Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
24-08-2023 18:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe
Resource
win7-20230712-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe
-
Size
520KB
-
MD5
87b8e4e778069eb3660ce6a96cd2403b
-
SHA1
1c349fec77f0afedcfe28f23911574ba65994a0b
-
SHA256
0cbf035a02b553257c11752cd309c249b0b897d0c8387e401d16c1c64fd66c66
-
SHA512
5a487ea755fc3ed639930b90ed8818a5e69f21e7efd392119a6f23cce146b465eb178088cb50e9c9db5169dae8a15c6e21d360c0740ff19b059e6b1d6041deca
-
SSDEEP
12288:XbB1mLVrShFkeuLY9RvCicDJF4etTw3pUBxy3aGjdapgNZ:XbGLshSNO5Cic9F4etU36BlAlN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2112 9B07.tmp 1664 9BF2.tmp 2776 9CAD.tmp 4084 9D88.tmp 5060 9E82.tmp 3608 9F2E.tmp 3888 9FE9.tmp 2136 A0B4.tmp 4208 A180.tmp 4016 A21C.tmp 4300 A2B8.tmp 4892 A3C2.tmp 4200 A46E.tmp 2064 A558.tmp 3376 A604.tmp 4668 A6CF.tmp 2512 A950.tmp 2296 AA3A.tmp 1780 AAD6.tmp 4880 ABEF.tmp 3456 AD18.tmp 4140 AE03.tmp 4356 AEBE.tmp 3164 AFC8.tmp 116 B0A3.tmp 4648 B14E.tmp 4796 B229.tmp 3632 B304.tmp 3060 B3EE.tmp 4224 B4B9.tmp 2524 B575.tmp 1120 B650.tmp 4964 B6FC.tmp 2240 B779.tmp 1880 B815.tmp 452 B8B1.tmp 904 B93E.tmp 932 B9EA.tmp 1104 BA76.tmp 776 BAE4.tmp 2684 BB80.tmp 3784 BBFD.tmp 1876 BC7A.tmp 1452 BD06.tmp 4460 BDA3.tmp 4420 BE10.tmp 4684 BE7D.tmp 4248 BEDB.tmp 2272 BF58.tmp 1636 C004.tmp 4352 C0A0.tmp 1796 C12D.tmp 4272 C1BA.tmp 2572 C256.tmp 3068 C2E2.tmp 4852 C37F.tmp 2828 C41B.tmp 2060 C4A8.tmp 988 C515.tmp 3768 C592.tmp 3740 C62E.tmp 5056 C6AB.tmp 4636 C747.tmp 4488 C7F3.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 316 wrote to memory of 2112 316 87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe 82 PID 316 wrote to memory of 2112 316 87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe 82 PID 316 wrote to memory of 2112 316 87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe 82 PID 2112 wrote to memory of 1664 2112 9B07.tmp 83 PID 2112 wrote to memory of 1664 2112 9B07.tmp 83 PID 2112 wrote to memory of 1664 2112 9B07.tmp 83 PID 1664 wrote to memory of 2776 1664 9BF2.tmp 84 PID 1664 wrote to memory of 2776 1664 9BF2.tmp 84 PID 1664 wrote to memory of 2776 1664 9BF2.tmp 84 PID 2776 wrote to memory of 4084 2776 9CAD.tmp 85 PID 2776 wrote to memory of 4084 2776 9CAD.tmp 85 PID 2776 wrote to memory of 4084 2776 9CAD.tmp 85 PID 4084 wrote to memory of 5060 4084 9D88.tmp 86 PID 4084 wrote to memory of 5060 4084 9D88.tmp 86 PID 4084 wrote to memory of 5060 4084 9D88.tmp 86 PID 5060 wrote to memory of 3608 5060 9E82.tmp 87 PID 5060 wrote to memory of 3608 5060 9E82.tmp 87 PID 5060 wrote to memory of 3608 5060 9E82.tmp 87 PID 3608 wrote to memory of 3888 3608 9F2E.tmp 88 PID 3608 wrote to memory of 3888 3608 9F2E.tmp 88 PID 3608 wrote to memory of 3888 3608 9F2E.tmp 88 PID 3888 wrote to memory of 2136 3888 9FE9.tmp 89 PID 3888 wrote to memory of 2136 3888 9FE9.tmp 89 PID 3888 wrote to memory of 2136 3888 9FE9.tmp 89 PID 2136 wrote to memory of 4208 2136 A0B4.tmp 90 PID 2136 wrote to memory of 4208 2136 A0B4.tmp 90 PID 2136 wrote to memory of 4208 2136 A0B4.tmp 90 PID 4208 wrote to memory of 4016 4208 A180.tmp 91 PID 4208 wrote to memory of 4016 4208 A180.tmp 91 PID 4208 wrote to memory of 4016 4208 A180.tmp 91 PID 4016 wrote to memory of 4300 4016 A21C.tmp 92 PID 4016 wrote to memory of 4300 4016 A21C.tmp 92 PID 4016 wrote to memory of 4300 4016 A21C.tmp 92 PID 4300 wrote to memory of 4892 4300 A2B8.tmp 93 PID 4300 wrote to memory of 4892 4300 A2B8.tmp 93 PID 4300 wrote to memory of 4892 4300 A2B8.tmp 93 PID 4892 wrote to memory of 4200 4892 A3C2.tmp 94 PID 4892 wrote to memory of 4200 4892 A3C2.tmp 94 PID 4892 wrote to memory of 4200 4892 A3C2.tmp 94 PID 4200 wrote to memory of 2064 4200 A46E.tmp 95 PID 4200 wrote to memory of 2064 4200 A46E.tmp 95 PID 