Analysis
-
max time kernel
151s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
22-08-2023 18:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe
Resource
win7-20230712-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe
-
Size
520KB
-
MD5
71b1cb47fdb6ba889f69e85b7f2d1db2
-
SHA1
a3bb46a8fa1fd89e362ff980f14401676ef05198
-
SHA256
adf2fa018c9cc92ea605a835b8c40a98d5e504e045f789997030989ce90c3dac
-
SHA512
739d11392a368da34e0a6a1d251b38ee40facdc1eba0c305271bb82eda130dd12c45448fd47b5b415d9002678c8c2494e7907c21d2d998ebff61d653dbfec3a2
-
SSDEEP
6144:lLvd/XzCjUIF1UuXLyQjmOH+JjL0XlfWQTlwgofA/TAPhqrHaU9CmeIs7znCmv8a:roRXOQjmOyCl+QTlw14Ko7omeZHCKNZ
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 372 11DD.tmp 3000 13C2.tmp 4356 148D.tmp 4508 1577.tmp 1388 1633.tmp 408 16DE.tmp 1876 179A.tmp 1940 1894.tmp 984 198E.tmp 1620 1A3A.tmp 5032 1B53.tmp 4524 1C1E.tmp 3328 1D28.tmp 4532 1E70.tmp 1428 1F4B.tmp 2680 2006.tmp 3340 2093.tmp 892 216E.tmp 1516 2219.tmp 2728 22D5.tmp 3916 23BF.tmp 3296 245C.tmp 3120 2507.tmp 1528 25B3.tmp 2588 2630.tmp 1008 26FB.tmp 4608 2798.tmp 3932 2853.tmp 528 28FF.tmp 4728 29CA.tmp 2128 2A86.tmp 2364 2B03.tmp 3756 2BDD.tmp 900 2C7A.tmp 3816 2D06.tmp 4836 2D93.tmp 1816 2E10.tmp 2860 2E8D.tmp 1844 2EFA.tmp 668 2F87.tmp 3628 2FF4.tmp 1936 3071.tmp 2168 314C.tmp 4808 3217.tmp 4756 3285.tmp 1520 3302.tmp 3704 33BD.tmp 820 3459.tmp 4996 34F6.tmp 2176 35A1.tmp 3852 361E.tmp 3824 36CA.tmp 1768 3738.tmp 5024 37D4.tmp 4228 3851.tmp 2468 38DE.tmp 1964 395B.tmp 2140 39E7.tmp 488 3A55.tmp 1960 3AE1.tmp 2824 3BCC.tmp 1204 3C87.tmp 2880 3CF4.tmp 2116 3D81.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1080 wrote to memory of 372 1080 71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe 81 PID 1080 wrote to memory of 372 1080 71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe 81 PID 1080 wrote to memory of 372 1080 71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe 81 PID 372 wrote to memory of 3000 372 11DD.tmp 82 PID 372 wrote to memory of 3000 372 11DD.tmp 82 PID 372 wrote to memory of 3000 372 11DD.tmp 82 PID 3000 wrote to memory of 4356 3000 13C2.tmp 83 PID 3000 wrote to memory of 4356 3000 13C2.tmp 83 PID 3000 wrote to memory of 4356 3000 13C2.tmp 83 PID 4356 wrote to memory of 4508 4356 148D.tmp 84 PID 4356 wrote to memory of 4508 4356 148D.tmp 84 PID 4356 wrote to memory of 4508 4356 148D.tmp 84 PID 4508 wrote to memory of 1388 4508 1577.tmp 85 PID 4508 wrote to memory of 1388 4508 1577.tmp 85 PID 4508 wrote to memory of 1388 4508 1577.tmp 85 PID 1388 wrote to memory of 408 1388 1633.tmp 86 PID 1388 wrote to memory of 408 1388 1633.tmp 86 PID 1388 wrote to memory of 408 1388 1633.tmp 86 PID 408 wrote to memory of 1876 408 16DE.tmp 87 PID 408 wrote to memory of 1876 408 16DE.tmp 87 PID 408 wrote to memory of 1876 408 16DE.tmp 87 PID 1876 wrote to memory of 1940 1876 179A.tmp 88 PID 1876 wrote to memory of 1940 1876 179A.tmp 88 PID 1876 wrote to memory of 1940 1876 179A.tmp 88 PID 1940 wrote to memory of 984 1940 1894.tmp 89 PID 1940 wrote to memory of 984 1940 1894.tmp 89 PID 1940 wrote to memory of 984 1940 1894.tmp 89 PID 984 wrote to memory of 1620 984 198E.tmp 90 PID 984 wrote to memory of 1620 984 198E.tmp 90 PID 984 wrote to memory of 1620 984 198E.tmp 90 PID 1620 wrote to memory of 5032 1620 1A3A.tmp 91 PID 1620 wrote to memory of 5032 1620 1A3A.tmp 91 PID 1620 wrote to memory of 5032 1620 1A3A.tmp 91 PID 5032 wrote to memory of 4524 5032 1B53.tmp 92 PID 5032 wrote to memory of 4524 5032 1B53.tmp 92 PID 5032 wrote to memory of 4524 5032 1B53.tmp 92 PID 4524 wrote to memory of 3328 4524 1C1E.tmp 93 PID 4524 wrote to memory of 3328 4524 1C1E.tmp 93 PID 4524 wrote to memory of 3328 4524 1C1E.tmp 93 PID 3328 wrote to memory of 4532 3328 1D28.tmp 94 PID 3328 wrote to memory of 4532 3328 1D28.tmp 94 PID 3328 wrote to memory