Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
20/08/2023, 09:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe
Resource
win7-20230712-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe
Resource
win10v2004-20230703-en
2 signatures
150 seconds
General
-
Target
4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe
-
Size
487KB
-
MD5
4e5bb394b5224e83aa96ec2267dddb06
-
SHA1
019357a586f9a5ac09ddeb9ddbd63791979c5e85
-
SHA256
573e4f5a7638696c09b987daa60bfd4db9bf8d30ba3564c79c878d957e6897c6
-
SHA512
c99d248e0c702a349bc58396696c25db9ad3e8bd2d147c7599b4ad46e0e5f346ae027f5f21c4a2adddc002a4f9b6fa3982cd2c682d6f2cc895ec484ec6f1f9d4
-
SSDEEP
12288:yU5rCOTeiN5RbiFGuCHfhj6q/BzfKkA9s2eTUxLu5bZ:yUQOJN5Rb+Ql6o49zCb
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4172 7B6A.tmp 2560 7C15.tmp 4904 7CD1.tmp 1964 7D8C.tmp 4608 7E86.tmp 2576 7F32.tmp 1676 7FDE.tmp 4524 80A9.tmp 2076 8155.tmp 1060 81F1.tmp 1252 829D.tmp 1572 8359.tmp 4376 83D6.tmp 1504 84B1.tmp 2096 854D.tmp 4508 85E9.tmp 4200 86B4.tmp 3572 8731.tmp 2492 87FC.tmp 1500 88C7.tmp 208 8FAD.tmp 2724 9059.tmp 924 90F5.tmp 2120 91C0.tmp 2412 924D.tmp 3148 92F9.tmp 4976 93C4.tmp 3524 947F.tmp 4188 955A.tmp 2836 95D7.tmp 2260 96C2.tmp 4816 97BC.tmp 1284 98A6.tmp 1976 9942.tmp 4696 99DE.tmp 2208 9A6B.tmp 1740 9B07.tmp 4380 9B94.tmp 1492 9C30.tmp 3212 9CAD.tmp 4152 9D3A.tmp 2796 9DE6.tmp 484 9E72.tmp 4392 9F0F.tmp 4244 9F8C.tmp 4624 A028.tmp 2176 A0C4.tmp 4556 A151.tmp 1008 A1DD.tmp 2588 A26A.tmp 2232 A316.tmp 1964 A4EB.tmp 3844 A558.tmp 3268 A5C5.tmp 5020 A671.tmp 3312 A6FE.tmp 3156 A79A.tmp 876 A817.tmp 872 A894.tmp 1868 A8F2.tmp 2488 A940.tmp 2988 A9AD.tmp 216 A9FB.tmp 4844 AA69.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1116 wrote to memory of 4172 1116 4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe 83 PID 1116 wrote to memory of 4172 1116 4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe 83 PID 1116 wrote to memory of 4172 1116 4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe 83 PID 4172 wrote to memory of 2560 4172 7B6A.tmp 84 PID 4172 wrote to memory of 2560 4172 7B6A.tmp 84 PID 4172 wrote to memory of 2560 4172 7B6A.tmp 84 PID 2560 wrote to memory of 4904 2560 7C15.tmp 85 PID 2560 wrote to memory of 4904 2560 7C15.tmp 85 PID 2560 wrote to memory of 4904 2560 7C15.tmp 85 PID 4904 wrote to memory of 1964 4904 7CD1.tmp 86 PID 4904 wrote to memory of 1964 4904 7CD1.tmp 86 PID 4904 wrote to memory of 1964 4904 7CD1.tmp 86 PID 1964 wrote to memory of 4608 1964 7D8C.tmp 87 PID 1964 wrote to memory of 4608 1964 7D8C.tmp 87 PID 1964 wrote to memory of 4608 1964 7D8C.tmp 87 PID 4608 wrote to memory of 2576 4608 7E86.tmp 88 PID 4608 wrote to memory of 2576 4608 7E86.tmp 88 PID 4608 wrote to memory of 2576 4608 7E86.tmp 88 PID 2576 wrote to memory of 1676 2576 7F32.tmp 89 PID 2576 wrote to memory of 1676 2576 7F32.tmp 89 PID 2576 wrote to memory of 1676 2576 7F32.tmp 89 PID 1676 wrote to memory of 4524 1676 7FDE.tmp 90 PID 1676 wrote to memory of 4524 1676 7FDE.tmp 90 PID 1676 wrote to memory of 4524 1676 7FDE.tmp 90 PID 4524 wrote to memory of 2076 4524 80A9.tmp 91 PID 4524 wrote to memory of 2076 4524 80A9.tmp 91 PID 4524 wrote to memory of 2076 4524 80A9.tmp 91 PID 2076 wrote to memory of 1060 2076 8155.tmp 92 PID 2076 wrote to memory of 1060 2076 8155.tmp 92 PID 2076 wrote to memory of 1060 2076 8155.tmp 92 PID 1060 wrote to memory of 1252 1060 81F1.tmp 93 PID 1060 wrote to memory of 1252 1060 81F1.tmp 93 PID 1060 wrote to memory of 1252 1060 81F1.tmp 93 PID 1252 wrote to memory of 1572 1252 829D.tmp 94 PID 1252 wrote to memory of 1572 1252 829D.tmp 94 PID 1252 wrote to memory of 1572 1252 829D.tmp 94 PID 1572 wrote to memory of 4376 1572 8359.tmp 95 PID 1572 wrote to memory of 4376 1572 8359.tmp 95 PID 1572 wrote to memory of 4376 1572 8359.tmp 95 PID 