Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
28-08-2023 15:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe
Resource
win7-20230712-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe
-
Size
486KB
-
MD5
bb30ea1064e79b0f1527cb351c94f5ba
-
SHA1
fd5a4be50185799fa87204fb84894e4a920a2596
-
SHA256
4a2c987da3923bd6dd1d21ad27aeff1aabb884646a25d9cd54eaa03f85636b72
-
SHA512
05e9d4462720002cb1f64a50ba0b935745ceffc76991e5167fed0f953cea02918bca5116c67b05b8c9523555cb022b0f6ba4d8740e15a2e4a2d1acfdd707ef98
-
SSDEEP
12288:/U5rCOTeiDQaTvrCrKuS+X0BTa2tmPNZ:/UQOJDQOvrErWa2kN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1004 806B.tmp 4828 8126.tmp 4836 81C3.tmp 3964 827E.tmp 1244 831A.tmp 312 83B7.tmp 3248 8482.tmp 412 851E.tmp 5072 8628.tmp 4492 86F3.tmp 3860 878F.tmp 2360 882B.tmp 4068 88E7.tmp 3444 8993.tmp 2392 8A3E.tmp 2596 8B48.tmp 1668 8BE4.tmp 224 8C71.tmp 916 8D4C.tmp 2192 8E07.tmp 4772 8ED2.tmp 4972 8FFB.tmp 3660 9088.tmp 3924 9143.tmp 4468 91B1.tmp 4076 921E.tmp 684 92BA.tmp 4352 9357.tmp 1444 9402.tmp 2140 94BE.tmp 4100 955A.tmp 2820 9616.tmp 2132 9693.tmp 1540 9700.tmp 1536 976D.tmp 1688 97FA.tmp 4108 9887.tmp 4580 9913.tmp 212 9981.tmp 4500 9A1D.tmp 4684 9A8A.tmp 564 9B36.tmp 2136 9BC3.tmp 4152 9C6F.tmp 1012 9CFB.tmp 4340 9D88.tmp 2744 9DF5.tmp 1160 9E72.tmp 1332 9EFF.tmp 2168 9FBA.tmp 1468 A0A5.tmp 3792 A141.tmp 4616 A1CE.tmp 4188 A27A.tmp 1884 A2F7.tmp 1460 A3A2.tmp 2888 A42F.tmp 760 A4CB.tmp 668 A558.tmp 1148 A5E5.tmp 3304 A652.tmp 1124 A6CF.tmp 2640 A72D.tmp 3432 A7C9.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1160 wrote to memory of 1004 1160 bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe 81 PID 1160 wrote to memory of 1004 1160 bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe 81 PID 1160 wrote to memory of 1004 1160 bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe 81 PID 1004 wrote to memory of 4828 1004 806B.tmp 82 PID 1004 wrote to memory of 4828 1004 806B.tmp 82 PID 1004 wrote to memory of 4828 1004 806B.tmp 82 PID 4828 wrote to memory of 4836 4828 8126.tmp 83 PID 4828 wrote to memory of 4836 4828 8126.tmp 83 PID 4828 wrote to memory of 4836 4828 8126.tmp 83 PID 4836 wrote to memory of 3964 4836 81C3.tmp 84 PID 4836 wrote to memory of 3964 4836 81C3.tmp 84 PID 4836 wrote to memory of 3964 4836 81C3.tmp 84 PID 3964 wrote to memory of 1244 3964 827E.tmp 85 PID 3964 wrote to memory of 1244 3964 827E.tmp 85 PID 3964 wrote to memory of 1244 3964 827E.tmp 85 PID 1244 wrote to memory of 312 1244 831A.tmp 86 PID 1244 wrote to memory of 312 1244 831A.tmp 86 PID 1244 wrote to memory of 312 1244 831A.tmp 86 PID 312 wrote to memory of 3248 312 83B7.tmp 87 PID 312 wrote to memory of 3248 312 83B7.tmp 87 PID 312 wrote to memory of 3248 312 83B7.tmp 87 PID 3248 wrote to memory of 412 3248 8482.tmp 88 PID 3248 wrote to memory of 412 3248 8482.tmp 88 PID 3248 wrote to memory of 412 3248 8482.tmp 88 PID 412 wrote to memory of 5072 412 851E.tmp 89 PID 412 wrote to memory of 5072 412 851E.tmp 89 PID 412 wrote to memory of 5072 412 851E.tmp 89 PID 5072 wrote to memory of 4492 5072 8628.tmp 90 PID 5072 wrote to memory of 4492 5072 8628.tmp 90 PID 5072 wrote to memory of 4492 5072 8628.tmp 90 PID 4492 wrote to memory of 3860 4492 86F3.tmp 91 PID 4492 wrote to memory of 3860 4492 86F3.tmp 91 PID 4492 wrote to memory of 3860 4492 86F3.tmp 91 PID 3860 wrote to memory of 2360 3860 878F.tmp 92 PID 3860 wrote to memory of 2360 3860 878F.tmp 92 PID 3860 wrote to memory of 2360 3860 878F.tmp 92 PID 2360 wrote to memory of 4068 2360 882B.tmp 93 PID 2360 wrote to memory of 4068 2360 882B.tmp 93 PID 2360 wrote to memory of 4068 2360 882B.tmp 93 PID 4068 wrote to memory of 3444 4068 88E7.tmp 94 PID 4068 wrote to memory of 3444 4068 88E7.tmp 94 PID 4068 wrote to memory of 3444 4068 88E7.tmp 94 