Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-09-2023 15:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2023-08-22_1ee749cbb705c590a16227540469804f_mafia_JC.exe
Resource
win7-20230831-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2023-08-22_1ee749cbb705c590a16227540469804f_mafia_JC.exe
Resource
win10v2004-20230831-en
windows10-2004-x64
2 signatures
150 seconds
General
- Target: 2023-08-22_1ee749cbb705c590a16227540469804f_mafia_JC.exe
- Size: 486KB
- MD5: 1ee749cbb705c590a16227540469804f
- SHA1: 7b09253f5429321569f57e0d5ecd6ece653e9187
- SHA256: 85f9a80228f19522ad9f400fb088200346d3eb149a4373776e365fe7e125996b
- SHA512: 6e8a1b868843b779a41738486ac08265c9a07f2e289b49b9ec0759a67c9a9cde414bc764e8b3fdac6b3479c1c8ffbd6168b1f07797312ae94f7def5eee2d90a9
- SSDEEP: 12288:UU5rCOTeiDthZ2XWUMwhzO5OsnHcvphyZjbeNZ:UUQOJDDZYkqzqnHcOjbeN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-08-22_1ee749cbb705c590a16227540469804f_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\2023-08-22_1ee749cbb705c590a16227540469804f_mafia_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\BAC4.tmp"C:\Users\Admin\AppData\Local\Temp\BAC4.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\BC3B.tmp"C:\Users\Admin\AppData\Local\Temp\BC3B.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\BD16.tmp"C:\Users\Admin\AppData\Local\Temp\BD16.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Users\Admin\AppData\Local\Temp\BE10.tmp"C:\Users\Admin\AppData\Local\Temp\BE10.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\BF1A.tmp"C:\Users\Admin\AppData\Local\Temp\BF1A.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\BFF4.tmp"C:\Users\Admin\AppData\Local\Temp\BFF4.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Users\Admin\AppData\Local\Temp\C19A.tmp"C:\Users\Admin\AppData\Local\Temp\C19A.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\C2B4.tmp"C:\Users\Admin\AppData\Local\Temp\C2B4.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\C38E.tmp"C:\Users\Admin\AppData\Local\Temp\C38E.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Users\Admin\AppData\Local\Temp\C498.tmp"C:\Users\Admin\AppData\Local\Temp\C498.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\C544.tmp"C:\Users\Admin\AppData\Local\Temp\C544.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\C64D.tmp"C:\Users\Admin\AppData\Local\Temp\C64D.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\C709.tmp"C:\Users\Admin\AppData\Local\Temp\C709.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\C796.tmp"C:\Users\Admin\AppData\Local\Temp\C796.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\C851.tmp"C:\Users\Admin\AppData\Local\Temp\C851.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\C91C.tmp"C:\Users\Admin\AppData\Local\Temp\C91C.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\C9E7.tmp"C:\Users\Admin\AppData\Local\Temp\C9E7.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Users\Admin\AppData\Local\Temp\CAB2.tmp"C:\Users\Admin\AppData\Local\Temp\CAB2.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\CB6E.tmp"C:\Users\Admin\AppData\Local\Temp\CB6E.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\CC58.tmp"C:\Users\Admin\AppData\Local\Temp\CC58.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\CD04.tmp"C:\Users\Admin\AppData\Local\Temp\CD04.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\CDEF.tmp"C:\Users\Admin\AppData\Local\Temp\CDEF.tmp"23⤵
- Executes dropped EXE
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\CEC9.tmp"C:\Users\Admin\AppData\Local\Temp\CEC9.tmp"24⤵
- Executes dropped EXE
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\CFC3.tmp"C:\Users\Admin\AppData\Local\Temp\CFC3.tmp"25⤵