4376 wrote to memory of 1504 4376 83D6.tmp 96 PID 4376 wrote to memory of 1504 4376 83D6.tmp 96 PID 4376 wrote to memory of 1504 4376 83D6.tmp 96 PID 1504 wrote to memory of 2096 1504 84B1.tmp 97 PID 1504 wrote to memory of 2096 1504 84B1.tmp 97 PID 1504 wrote to memory of 2096 1504 84B1.tmp 97 PID 2096 wrote to memory of 4508 2096 854D.tmp 98 PID 2096 wrote to memory of 4508 2096 854D.tmp 98 PID 2096 wrote to memory of 4508 2096 854D.tmp 98 PID 4508 wrote to memory of 4200 4508 85E9.tmp 99 PID 4508 wrote to memory of 4200 4508 85E9.tmp 99 PID 4508 wrote to memory of 4200 4508 85E9.tmp 99 PID 4200 wrote to memory of 3572 4200 86B4.tmp 102 PID 4200 wrote to memory of 3572 4200 86B4.tmp 102 PID 4200 wrote to memory of 3572 4200 86B4.tmp 102 PID 3572 wrote to memory of 2492 3572 8731.tmp 103 PID 3572 wrote to memory of 2492 3572 8731.tmp 103 PID 3572 wrote to memory of 2492 3572 8731.tmp 103 PID 2492 wrote to memory of 1500 2492 87FC.tmp 104 PID 2492 wrote to memory of 1500 2492 87FC.tmp 104 PID 2492 wrote to memory of 1500 2492 87FC.tmp 104 PID 1500 wrote to memory of 208 1500 88C7.tmp 105 PID 1500 wrote to memory of 208 1500 88C7.tmp 105 PID 1500 wrote to memory of 208 1500 88C7.tmp 105 PID 208 wrote to memory of 2724 208 8FAD.tmp 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\4e5bb394b5224e83aa96ec2267dddb06_mafia_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\7B6A.tmp"C:\Users\Admin\AppData\Local\Temp\7B6A.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Users\Admin\AppData\Local\Temp\7C15.tmp"C:\Users\Admin\AppData\Local\Temp\7C15.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"C:\Users\Admin\AppData\Local\Temp\7CD1.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\7D8C.tmp"C:\Users\Admin\AppData\Local\Temp\7D8C.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\7E86.tmp"C:\Users\Admin\AppData\Local\Temp\7E86.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\7F32.tmp"C:\Users\Admin\AppData\Local\Temp\7F32.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\7FDE.tmp"C:\Users\Admin\AppData\Local\Temp\7FDE.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\80A9.tmp"C:\Users\Admin\AppData\Local\Temp\80A9.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\8155.tmp"C:\Users\Admin\AppData\Local\Temp\8155.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\81F1.tmp"C:\Users\Admin\AppData\Local\Temp\81F1.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\829D.tmp"C:\Users\Admin\AppData\Local\Temp\829D.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\8359.tmp"C:\Users\Admin\AppData\Local\Temp\8359.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\83D6.tmp"C:\Users\Admin\AppData\Local\Temp\83D6.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\84B1.tmp"C:\Users\Admin\AppData\Local\Temp\84B1.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\854D.tmp"C:\Users\Admin\AppData\Local\Temp\854D.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\85E9.tmp"C:\Users\Admin\AppData\Local\Temp\85E9.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\86B4.tmp"C:\Users\Admin\AppData\Local\Temp\86B4.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\8731.tmp"C:\Users\Admin\AppData\Local\Temp\8731.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\87FC.tmp"C:\Users\Admin\AppData\Local\Temp\87FC.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\88C7.tmp"C:\Users\Admin\AppData\Local\Temp\88C7.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\8FAD.tmp"C:\Users\Admin\AppData\Local\Temp\8FAD.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Users\Admin\AppData\Local\Temp\9059.tmp"C:\Users\Admin\AppData\Local\Temp\9059.tmp"23⤵
- Executes dropped EXE
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\90F5.tmp"C:\Users\Admin\AppData\Local\Temp\90F5.tmp"24⤵
- Executes dropped EXE
PID:924 -