PID 3444 wrote to memory of 2392 3444 8993.tmp 95 PID 3444 wrote to memory of 2392 3444 8993.tmp 95 PID 3444 wrote to memory of 2392 3444 8993.tmp 95 PID 2392 wrote to memory of 2596 2392 8A3E.tmp 96 PID 2392 wrote to memory of 2596 2392 8A3E.tmp 96 PID 2392 wrote to memory of 2596 2392 8A3E.tmp 96 PID 2596 wrote to memory of 1668 2596 8B48.tmp 97 PID 2596 wrote to memory of 1668 2596 8B48.tmp 97 PID 2596 wrote to memory of 1668 2596 8B48.tmp 97 PID 1668 wrote to memory of 224 1668 8BE4.tmp 100 PID 1668 wrote to memory of 224 1668 8BE4.tmp 100 PID 1668 wrote to memory of 224 1668 8BE4.tmp 100 PID 224 wrote to memory of 916 224 8C71.tmp 101 PID 224 wrote to memory of 916 224 8C71.tmp 101 PID 224 wrote to memory of 916 224 8C71.tmp 101 PID 916 wrote to memory of 2192 916 8D4C.tmp 102 PID 916 wrote to memory of 2192 916 8D4C.tmp 102 PID 916 wrote to memory of 2192 916 8D4C.tmp 102 PID 2192 wrote to memory of 4772 2192 8E07.tmp 103 PID 2192 wrote to memory of 4772 2192 8E07.tmp 103 PID 2192 wrote to memory of 4772 2192 8E07.tmp 103 PID 4772 wrote to memory of 4972 4772 8ED2.tmp 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\bb30ea1064e79b0f1527cb351c94f5ba_mafia_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\806B.tmp"C:\Users\Admin\AppData\Local\Temp\806B.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\8126.tmp"C:\Users\Admin\AppData\Local\Temp\8126.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\81C3.tmp"C:\Users\Admin\AppData\Local\Temp\81C3.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\827E.tmp"C:\Users\Admin\AppData\Local\Temp\827E.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\831A.tmp"C:\Users\Admin\AppData\Local\Temp\831A.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\83B7.tmp"C:\Users\Admin\AppData\Local\Temp\83B7.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Users\Admin\AppData\Local\Temp\8482.tmp"C:\Users\Admin\AppData\Local\Temp\8482.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\851E.tmp"C:\Users\Admin\AppData\Local\Temp\851E.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Users\Admin\AppData\Local\Temp\8628.tmp"C:\Users\Admin\AppData\Local\Temp\8628.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\86F3.tmp"C:\Users\Admin\AppData\Local\Temp\86F3.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\878F.tmp"C:\Users\Admin\AppData\Local\Temp\878F.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\882B.tmp"C:\Users\Admin\AppData\Local\Temp\882B.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\88E7.tmp"C:\Users\Admin\AppData\Local\Temp\88E7.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\8993.tmp"C:\Users\Admin\AppData\Local\Temp\8993.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\8A3E.tmp"C:\Users\Admin\AppData\Local\Temp\8A3E.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\8B48.tmp"C:\Users\Admin\AppData\Local\Temp\8B48.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"C:\Users\Admin\AppData\Local\Temp\8BE4.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\8C71.tmp"C:\Users\Admin\AppData\Local\Temp\8C71.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Users\Admin\AppData\Local\Temp\8D4C.tmp"C:\Users\Admin\AppData\Local\Temp\8D4C.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Users\Admin\AppData\Local\Temp\8E07.tmp"C:\Users\Admin\AppData\Local\Temp\8E07.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"C:\Users\Admin\AppData\Local\Temp\8FFB.tmp"23⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\9088.tmp"C:\Users\Admin\AppData\Local\Temp\9088.tmp"24⤵
- Executes dropped EXE
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\9143.tmp"C:\Users\Admin\AppData\Local\Temp\9143.tmp"25⤵
- Executes dropped EXE
PID:3924 -