of 4532 3328 1D28.tmp 94 PID 4532 wrote to memory of 1428 4532 1E70.tmp 95 PID 4532 wrote to memory of 1428 4532 1E70.tmp 95 PID 4532 wrote to memory of 1428 4532 1E70.tmp 95 PID 1428 wrote to memory of 2680 1428 1F4B.tmp 97 PID 1428 wrote to memory of 2680 1428 1F4B.tmp 97 PID 1428 wrote to memory of 2680 1428 1F4B.tmp 97 PID 2680 wrote to memory of 3340 2680 2006.tmp 98 PID 2680 wrote to memory of 3340 2680 2006.tmp 98 PID 2680 wrote to memory of 3340 2680 2006.tmp 98 PID 3340 wrote to memory of 892 3340 2093.tmp 99 PID 3340 wrote to memory of 892 3340 2093.tmp 99 PID 3340 wrote to memory of 892 3340 2093.tmp 99 PID 892 wrote to memory of 1516 892 216E.tmp 100 PID 892 wrote to memory of 1516 892 216E.tmp 100 PID 892 wrote to memory of 1516 892 216E.tmp 100 PID 1516 wrote to memory of 2728 1516 2219.tmp 101 PID 1516 wrote to memory of 2728 1516 2219.tmp 101 PID 1516 wrote to memory of 2728 1516 2219.tmp 101 PID 2728 wrote to memory of 3916 2728 22D5.tmp 102 PID 2728 wrote to memory of 3916 2728 22D5.tmp 102 PID 2728 wrote to memory of 3916 2728 22D5.tmp 102 PID 3916 wrote to memory of 3296 3916 23BF.tmp 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\71b1cb47fdb6ba889f69e85b7f2d1db2_mafia_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\11DD.tmp"C:\Users\Admin\AppData\Local\Temp\11DD.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Users\Admin\AppData\Local\Temp\13C2.tmp"C:\Users\Admin\AppData\Local\Temp\13C2.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\148D.tmp"C:\Users\Admin\AppData\Local\Temp\148D.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\1577.tmp"C:\Users\Admin\AppData\Local\Temp\1577.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\1633.tmp"C:\Users\Admin\AppData\Local\Temp\1633.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\16DE.tmp"C:\Users\Admin\AppData\Local\Temp\16DE.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Users\Admin\AppData\Local\Temp\179A.tmp"C:\Users\Admin\AppData\Local\Temp\179A.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\1894.tmp"C:\Users\Admin\AppData\Local\Temp\1894.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\198E.tmp"C:\Users\Admin\AppData\Local\Temp\198E.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Users\Admin\AppData\Local\Temp\1A3A.tmp"C:\Users\Admin\AppData\Local\Temp\1A3A.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\1B53.tmp"C:\Users\Admin\AppData\Local\Temp\1B53.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\1C1E.tmp"C:\Users\Admin\AppData\Local\Temp\1C1E.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\1D28.tmp"C:\Users\Admin\AppData\Local\Temp\1D28.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\1E70.tmp"C:\Users\Admin\AppData\Local\Temp\1E70.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\1F4B.tmp"C:\Users\Admin\AppData\Local\Temp\1F4B.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\2006.tmp"C:\Users\Admin\AppData\Local\Temp\2006.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\2093.tmp"C:\Users\Admin\AppData\Local\Temp\2093.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\216E.tmp"C:\Users\Admin\AppData\Local\Temp\216E.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Users\Admin\AppData\Local\Temp\2219.tmp"C:\Users\Admin\AppData\Local\Temp\2219.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\22D5.tmp"C:\Users\Admin\AppData\Local\Temp\22D5.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\23BF.tmp"C:\Users\Admin\AppData\Local\Temp\23BF.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\245C.tmp"C:\Users\Admin\AppData\Local\Temp\245C.tmp"23⤵
- Executes dropped EXE
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\2507.tmp"C:\Users\Admin\AppData\Local\Temp\2507.tmp"24⤵
- Executes dropped EXE
PID:3120 -
C:\Users\Admin\AppData\Local\Temp\25B3.tmp"C:\Users\Admin\AppData\Local\Temp\25B3.tmp"25⤵