C:\Users\Admin\AppData\Local\Temp\91C0.tmp"C:\Users\Admin\AppData\Local\Temp\91C0.tmp"25⤵
- Executes dropped EXE
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\924D.tmp"C:\Users\Admin\AppData\Local\Temp\924D.tmp"26⤵
- Executes dropped EXE
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\92F9.tmp"C:\Users\Admin\AppData\Local\Temp\92F9.tmp"27⤵
- Executes dropped EXE
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\93C4.tmp"C:\Users\Admin\AppData\Local\Temp\93C4.tmp"28⤵
- Executes dropped EXE
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\947F.tmp"C:\Users\Admin\AppData\Local\Temp\947F.tmp"29⤵
- Executes dropped EXE
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\955A.tmp"C:\Users\Admin\AppData\Local\Temp\955A.tmp"30⤵
- Executes dropped EXE
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\95D7.tmp"C:\Users\Admin\AppData\Local\Temp\95D7.tmp"31⤵
- Executes dropped EXE
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\96C2.tmp"C:\Users\Admin\AppData\Local\Temp\96C2.tmp"32⤵
- Executes dropped EXE
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\97BC.tmp"C:\Users\Admin\AppData\Local\Temp\97BC.tmp"33⤵
- Executes dropped EXE
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\98A6.tmp"C:\Users\Admin\AppData\Local\Temp\98A6.tmp"34⤵
- Executes dropped EXE
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\9942.tmp"C:\Users\Admin\AppData\Local\Temp\9942.tmp"35⤵
- Executes dropped EXE
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\99DE.tmp"C:\Users\Admin\AppData\Local\Temp\99DE.tmp"36⤵
- Executes dropped EXE
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\9A6B.tmp"C:\Users\Admin\AppData\Local\Temp\9A6B.tmp"37⤵
- Executes dropped EXE
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\9B07.tmp"C:\Users\Admin\AppData\Local\Temp\9B07.tmp"38⤵
- Executes dropped EXE
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\9B94.tmp"C:\Users\Admin\AppData\Local\Temp\9B94.tmp"39⤵
- Executes dropped EXE
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\9C30.tmp"C:\Users\Admin\AppData\Local\Temp\9C30.tmp"40⤵
- Executes dropped EXE
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\9CAD.tmp"C:\Users\Admin\AppData\Local\Temp\9CAD.tmp"41⤵
- Executes dropped EXE
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\9D3A.tmp"C:\Users\Admin\AppData\Local\Temp\9D3A.tmp"42⤵
- Executes dropped EXE
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\9DE6.tmp"C:\Users\Admin\AppData\Local\Temp\9DE6.tmp"43⤵
- Executes dropped EXE
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\9E72.tmp"C:\Users\Admin\AppData\Local\Temp\9E72.tmp"44⤵
- Executes dropped EXE
PID:484 -
C:\Users\Admin\AppData\Local\Temp\9F0F.tmp"C:\Users\Admin\AppData\Local\Temp\9F0F.tmp"45⤵
- Executes dropped EXE
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\9F8C.tmp"C:\Users\Admin\AppData\Local\Temp\9F8C.tmp"46⤵
- Executes dropped EXE
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\A028.tmp"C:\Users\Admin\AppData\Local\Temp\A028.tmp"47⤵
- Executes dropped EXE
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\A0C4.tmp"C:\Users\Admin\AppData\Local\Temp\A0C4.tmp"48⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\A151.tmp"C:\Users\Admin\AppData\Local\Temp\A151.tmp"49⤵
- Executes dropped EXE
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\A1DD.tmp"C:\Users\Admin\AppData\Local\Temp\A1DD.tmp"50⤵
- Executes dropped EXE
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\A26A.tmp"C:\Users\Admin\AppData\Local\Temp\A26A.tmp"51⤵
- Executes dropped EXE
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\A316.tmp"C:\Users\Admin\AppData\Local\Temp\A316.tmp"52⤵
- Executes dropped EXE
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\A4EB.tmp"C:\Users\Admin\AppData\Local\Temp\A4EB.tmp"53⤵
- Executes dropped EXE