4200 wrote to memory of 2064 4200 A46E.tmp 95 PID 2064 wrote to memory of 3376 2064 A558.tmp 96 PID 2064 wrote to memory of 3376 2064 A558.tmp 96 PID 2064 wrote to memory of 3376 2064 A558.tmp 96 PID 3376 wrote to memory of 4668 3376 A604.tmp 97 PID 3376 wrote to memory of 4668 3376 A604.tmp 97 PID 3376 wrote to memory of 4668 3376 A604.tmp 97 PID 4668 wrote to memory of 2512 4668 A6CF.tmp 98 PID 4668 wrote to memory of 2512 4668 A6CF.tmp 98 PID 4668 wrote to memory of 2512 4668 A6CF.tmp 98 PID 2512 wrote to memory of 2296 2512 A950.tmp 99 PID 2512 wrote to memory of 2296 2512 A950.tmp 99 PID 2512 wrote to memory of 2296 2512 A950.tmp 99 PID 2296 wrote to memory of 1780 2296 AA3A.tmp 100 PID 2296 wrote to memory of 1780 2296 AA3A.tmp 100 PID 2296 wrote to memory of 1780 2296 AA3A.tmp 100 PID 1780 wrote to memory of 4880 1780 AAD6.tmp 101 PID 1780 wrote to memory of 4880 1780 AAD6.tmp 101 PID 1780 wrote to memory of 4880 1780 AAD6.tmp 101 PID 4880 wrote to memory of 3456 4880 ABEF.tmp 102 PID 4880 wrote to memory of 3456 4880 ABEF.tmp 102 PID 4880 wrote to memory of 3456 4880 ABEF.tmp 102 PID 3456 wrote to memory of 4140 3456 AD18.tmp 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\87b8e4e778069eb3660ce6a96cd2403b_mafia_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Users\Admin\AppData\Local\Temp\9B07.tmp"C:\Users\Admin\AppData\Local\Temp\9B07.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\9BF2.tmp"C:\Users\Admin\AppData\Local\Temp\9BF2.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\9CAD.tmp"C:\Users\Admin\AppData\Local\Temp\9CAD.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\9D88.tmp"C:\Users\Admin\AppData\Local\Temp\9D88.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\9E82.tmp"C:\Users\Admin\AppData\Local\Temp\9E82.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\9F2E.tmp"C:\Users\Admin\AppData\Local\Temp\9F2E.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"C:\Users\Admin\AppData\Local\Temp\A0B4.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\A180.tmp"C:\Users\Admin\AppData\Local\Temp\A180.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\A21C.tmp"C:\Users\Admin\AppData\Local\Temp\A21C.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\A2B8.tmp"C:\Users\Admin\AppData\Local\Temp\A2B8.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\A46E.tmp"C:\Users\Admin\AppData\Local\Temp\A46E.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\A558.tmp"C:\Users\Admin\AppData\Local\Temp\A558.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\A604.tmp"C:\Users\Admin\AppData\Local\Temp\A604.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Users\Admin\AppData\Local\Temp\A6CF.tmp"C:\Users\Admin\AppData\Local\Temp\A6CF.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\A950.tmp"C:\Users\Admin\AppData\Local\Temp\A950.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\AA3A.tmp"C:\Users\Admin\AppData\Local\Temp\AA3A.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\AAD6.tmp"C:\Users\Admin\AppData\Local\Temp\AAD6.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\ABEF.tmp"C:\Users\Admin\AppData\Local\Temp\ABEF.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\AD18.tmp"C:\Users\Admin\AppData\Local\Temp\AD18.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\AE03.tmp"C:\Users\Admin\AppData\Local\Temp\AE03.tmp"23⤵
- Executes dropped EXE
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\AEBE.tmp"C:\Users\Admin\AppData\Local\Temp\AEBE.tmp"24⤵
- Executes dropped EXE
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\AFC8.tmp"C:\Users\Admin\AppData\Local\Temp\AFC8.tmp"25⤵
- Executes dropped EXE
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\B0A3.tmp"C:\Users\Admin\AppData\Local\Temp\B0A3.tmp"26⤵
- Executes dropped EXE
PID:116 -