- Executes dropped EXE
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\D07F.tmp"C:\Users\Admin\AppData\Local\Temp\D07F.tmp"26⤵
- Executes dropped EXE
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\D15A.tmp"C:\Users\Admin\AppData\Local\Temp\D15A.tmp"27⤵
- Executes dropped EXE
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\D225.tmp"C:\Users\Admin\AppData\Local\Temp\D225.tmp"28⤵
- Executes dropped EXE
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\D2D1.tmp"C:\Users\Admin\AppData\Local\Temp\D2D1.tmp"29⤵
- Executes dropped EXE
PID:396 -
C:\Users\Admin\AppData\Local\Temp\D3BB.tmp"C:\Users\Admin\AppData\Local\Temp\D3BB.tmp"30⤵
- Executes dropped EXE
PID:232 -
C:\Users\Admin\AppData\Local\Temp\D496.tmp"C:\Users\Admin\AppData\Local\Temp\D496.tmp"31⤵
- Executes dropped EXE
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\D580.tmp"C:\Users\Admin\AppData\Local\Temp\D580.tmp"32⤵
- Executes dropped EXE
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\D64B.tmp"C:\Users\Admin\AppData\Local\Temp\D64B.tmp"33⤵
- Executes dropped EXE
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\D745.tmp"C:\Users\Admin\AppData\Local\Temp\D745.tmp"34⤵
- Executes dropped EXE
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\D83F.tmp"C:\Users\Admin\AppData\Local\Temp\D83F.tmp"35⤵
- Executes dropped EXE
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\D8DB.tmp"C:\Users\Admin\AppData\Local\Temp\D8DB.tmp"36⤵
- Executes dropped EXE
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\D958.tmp"C:\Users\Admin\AppData\Local\Temp\D958.tmp"37⤵
- Executes dropped EXE
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\DA04.tmp"C:\Users\Admin\AppData\Local\Temp\DA04.tmp"38⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\DA81.tmp"C:\Users\Admin\AppData\Local\Temp\DA81.tmp"39⤵
- Executes dropped EXE
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\DAEF.tmp"C:\Users\Admin\AppData\Local\Temp\DAEF.tmp"40⤵
- Executes dropped EXE
PID:820 -
C:\Users\Admin\AppData\Local\Temp\DBD9.tmp"C:\Users\Admin\AppData\Local\Temp\DBD9.tmp"41⤵
- Executes dropped EXE
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\DC95.tmp"C:\Users\Admin\AppData\Local\Temp\DC95.tmp"42⤵
- Executes dropped EXE
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\DD31.tmp"C:\Users\Admin\AppData\Local\Temp\DD31.tmp"43⤵
- Executes dropped EXE
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\DD9E.tmp"C:\Users\Admin\AppData\Local\Temp\DD9E.tmp"44⤵
- Executes dropped EXE
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\DE2B.tmp"C:\Users\Admin\AppData\Local\Temp\DE2B.tmp"45⤵
- Executes dropped EXE
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\DEA8.tmp"C:\Users\Admin\AppData\Local\Temp\DEA8.tmp"46⤵
- Executes dropped EXE
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\DF25.tmp"C:\Users\Admin\AppData\Local\Temp\DF25.tmp"47⤵
- Executes dropped EXE
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\DFD1.tmp"C:\Users\Admin\AppData\Local\Temp\DFD1.tmp"48⤵
- Executes dropped EXE
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\E05D.tmp"C:\Users\Admin\AppData\Local\Temp\E05D.tmp"49⤵
- Executes dropped EXE
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\E0EA.tmp"C:\Users\Admin\AppData\Local\Temp\E0EA.tmp"50⤵
- Executes dropped EXE
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\E167.tmp"C:\Users\Admin\AppData\Local\Temp\E167.tmp"51⤵
- Executes dropped EXE
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\E213.tmp"C:\Users\Admin\AppData\Local\Temp\E213.tmp"52⤵
- Executes dropped EXE
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\E2AF.tmp"C:\Users\Admin\AppData\Local\Temp\E2AF.tmp"53⤵