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\A558.tmp"C:\Users\Admin\AppData\Local\Temp\A558.tmp"54⤵
- Executes dropped EXE
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\A5C5.tmp"C:\Users\Admin\AppData\Local\Temp\A5C5.tmp"55⤵
- Executes dropped EXE
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\A671.tmp"C:\Users\Admin\AppData\Local\Temp\A671.tmp"56⤵
- Executes dropped EXE
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\A6FE.tmp"C:\Users\Admin\AppData\Local\Temp\A6FE.tmp"57⤵
- Executes dropped EXE
PID:3312 -
C:\Users\Admin\AppData\Local\Temp\A79A.tmp"C:\Users\Admin\AppData\Local\Temp\A79A.tmp"58⤵
- Executes dropped EXE
PID:3156 -
C:\Users\Admin\AppData\Local\Temp\A817.tmp"C:\Users\Admin\AppData\Local\Temp\A817.tmp"59⤵
- Executes dropped EXE
PID:876 -
C:\Users\Admin\AppData\Local\Temp\A894.tmp"C:\Users\Admin\AppData\Local\Temp\A894.tmp"60⤵
- Executes dropped EXE
PID:872 -
C:\Users\Admin\AppData\Local\Temp\A8F2.tmp"C:\Users\Admin\AppData\Local\Temp\A8F2.tmp"61⤵
- Executes dropped EXE
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\A940.tmp"C:\Users\Admin\AppData\Local\Temp\A940.tmp"62⤵
- Executes dropped EXE
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"63⤵
- Executes dropped EXE
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\A9FB.tmp"C:\Users\Admin\AppData\Local\Temp\A9FB.tmp"64⤵
- Executes dropped EXE
PID:216 -
C:\Users\Admin\AppData\Local\Temp\AA69.tmp"C:\Users\Admin\AppData\Local\Temp\AA69.tmp"65⤵
- Executes dropped EXE
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\AAF5.tmp"C:\Users\Admin\AppData\Local\Temp\AAF5.tmp"66⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\ABB1.tmp"C:\Users\Admin\AppData\Local\Temp\ABB1.tmp"67⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\AC3E.tmp"C:\Users\Admin\AppData\Local\Temp\AC3E.tmp"68⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\AC9B.tmp"C:\Users\Admin\AppData\Local\Temp\AC9B.tmp"69⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\ACF9.tmp"C:\Users\Admin\AppData\Local\Temp\ACF9.tmp"70⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\ADA5.tmp"C:\Users\Admin\AppData\Local\Temp\ADA5.tmp"71⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\AE12.tmp"C:\Users\Admin\AppData\Local\Temp\AE12.tmp"72⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\AE70.tmp"C:\Users\Admin\AppData\Local\Temp\AE70.tmp"73⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\AECE.tmp"C:\Users\Admin\AppData\Local\Temp\AECE.tmp"74⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\AF5A.tmp"C:\Users\Admin\AppData\Local\Temp\AF5A.tmp"75⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\AFD7.tmp"C:\Users\Admin\AppData\Local\Temp\AFD7.tmp"76⤵PID:3180
-
C:\Users\Admin\AppData\Local\Temp\B083.tmp"C:\Users\Admin\AppData\Local\Temp\B083.tmp"77⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\B100.tmp"C:\Users\Admin\AppData\Local\Temp\B100.tmp"78⤵PID:832
-
C:\Users\Admin\AppData\Local\Temp\B17D.tmp"C:\Users\Admin\AppData\Local\Temp\B17D.tmp"79⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\B1FA.tmp"C:\Users\Admin\AppData\Local\Temp\B1FA.tmp"80⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\B268.tmp"C:\Users\Admin\AppData\Local\Temp\B268.tmp"81⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\B2E5.tmp"C:\Users\Admin\AppData\Local\Temp\B2E5.tmp"82⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\B371.tmp"C:\Users\Admin\AppData\Local\Temp\B371.tmp"83⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\B40E.tmp"C:\Users\Admin\AppData\Local\Temp\B40E.tmp"84⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\B47B.tmp"C:\Users\Admin\AppData\Local\Temp\B47B.tmp"85⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\B4D9.tmp"C:\Users\Admin\AppData\Local\Temp\B4D9.tmp"86⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