C:\Users\Admin\AppData\Local\Temp\B14E.tmp"C:\Users\Admin\AppData\Local\Temp\B14E.tmp"27⤵
- Executes dropped EXE
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\B229.tmp"C:\Users\Admin\AppData\Local\Temp\B229.tmp"28⤵
- Executes dropped EXE
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\B304.tmp"C:\Users\Admin\AppData\Local\Temp\B304.tmp"29⤵
- Executes dropped EXE
PID:3632 -
C:\Users\Admin\AppData\Local\Temp\B3EE.tmp"C:\Users\Admin\AppData\Local\Temp\B3EE.tmp"30⤵
- Executes dropped EXE
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\B4B9.tmp"C:\Users\Admin\AppData\Local\Temp\B4B9.tmp"31⤵
- Executes dropped EXE
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\B575.tmp"C:\Users\Admin\AppData\Local\Temp\B575.tmp"32⤵
- Executes dropped EXE
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\B650.tmp"C:\Users\Admin\AppData\Local\Temp\B650.tmp"33⤵
- Executes dropped EXE
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"C:\Users\Admin\AppData\Local\Temp\B6FC.tmp"34⤵
- Executes dropped EXE
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\B779.tmp"C:\Users\Admin\AppData\Local\Temp\B779.tmp"35⤵
- Executes dropped EXE
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\B815.tmp"C:\Users\Admin\AppData\Local\Temp\B815.tmp"36⤵
- Executes dropped EXE
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"C:\Users\Admin\AppData\Local\Temp\B8B1.tmp"37⤵
- Executes dropped EXE
PID:452 -
C:\Users\Admin\AppData\Local\Temp\B93E.tmp"C:\Users\Admin\AppData\Local\Temp\B93E.tmp"38⤵
- Executes dropped EXE
PID:904 -
C:\Users\Admin\AppData\Local\Temp\B9EA.tmp"C:\Users\Admin\AppData\Local\Temp\B9EA.tmp"39⤵
- Executes dropped EXE
PID:932 -
C:\Users\Admin\AppData\Local\Temp\BA76.tmp"C:\Users\Admin\AppData\Local\Temp\BA76.tmp"40⤵
- Executes dropped EXE
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\BAE4.tmp"C:\Users\Admin\AppData\Local\Temp\BAE4.tmp"41⤵
- Executes dropped EXE
PID:776 -
C:\Users\Admin\AppData\Local\Temp\BB80.tmp"C:\Users\Admin\AppData\Local\Temp\BB80.tmp"42⤵
- Executes dropped EXE
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\BBFD.tmp"C:\Users\Admin\AppData\Local\Temp\BBFD.tmp"43⤵
- Executes dropped EXE
PID:3784 -
C:\Users\Admin\AppData\Local\Temp\BC7A.tmp"C:\Users\Admin\AppData\Local\Temp\BC7A.tmp"44⤵
- Executes dropped EXE
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\BD06.tmp"C:\Users\Admin\AppData\Local\Temp\BD06.tmp"45⤵
- Executes dropped EXE
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\BDA3.tmp"C:\Users\Admin\AppData\Local\Temp\BDA3.tmp"46⤵
- Executes dropped EXE
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\BE10.tmp"C:\Users\Admin\AppData\Local\Temp\BE10.tmp"47⤵
- Executes dropped EXE
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\BE7D.tmp"C:\Users\Admin\AppData\Local\Temp\BE7D.tmp"48⤵
- Executes dropped EXE
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\BEDB.tmp"C:\Users\Admin\AppData\Local\Temp\BEDB.tmp"49⤵
- Executes dropped EXE
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\BF58.tmp"C:\Users\Admin\AppData\Local\Temp\BF58.tmp"50⤵
- Executes dropped EXE
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\C004.tmp"C:\Users\Admin\AppData\Local\Temp\C004.tmp"51⤵
- Executes dropped EXE
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\C0A0.tmp"C:\Users\Admin\AppData\Local\Temp\C0A0.tmp"52⤵
- Executes dropped EXE
PID:4352 -
C:\Users\Admin\AppData\Local\Temp\C12D.tmp"C:\Users\Admin\AppData\Local\Temp\C12D.tmp"53⤵
- Executes dropped EXE
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\C1BA.tmp"C:\Users\Admin\AppData\Local\Temp\C1BA.tmp"54⤵
- Executes dropped EXE
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\C256.tmp"C:\Users\Admin\AppData\Local\Temp\C256.tmp"55⤵
- Executes dropped EXE