- Executes dropped EXE
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\2630.tmp"C:\Users\Admin\AppData\Local\Temp\2630.tmp"26⤵
- Executes dropped EXE
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\26FB.tmp"C:\Users\Admin\AppData\Local\Temp\26FB.tmp"27⤵
- Executes dropped EXE
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\2798.tmp"C:\Users\Admin\AppData\Local\Temp\2798.tmp"28⤵
- Executes dropped EXE
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\2853.tmp"C:\Users\Admin\AppData\Local\Temp\2853.tmp"29⤵
- Executes dropped EXE
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\28FF.tmp"C:\Users\Admin\AppData\Local\Temp\28FF.tmp"30⤵
- Executes dropped EXE
PID:528 -
C:\Users\Admin\AppData\Local\Temp\29CA.tmp"C:\Users\Admin\AppData\Local\Temp\29CA.tmp"31⤵
- Executes dropped EXE
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\2A86.tmp"C:\Users\Admin\AppData\Local\Temp\2A86.tmp"32⤵
- Executes dropped EXE
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\2B03.tmp"C:\Users\Admin\AppData\Local\Temp\2B03.tmp"33⤵
- Executes dropped EXE
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\2BDD.tmp"C:\Users\Admin\AppData\Local\Temp\2BDD.tmp"34⤵
- Executes dropped EXE
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\2C7A.tmp"C:\Users\Admin\AppData\Local\Temp\2C7A.tmp"35⤵
- Executes dropped EXE
PID:900 -
C:\Users\Admin\AppData\Local\Temp\2D06.tmp"C:\Users\Admin\AppData\Local\Temp\2D06.tmp"36⤵
- Executes dropped EXE
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\2D93.tmp"C:\Users\Admin\AppData\Local\Temp\2D93.tmp"37⤵
- Executes dropped EXE
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\2E10.tmp"C:\Users\Admin\AppData\Local\Temp\2E10.tmp"38⤵
- Executes dropped EXE
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\2E8D.tmp"C:\Users\Admin\AppData\Local\Temp\2E8D.tmp"39⤵
- Executes dropped EXE
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\2EFA.tmp"C:\Users\Admin\AppData\Local\Temp\2EFA.tmp"40⤵
- Executes dropped EXE
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\2F87.tmp"C:\Users\Admin\AppData\Local\Temp\2F87.tmp"41⤵
- Executes dropped EXE
PID:668 -
C:\Users\Admin\AppData\Local\Temp\2FF4.tmp"C:\Users\Admin\AppData\Local\Temp\2FF4.tmp"42⤵
- Executes dropped EXE
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\3071.tmp"C:\Users\Admin\AppData\Local\Temp\3071.tmp"43⤵
- Executes dropped EXE
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\314C.tmp"C:\Users\Admin\AppData\Local\Temp\314C.tmp"44⤵
- Executes dropped EXE
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\3217.tmp"C:\Users\Admin\AppData\Local\Temp\3217.tmp"45⤵
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\3285.tmp"C:\Users\Admin\AppData\Local\Temp\3285.tmp"46⤵
- Executes dropped EXE
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\3302.tmp"C:\Users\Admin\AppData\Local\Temp\3302.tmp"47⤵
- Executes dropped EXE
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\33BD.tmp"C:\Users\Admin\AppData\Local\Temp\33BD.tmp"48⤵
- Executes dropped EXE
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\3459.tmp"C:\Users\Admin\AppData\Local\Temp\3459.tmp"49⤵
- Executes dropped EXE
PID:820 -
C:\Users\Admin\AppData\Local\Temp\34F6.tmp"C:\Users\Admin\AppData\Local\Temp\34F6.tmp"50⤵
- Executes dropped EXE
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\35A1.tmp"C:\Users\Admin\AppData\Local\Temp\35A1.tmp"51⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\361E.tmp"C:\Users\Admin\AppData\Local\Temp\361E.tmp"52⤵
- Executes dropped EXE
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\36CA.tmp"C:\Users\Admin\AppData\Local\Temp\36CA.tmp"53⤵
- Executes dropped EXE
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\3738.tmp"C:\Users\Admin\AppData\Local\Temp\3738.tmp"54⤵
- Executes dropped EXE