C:\Users\Admin\AppData\Local\Temp\91B1.tmp"C:\Users\Admin\AppData\Local\Temp\91B1.tmp"26⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\921E.tmp"C:\Users\Admin\AppData\Local\Temp\921E.tmp"27⤵
- Executes dropped EXE
PID:4076 -
C:\Users\Admin\AppData\Local\Temp\92BA.tmp"C:\Users\Admin\AppData\Local\Temp\92BA.tmp"28⤵
- Executes dropped EXE
PID:684 -
C:\Users\Admin\AppData\Local\Temp\9357.tmp"C:\Users\Admin\AppData\Local\Temp\9357.tmp"29⤵
- Executes dropped EXE
PID:4352 -
C:\Users\Admin\AppData\Local\Temp\9402.tmp"C:\Users\Admin\AppData\Local\Temp\9402.tmp"30⤵
- Executes dropped EXE
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\94BE.tmp"C:\Users\Admin\AppData\Local\Temp\94BE.tmp"31⤵
- Executes dropped EXE
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\955A.tmp"C:\Users\Admin\AppData\Local\Temp\955A.tmp"32⤵
- Executes dropped EXE
PID:4100 -
C:\Users\Admin\AppData\Local\Temp\9616.tmp"C:\Users\Admin\AppData\Local\Temp\9616.tmp"33⤵
- Executes dropped EXE
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\9693.tmp"C:\Users\Admin\AppData\Local\Temp\9693.tmp"34⤵
- Executes dropped EXE
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\9700.tmp"C:\Users\Admin\AppData\Local\Temp\9700.tmp"35⤵
- Executes dropped EXE
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\976D.tmp"C:\Users\Admin\AppData\Local\Temp\976D.tmp"36⤵
- Executes dropped EXE
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\97FA.tmp"C:\Users\Admin\AppData\Local\Temp\97FA.tmp"37⤵
- Executes dropped EXE
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\9887.tmp"C:\Users\Admin\AppData\Local\Temp\9887.tmp"38⤵
- Executes dropped EXE
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\9913.tmp"C:\Users\Admin\AppData\Local\Temp\9913.tmp"39⤵
- Executes dropped EXE
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\9981.tmp"C:\Users\Admin\AppData\Local\Temp\9981.tmp"40⤵
- Executes dropped EXE
PID:212 -
C:\Users\Admin\AppData\Local\Temp\9A1D.tmp"C:\Users\Admin\AppData\Local\Temp\9A1D.tmp"41⤵
- Executes dropped EXE
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\9A8A.tmp"C:\Users\Admin\AppData\Local\Temp\9A8A.tmp"42⤵
- Executes dropped EXE
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\9B36.tmp"C:\Users\Admin\AppData\Local\Temp\9B36.tmp"43⤵
- Executes dropped EXE
PID:564 -
C:\Users\Admin\AppData\Local\Temp\9BC3.tmp"C:\Users\Admin\AppData\Local\Temp\9BC3.tmp"44⤵
- Executes dropped EXE
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\9C6F.tmp"C:\Users\Admin\AppData\Local\Temp\9C6F.tmp"45⤵
- Executes dropped EXE
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\9CFB.tmp"C:\Users\Admin\AppData\Local\Temp\9CFB.tmp"46⤵
- Executes dropped EXE
PID:1012 -
C:\Users\Admin\AppData\Local\Temp\9D88.tmp"C:\Users\Admin\AppData\Local\Temp\9D88.tmp"47⤵
- Executes dropped EXE
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\9DF5.tmp"C:\Users\Admin\AppData\Local\Temp\9DF5.tmp"48⤵
- Executes dropped EXE
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\9E72.tmp"C:\Users\Admin\AppData\Local\Temp\9E72.tmp"49⤵
- Executes dropped EXE
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\9EFF.tmp"C:\Users\Admin\AppData\Local\Temp\9EFF.tmp"50⤵
- Executes dropped EXE
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\9FBA.tmp"C:\Users\Admin\AppData\Local\Temp\9FBA.tmp"51⤵
- Executes dropped EXE
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\A0A5.tmp"C:\Users\Admin\AppData\Local\Temp\A0A5.tmp"52⤵
- Executes dropped EXE
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\A141.tmp"C:\Users\Admin\AppData\Local\Temp\A141.tmp"53⤵
- Executes dropped EXE
PID:3792 -
C:\Users\Admin\AppData\Local\Temp\A1CE.tmp"C:\Users\Admin\AppData\Local\Temp\A1CE.tmp"54⤵
- Executes dropped EXE
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\A27A.tmp"C:\Users\Admin\AppData\Local\Temp\A27A.tmp"55⤵