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\C2E2.tmp"C:\Users\Admin\AppData\Local\Temp\C2E2.tmp"56⤵
- Executes dropped EXE
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\C37F.tmp"C:\Users\Admin\AppData\Local\Temp\C37F.tmp"57⤵
- Executes dropped EXE
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\C41B.tmp"C:\Users\Admin\AppData\Local\Temp\C41B.tmp"58⤵
- Executes dropped EXE
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\C4A8.tmp"C:\Users\Admin\AppData\Local\Temp\C4A8.tmp"59⤵
- Executes dropped EXE
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\C515.tmp"C:\Users\Admin\AppData\Local\Temp\C515.tmp"60⤵
- Executes dropped EXE
PID:988 -
C:\Users\Admin\AppData\Local\Temp\C592.tmp"C:\Users\Admin\AppData\Local\Temp\C592.tmp"61⤵
- Executes dropped EXE
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\C62E.tmp"C:\Users\Admin\AppData\Local\Temp\C62E.tmp"62⤵
- Executes dropped EXE
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\C6AB.tmp"C:\Users\Admin\AppData\Local\Temp\C6AB.tmp"63⤵
- Executes dropped EXE
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\C747.tmp"C:\Users\Admin\AppData\Local\Temp\C747.tmp"64⤵
- Executes dropped EXE
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\C7F3.tmp"C:\Users\Admin\AppData\Local\Temp\C7F3.tmp"65⤵
- Executes dropped EXE
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\C890.tmp"C:\Users\Admin\AppData\Local\Temp\C890.tmp"66⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\C90D.tmp"C:\Users\Admin\AppData\Local\Temp\C90D.tmp"67⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\CC39.tmp"C:\Users\Admin\AppData\Local\Temp\CC39.tmp"68⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\CCC6.tmp"C:\Users\Admin\AppData\Local\Temp\CCC6.tmp"69⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\CD72.tmp"C:\Users\Admin\AppData\Local\Temp\CD72.tmp"70⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\CE2D.tmp"C:\Users\Admin\AppData\Local\Temp\CE2D.tmp"71⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\CEBA.tmp"C:\Users\Admin\AppData\Local\Temp\CEBA.tmp"72⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\CF37.tmp"C:\Users\Admin\AppData\Local\Temp\CF37.tmp"73⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\CFC3.tmp"C:\Users\Admin\AppData\Local\Temp\CFC3.tmp"74⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\D07F.tmp"C:\Users\Admin\AppData\Local\Temp\D07F.tmp"75⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\D0FC.tmp"C:\Users\Admin\AppData\Local\Temp\D0FC.tmp"76⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\D188.tmp"C:\Users\Admin\AppData\Local\Temp\D188.tmp"77⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\D205.tmp"C:\Users\Admin\AppData\Local\Temp\D205.tmp"78⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\D292.tmp"C:\Users\Admin\AppData\Local\Temp\D292.tmp"79⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\D31F.tmp"C:\Users\Admin\AppData\Local\Temp\D31F.tmp"80⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\D3CB.tmp"C:\Users\Admin\AppData\Local\Temp\D3CB.tmp"81⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\D457.tmp"C:\Users\Admin\AppData\Local\Temp\D457.tmp"82⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\D4F3.tmp"C:\Users\Admin\AppData\Local\Temp\D4F3.tmp"83⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\D580.tmp"C:\Users\Admin\AppData\Local\Temp\D580.tmp"84⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\D62C.tmp"C:\Users\Admin\AppData\Local\Temp\D62C.tmp"85⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\D6D8.tmp"C:\Users\Admin\AppData\Local\Temp\D6D8.tmp"86⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\D774.tmp"C:\Users\Admin\AppData\Local\Temp\D774.tmp"87⤵PID:700
-