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\37D4.tmp"C:\Users\Admin\AppData\Local\Temp\37D4.tmp"55⤵
- Executes dropped EXE
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\3851.tmp"C:\Users\Admin\AppData\Local\Temp\3851.tmp"56⤵
- Executes dropped EXE
PID:4228 -
C:\Users\Admin\AppData\Local\Temp\38DE.tmp"C:\Users\Admin\AppData\Local\Temp\38DE.tmp"57⤵
- Executes dropped EXE
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\395B.tmp"C:\Users\Admin\AppData\Local\Temp\395B.tmp"58⤵
- Executes dropped EXE
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\39E7.tmp"C:\Users\Admin\AppData\Local\Temp\39E7.tmp"59⤵
- Executes dropped EXE
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\3A55.tmp"C:\Users\Admin\AppData\Local\Temp\3A55.tmp"60⤵
- Executes dropped EXE
PID:488 -
C:\Users\Admin\AppData\Local\Temp\3AE1.tmp"C:\Users\Admin\AppData\Local\Temp\3AE1.tmp"61⤵
- Executes dropped EXE
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\3BCC.tmp"C:\Users\Admin\AppData\Local\Temp\3BCC.tmp"62⤵
- Executes dropped EXE
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\3C87.tmp"C:\Users\Admin\AppData\Local\Temp\3C87.tmp"63⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\3CF4.tmp"C:\Users\Admin\AppData\Local\Temp\3CF4.tmp"64⤵
- Executes dropped EXE
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\3D81.tmp"C:\Users\Admin\AppData\Local\Temp\3D81.tmp"65⤵
- Executes dropped EXE
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\3E0E.tmp"C:\Users\Admin\AppData\Local\Temp\3E0E.tmp"66⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\3E8B.tmp"C:\Users\Admin\AppData\Local\Temp\3E8B.tmp"67⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\3F37.tmp"C:\Users\Admin\AppData\Local\Temp\3F37.tmp"68⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\3FB4.tmp"C:\Users\Admin\AppData\Local\Temp\3FB4.tmp"69⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\4050.tmp"C:\Users\Admin\AppData\Local\Temp\4050.tmp"70⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\40FC.tmp"C:\Users\Admin\AppData\Local\Temp\40FC.tmp"71⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\4188.tmp"C:\Users\Admin\AppData\Local\Temp\4188.tmp"72⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\4225.tmp"C:\Users\Admin\AppData\Local\Temp\4225.tmp"73⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\42C1.tmp"C:\Users\Admin\AppData\Local\Temp\42C1.tmp"74⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\434D.tmp"C:\Users\Admin\AppData\Local\Temp\434D.tmp"75⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\43DA.tmp"C:\Users\Admin\AppData\Local\Temp\43DA.tmp"76⤵PID:572
-
C:\Users\Admin\AppData\Local\Temp\4467.tmp"C:\Users\Admin\AppData\Local\Temp\4467.tmp"77⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\4513.tmp"C:\Users\Admin\AppData\Local\Temp\4513.tmp"78⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\45AF.tmp"C:\Users\Admin\AppData\Local\Temp\45AF.tmp"79⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\464B.tmp"C:\Users\Admin\AppData\Local\Temp\464B.tmp"80⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\46C8.tmp"C:\Users\Admin\AppData\Local\Temp\46C8.tmp"81⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\4745.tmp"C:\Users\Admin\AppData\Local\Temp\4745.tmp"82⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\47D2.tmp"C:\Users\Admin\AppData\Local\Temp\47D2.tmp"83⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\484F.tmp"C:\Users\Admin\AppData\Local\Temp\484F.tmp"84⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\48BC.tmp"C:\Users\Admin\AppData\Local\Temp\48BC.tmp"85⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\4929.tmp"C:\Users\Admin\AppData\Local\Temp\4929.tmp"86⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\49A6.tmp"C:\Users\Admin\AppData\Local\Temp\49A6.tmp"87⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\4A33.tmp"C:\Users\Admin\AppData\Local\Temp\4A33.tmp"88⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\4ACF.tmp"C:\Users\Admin\AppData\Local\Temp\4ACF.tmp"89⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\4B4C.tmp"C:\Users\Admin\AppData\Local\Temp\4B4C.tmp"90⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\4BE9.tmp"C:\Users\Admin\AppData\Local\Temp\4BE9.tmp"91⤵PID:528