- Executes dropped EXE
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\A2F7.tmp"C:\Users\Admin\AppData\Local\Temp\A2F7.tmp"56⤵
- Executes dropped EXE
PID:1884 -
C:\Users\Admin\AppData\Local\Temp\A3A2.tmp"C:\Users\Admin\AppData\Local\Temp\A3A2.tmp"57⤵
- Executes dropped EXE
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\A42F.tmp"C:\Users\Admin\AppData\Local\Temp\A42F.tmp"58⤵
- Executes dropped EXE
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\A4CB.tmp"C:\Users\Admin\AppData\Local\Temp\A4CB.tmp"59⤵
- Executes dropped EXE
PID:760 -
C:\Users\Admin\AppData\Local\Temp\A558.tmp"C:\Users\Admin\AppData\Local\Temp\A558.tmp"60⤵
- Executes dropped EXE
PID:668 -
C:\Users\Admin\AppData\Local\Temp\A5E5.tmp"C:\Users\Admin\AppData\Local\Temp\A5E5.tmp"61⤵
- Executes dropped EXE
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\A652.tmp"C:\Users\Admin\AppData\Local\Temp\A652.tmp"62⤵
- Executes dropped EXE
PID:3304 -
C:\Users\Admin\AppData\Local\Temp\A6CF.tmp"C:\Users\Admin\AppData\Local\Temp\A6CF.tmp"63⤵
- Executes dropped EXE
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\A72D.tmp"C:\Users\Admin\AppData\Local\Temp\A72D.tmp"64⤵
- Executes dropped EXE
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\A7C9.tmp"C:\Users\Admin\AppData\Local\Temp\A7C9.tmp"65⤵
- Executes dropped EXE
PID:3432 -
C:\Users\Admin\AppData\Local\Temp\A856.tmp"C:\Users\Admin\AppData\Local\Temp\A856.tmp"66⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\A8E2.tmp"C:\Users\Admin\AppData\Local\Temp\A8E2.tmp"67⤵PID:3824
-
C:\Users\Admin\AppData\Local\Temp\A950.tmp"C:\Users\Admin\AppData\Local\Temp\A950.tmp"68⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\A9CD.tmp"C:\Users\Admin\AppData\Local\Temp\A9CD.tmp"69⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\AA2A.tmp"C:\Users\Admin\AppData\Local\Temp\AA2A.tmp"70⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\AA88.tmp"C:\Users\Admin\AppData\Local\Temp\AA88.tmp"71⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\AB24.tmp"C:\Users\Admin\AppData\Local\Temp\AB24.tmp"72⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\AB92.tmp"C:\Users\Admin\AppData\Local\Temp\AB92.tmp"73⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\AC0F.tmp"C:\Users\Admin\AppData\Local\Temp\AC0F.tmp"74⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\AC8C.tmp"C:\Users\Admin\AppData\Local\Temp\AC8C.tmp"75⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\ACF9.tmp"C:\Users\Admin\AppData\Local\Temp\ACF9.tmp"76⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\AD86.tmp"C:\Users\Admin\AppData\Local\Temp\AD86.tmp"77⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\ADF3.tmp"C:\Users\Admin\AppData\Local\Temp\ADF3.tmp"78⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\AE51.tmp"C:\Users\Admin\AppData\Local\Temp\AE51.tmp"79⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\AEDD.tmp"C:\Users\Admin\AppData\Local\Temp\AEDD.tmp"80⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\AF7A.tmp"C:\Users\Admin\AppData\Local\Temp\AF7A.tmp"81⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\AFF7.tmp"C:\Users\Admin\AppData\Local\Temp\AFF7.tmp"82⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\B083.tmp"C:\Users\Admin\AppData\Local\Temp\B083.tmp"83⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\B110.tmp"C:\Users\Admin\AppData\Local\Temp\B110.tmp"84⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\B18D.tmp"C:\Users\Admin\AppData\Local\Temp\B18D.tmp"85⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\B20A.tmp"C:\Users\Admin\AppData\Local\Temp\B20A.tmp"86⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\B287.tmp"C:\Users\Admin\AppData\Local\Temp\B287.tmp"87⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\B304.tmp"C:\Users\Admin\AppData\Local\Temp\