C:\Users\Admin\AppData\Local\Temp\D801.tmp"C:\Users\Admin\AppData\Local\Temp\D801.tmp"88⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\D88D.tmp"C:\Users\Admin\AppData\Local\Temp\D88D.tmp"89⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\D91A.tmp"C:\Users\Admin\AppData\Local\Temp\D91A.tmp"90⤵PID:1368
-
C:\Users\Admin\AppData\Local\Temp\D9C6.tmp"C:\Users\Admin\AppData\Local\Temp\D9C6.tmp"91⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\DA33.tmp"C:\Users\Admin\AppData\Local\Temp\DA33.tmp"92⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\DAA1.tmp"C:\Users\Admin\AppData\Local\Temp\DAA1.tmp"93⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\DB3D.tmp"C:\Users\Admin\AppData\Local\Temp\DB3D.tmp"94⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\DBD9.tmp"C:\Users\Admin\AppData\Local\Temp\DBD9.tmp"95⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\DC75.tmp"C:\Users\Admin\AppData\Local\Temp\DC75.tmp"96⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\DD12.tmp"C:\Users\Admin\AppData\Local\Temp\DD12.tmp"97⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\DD9E.tmp"C:\Users\Admin\AppData\Local\Temp\DD9E.tmp"98⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\DE2B.tmp"C:\Users\Admin\AppData\Local\Temp\DE2B.tmp"99⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\DEC7.tmp"C:\Users\Admin\AppData\Local\Temp\DEC7.tmp"100⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\DF34.tmp"C:\Users\Admin\AppData\Local\Temp\DF34.tmp"101⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\DFC1.tmp"C:\Users\Admin\AppData\Local\Temp\DFC1.tmp"102⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\E02E.tmp"C:\Users\Admin\AppData\Local\Temp\E02E.tmp"103⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\E08C.tmp"C:\Users\Admin\AppData\Local\Temp\E08C.tmp"104⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\E0EA.tmp"C:\Users\Admin\AppData\Local\Temp\E0EA.tmp"105⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\E157.tmp"C:\Users\Admin\AppData\Local\Temp\E157.tmp"106⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\E1C5.tmp"C:\Users\Admin\AppData\Local\Temp\E1C5.tmp"107⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\E261.tmp"C:\Users\Admin\AppData\Local\Temp\E261.tmp"108⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\E2CE.tmp"C:\Users\Admin\AppData\Local\Temp\E2CE.tmp"109⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\E37A.tmp"C:\Users\Admin\AppData\Local\Temp\E37A.tmp"110⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\E416.tmp"C:\Users\Admin\AppData\Local\Temp\E416.tmp"111⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\E5CC.tmp"C:\Users\Admin\AppData\Local\Temp\E5CC.tmp"112⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\E659.tmp"C:\Users\Admin\AppData\Local\Temp\E659.tmp"113⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\E6F5.tmp"C:\Users\Admin\AppData\Local\Temp\E6F5.tmp"114⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\E772.tmp"C:\Users\Admin\AppData\Local\Temp\E772.tmp"115⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\E80E.tmp"C:\Users\Admin\AppData\Local\Temp\E80E.tmp"116⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\E89B.tmp"C:\Users\Admin\AppData\Local\Temp\E89B.tmp"117⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\E927.tmp"C:\Users\Admin\AppData\Local\Temp\E927.tmp"118⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\E9D3.tmp"C:\Users\Admin\AppData\Local\Temp\E9D3.tmp"119⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\EA60.tmp"C:\Users\Admin\AppData\Local\Temp\EA60.tmp"120⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\EAEC.tmp"C:\Users\Admin\AppData\Local\Temp\EAEC.tmp"121⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\EB69.tmp"C:\Users\Admin\AppData\Local\Temp\EB69.tmp"122⤵PID:2508
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-