\Users\Admin\AppData\Local\Temp\685F.tmp"89⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\68AD.tmp"C:\Users\Admin\AppData\Local\Temp\68AD.tmp"90⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\68FB.tmp"C:\Users\Admin\AppData\Local\Temp\68FB.tmp"91⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\6949.tmp"C:\Users\Admin\AppData\Local\Temp\6949.tmp"92⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\69A7.tmp"C:\Users\Admin\AppData\Local\Temp\69A7.tmp"93⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\69F5.tmp"C:\Users\Admin\AppData\Local\Temp\69F5.tmp"94⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\6A43.tmp"C:\Users\Admin\AppData\Local\Temp\6A43.tmp"95⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\6A91.tmp"C:\Users\Admin\AppData\Local\Temp\6A91.tmp"96⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"C:\Users\Admin\AppData\Local\Temp\6ADF.tmp"97⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"C:\Users\Admin\AppData\Local\Temp\6B3D.tmp"98⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"C:\Users\Admin\AppData\Local\Temp\6B8B.tmp"99⤵PID:644
-
C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"C:\Users\Admin\AppData\Local\Temp\6BD9.tmp"100⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\6C27.tmp"C:\Users\Admin\AppData\Local\Temp\6C27.tmp"101⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\6C75.tmp"C:\Users\Admin\AppData\Local\Temp\6C75.tmp"102⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"C:\Users\Admin\AppData\Local\Temp\6CD3.tmp"103⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\6D31.tmp"C:\Users\Admin\AppData\Local\Temp\6D31.tmp"104⤵PID:3548
-
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"C:\Users\Admin\AppData\Local\Temp\6D8F.tmp"105⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"C:\Users\Admin\AppData\Local\Temp\6DDD.tmp"106⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"C:\Users\Admin\AppData\Local\Temp\6E3B.tmp"107⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\6E89.tmp"C:\Users\Admin\AppData\Local\Temp\6E89.tmp"108⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\6EE6.tmp"C:\Users\Admin\AppData\Local\Temp\6EE6.tmp"109⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\6F44.tmp"C:\Users\Admin\AppData\Local\Temp\6F44.tmp"110⤵PID:828
-
C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"C:\Users\Admin\AppData\Local\Temp\6FA2.tmp"111⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"C:\Users\Admin\AppData\Local\Temp\6FF0.tmp"112⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\703E.tmp"C:\Users\Admin\AppData\Local\Temp\703E.tmp"113⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\708C.tmp"C:\Users\Admin\AppData\Local\Temp\708C.tmp"114⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\70DA.tmp"C:\Users\Admin\AppData\Local\Temp\70DA.tmp"115⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\7129.tmp"C:\Users\Admin\AppData\Local\Temp\7129.tmp"116⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\7186.tmp"C:\Users\Admin\AppData\Local\Temp\7186.tmp"117⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\71D4.tmp"C:\Users\Admin\AppData\Local\Temp\71D4.tmp"118⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\7223.tmp"C:\Users\Admin\AppData\Local\Temp\7223.tmp"119⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\7271.tmp"C:\Users\Admin\AppData\Local\Temp\7271.tmp"120⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\72BF.tmp"C:\Users\Admin\AppData\Local\Temp\72BF.tmp"121⤵PID:564
-
C:\Users\Admin\AppData\Local\Temp\730D.tmp"C:\Users\Admin\AppData\Local\Temp\730D.tmp"122⤵PID:1380
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-