B304.tmp"88⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\B3A0.tmp"C:\Users\Admin\AppData\Local\Temp\B3A0.tmp"89⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\B41D.tmp"C:\Users\Admin\AppData\Local\Temp\B41D.tmp"90⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\B4B9.tmp"C:\Users\Admin\AppData\Local\Temp\B4B9.tmp"91⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\B527.tmp"C:\Users\Admin\AppData\Local\Temp\B527.tmp"92⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\B594.tmp"C:\Users\Admin\AppData\Local\Temp\B594.tmp"93⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\B602.tmp"C:\Users\Admin\AppData\Local\Temp\B602.tmp"94⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\B69E.tmp"C:\Users\Admin\AppData\Local\Temp\B69E.tmp"95⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\B71B.tmp"C:\Users\Admin\AppData\Local\Temp\B71B.tmp"96⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\B7A7.tmp"C:\Users\Admin\AppData\Local\Temp\B7A7.tmp"97⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\B815.tmp"C:\Users\Admin\AppData\Local\Temp\B815.tmp"98⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\B8A1.tmp"C:\Users\Admin\AppData\Local\Temp\B8A1.tmp"99⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\B93E.tmp"C:\Users\Admin\AppData\Local\Temp\B93E.tmp"100⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\B9BB.tmp"C:\Users\Admin\AppData\Local\Temp\B9BB.tmp"101⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\BA28.tmp"C:\Users\Admin\AppData\Local\Temp\BA28.tmp"102⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\BAA5.tmp"C:\Users\Admin\AppData\Local\Temp\BAA5.tmp"103⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\BB32.tmp"C:\Users\Admin\AppData\Local\Temp\BB32.tmp"104⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\BBAF.tmp"C:\Users\Admin\AppData\Local\Temp\BBAF.tmp"105⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"C:\Users\Admin\AppData\Local\Temp\BC4B.tmp"106⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\BCC8.tmp"C:\Users\Admin\AppData\Local\Temp\BCC8.tmp"107⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\BD35.tmp"C:\Users\Admin\AppData\Local\Temp\BD35.tmp"108⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\BDB2.tmp"C:\Users\Admin\AppData\Local\Temp\BDB2.tmp"109⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\BE20.tmp"C:\Users\Admin\AppData\Local\Temp\BE20.tmp"110⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\BE9D.tmp"C:\Users\Admin\AppData\Local\Temp\BE9D.tmp"111⤵PID:4072
-
C:\Users\Admin\AppData\Local\Temp\BF0A.tmp"C:\Users\Admin\AppData\Local\Temp\BF0A.tmp"112⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\BF97.tmp"C:\Users\Admin\AppData\Local\Temp\BF97.tmp"113⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\C033.tmp"C:\Users\Admin\AppData\Local\Temp\C033.tmp"114⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\C0CF.tmp"C:\Users\Admin\AppData\Local\Temp\C0CF.tmp"115⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\C14C.tmp"C:\Users\Admin\AppData\Local\Temp\C14C.tmp"116⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\C1C9.tmp"C:\Users\Admin\AppData\Local\Temp\C1C9.tmp"117⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\C256.tmp"C:\Users\Admin\AppData\Local\Temp\C256.tmp"118⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\C2C3.tmp"C:\Users\Admin\AppData\Local\Temp\C2C3.tmp"119⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\C340.tmp"C:\Users\Admin\AppData\Local\Temp\C340.tmp"120⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\C3CD.tmp"C:\Users\Admin\AppData\Local\Temp\C3CD.tmp"121⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\C44A.tmp"C:\Users\Admin\AppData\Local\Temp\C44A.tmp"122⤵PID:3056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-