\B546.tmp"C:\Users\Admin\AppData\Local\Temp\B546.tmp"87⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\B5D3.tmp"C:\Users\Admin\AppData\Local\Temp\B5D3.tmp"88⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\B65F.tmp"C:\Users\Admin\AppData\Local\Temp\B65F.tmp"89⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"90⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\B788.tmp"C:\Users\Admin\AppData\Local\Temp\B788.tmp"91⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\B824.tmp"C:\Users\Admin\AppData\Local\Temp\B824.tmp"92⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"93⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\B93E.tmp"C:\Users\Admin\AppData\Local\Temp\B93E.tmp"94⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\B9CA.tmp"C:\Users\Admin\AppData\Local\Temp\B9CA.tmp"95⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\BA47.tmp"C:\Users\Admin\AppData\Local\Temp\BA47.tmp"96⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\BAD4.tmp"C:\Users\Admin\AppData\Local\Temp\BAD4.tmp"97⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\BB51.tmp"C:\Users\Admin\AppData\Local\Temp\BB51.tmp"98⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\BBCE.tmp"C:\Users\Admin\AppData\Local\Temp\BBCE.tmp"99⤵PID:732
-
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"100⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\BCC8.tmp"C:\Users\Admin\AppData\Local\Temp\BCC8.tmp"101⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\BD35.tmp"C:\Users\Admin\AppData\Local\Temp\BD35.tmp"102⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\BDB2.tmp"C:\Users\Admin\AppData\Local\Temp\BDB2.tmp"103⤵PID:2796
-
C:\Users\Admin\AppData\Local\Temp\BE2F.tmp"C:\Users\Admin\AppData\Local\Temp\BE2F.tmp"104⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\BECC.tmp"C:\Users\Admin\AppData\Local\Temp\BECC.tmp"105⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\BF49.tmp"C:\Users\Admin\AppData\Local\Temp\BF49.tmp"106⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\BFF4.tmp"C:\Users\Admin\AppData\Local\Temp\BFF4.tmp"107⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\C071.tmp"C:\Users\Admin\AppData\Local\Temp\C071.tmp"108⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\C12D.tmp"C:\Users\Admin\AppData\Local\Temp\C12D.tmp"109⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\C1BA.tmp"C:\Users\Admin\AppData\Local\Temp\C1BA.tmp"110⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\C246.tmp"C:\Users\Admin\AppData\Local\Temp\C246.tmp"111⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\C2B4.tmp"C:\Users\Admin\AppData\Local\Temp\C2B4.tmp"112⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\C331.tmp"C:\Users\Admin\AppData\Local\Temp\C331.tmp"113⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\C3CD.tmp"C:\Users\Admin\AppData\Local\Temp\C3CD.tmp"114⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\C469.tmp"C:\Users\Admin\AppData\Local\Temp\C469.tmp"115⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\C4E6.tmp"C:\Users\Admin\AppData\Local\Temp\C4E6.tmp"116⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\C582.tmp"C:\Users\Admin\AppData\Local\Temp\C582.tmp"117⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\C61F.tmp"C:\Users\Admin\AppData\Local\Temp\C61F.tmp"118⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\C6CA.tmp"C:\Users\Admin\AppData\Local\Temp\C6CA.tmp"119⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\C757.tmp"C:\Users\Admin\AppData\Local\Temp\C757.tmp"120⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\C803.tmp"C:\Users\Admin\AppData\Local\Temp\C803.tmp"121⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\C880.tmp"C:\Users\Admin\AppData\Local\Temp\C880.tmp"122⤵PID:2364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-