-
C:\Users\Admin\AppData\Local\Temp\4C66.tmp"C:\Users\Admin\AppData\Local\Temp\4C66.tmp"92⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\4CE3.tmp"C:\Users\Admin\AppData\Local\Temp\4CE3.tmp"93⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\4D60.tmp"C:\Users\Admin\AppData\Local\Temp\4D60.tmp"94⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\4DDD.tmp"C:\Users\Admin\AppData\Local\Temp\4DDD.tmp"95⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\4F63.tmp"C:\Users\Admin\AppData\Local\Temp\4F63.tmp"96⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\500F.tmp"C:\Users\Admin\AppData\Local\Temp\500F.tmp"97⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\50BB.tmp"C:\Users\Admin\AppData\Local\Temp\50BB.tmp"98⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\5157.tmp"C:\Users\Admin\AppData\Local\Temp\5157.tmp"99⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\51F3.tmp"C:\Users\Admin\AppData\Local\Temp\51F3.tmp"100⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\5270.tmp"C:\Users\Admin\AppData\Local\Temp\5270.tmp"101⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\52FD.tmp"C:\Users\Admin\AppData\Local\Temp\52FD.tmp"102⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\5399.tmp"C:\Users\Admin\AppData\Local\Temp\5399.tmp"103⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\5426.tmp"C:\Users\Admin\AppData\Local\Temp\5426.tmp"104⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\54A3.tmp"C:\Users\Admin\AppData\Local\Temp\54A3.tmp"105⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\5510.tmp"C:\Users\Admin\AppData\Local\Temp\5510.tmp"106⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\55DB.tmp"C:\Users\Admin\AppData\Local\Temp\55DB.tmp"107⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\5658.tmp"C:\Users\Admin\AppData\Local\Temp\5658.tmp"108⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\56E5.tmp"C:\Users\Admin\AppData\Local\Temp\56E5.tmp"109⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\5772.tmp"C:\Users\Admin\AppData\Local\Temp\5772.tmp"110⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\57DF.tmp"C:\Users\Admin\AppData\Local\Temp\57DF.tmp"111⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\585C.tmp"C:\Users\Admin\AppData\Local\Temp\585C.tmp"112⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\58D9.tmp"C:\Users\Admin\AppData\Local\Temp\58D9.tmp"113⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\5966.tmp"C:\Users\Admin\AppData\Local\Temp\5966.tmp"114⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\59F2.tmp"C:\Users\Admin\AppData\Local\Temp\59F2.tmp"115⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\5A8F.tmp"C:\Users\Admin\AppData\Local\Temp\5A8F.tmp"116⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\5B0C.tmp"C:\Users\Admin\AppData\Local\Temp\5B0C.tmp"117⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\5B89.tmp"C:\Users\Admin\AppData\Local\Temp\5B89.tmp"118⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\5C06.tmp"C:\Users\Admin\AppData\Local\Temp\5C06.tmp"119⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\5C83.tmp"C:\Users\Admin\AppData\Local\Temp\5C83.tmp"120⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\5CF0.tmp"C:\Users\Admin\AppData\Local\Temp\5CF0.tmp"121⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\5D9C.tmp"C:\Users\Admin\AppData\Local\Temp\5D9C.tmp"122⤵PID:1184
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-