- Executes dropped EXE
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\E34B.tmp"C:\Users\Admin\AppData\Local\Temp\E34B.tmp"54⤵
- Executes dropped EXE
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\E3E8.tmp"C:\Users\Admin\AppData\Local\Temp\E3E8.tmp"55⤵
- Executes dropped EXE
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\E493.tmp"C:\Users\Admin\AppData\Local\Temp\E493.tmp"56⤵
- Executes dropped EXE
PID:412 -
C:\Users\Admin\AppData\Local\Temp\E53F.tmp"C:\Users\Admin\AppData\Local\Temp\E53F.tmp"57⤵
- Executes dropped EXE
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\E5EB.tmp"C:\Users\Admin\AppData\Local\Temp\E5EB.tmp"58⤵
- Executes dropped EXE
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\E678.tmp"C:\Users\Admin\AppData\Local\Temp\E678.tmp"59⤵
- Executes dropped EXE
PID:436 -
C:\Users\Admin\AppData\Local\Temp\E6E5.tmp"C:\Users\Admin\AppData\Local\Temp\E6E5.tmp"60⤵
- Executes dropped EXE
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\E7B0.tmp"C:\Users\Admin\AppData\Local\Temp\E7B0.tmp"61⤵
- Executes dropped EXE
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\E83D.tmp"C:\Users\Admin\AppData\Local\Temp\E83D.tmp"62⤵
- Executes dropped EXE
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\E8E9.tmp"C:\Users\Admin\AppData\Local\Temp\E8E9.tmp"63⤵
- Executes dropped EXE
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\E966.tmp"C:\Users\Admin\AppData\Local\Temp\E966.tmp"64⤵
- Executes dropped EXE
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\EA12.tmp"C:\Users\Admin\AppData\Local\Temp\EA12.tmp"65⤵
- Executes dropped EXE
PID:860 -
C:\Users\Admin\AppData\Local\Temp\EA7F.tmp"C:\Users\Admin\AppData\Local\Temp\EA7F.tmp"66⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\EAEC.tmp"C:\Users\Admin\AppData\Local\Temp\EAEC.tmp"67⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\EB89.tmp"C:\Users\Admin\AppData\Local\Temp\EB89.tmp"68⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\EC06.tmp"C:\Users\Admin\AppData\Local\Temp\EC06.tmp"69⤵PID:416
-
C:\Users\Admin\AppData\Local\Temp\EC83.tmp"C:\Users\Admin\AppData\Local\Temp\EC83.tmp"70⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\ED00.tmp"C:\Users\Admin\AppData\Local\Temp\ED00.tmp"71⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\ED8C.tmp"C:\Users\Admin\AppData\Local\Temp\ED8C.tmp"72⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\EE09.tmp"C:\Users\Admin\AppData\Local\Temp\EE09.tmp"73⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\EE86.tmp"C:\Users\Admin\AppData\Local\Temp\EE86.tmp"74⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\EF71.tmp"C:\Users\Admin\AppData\Local\Temp\EF71.tmp"75⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\EFEE.tmp"C:\Users\Admin\AppData\Local\Temp\EFEE.tmp"76⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\F04B.tmp"C:\Users\Admin\AppData\Local\Temp\F04B.tmp"77⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\F0E8.tmp"C:\Users\Admin\AppData\Local\Temp\F0E8.tmp"78⤵PID:3796
-
C:\Users\Admin\AppData\Local\Temp\F155.tmp"C:\Users\Admin\AppData\Local\Temp\F155.tmp"79⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\F1D2.tmp"C:\Users\Admin\AppData\Local\Temp\F1D2.tmp"80⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\F25F.tmp"C:\Users\Admin\AppData\Local\Temp\F25F.tmp"81⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\F2EB.tmp"C:\Users\Admin\AppData\Local\Temp\F2EB.tmp"82⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\F359.tmp"C:\Users\Admin\AppData\Local\Temp\F359.tmp"83⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\F3C6.tmp"C:\Users\Admin\AppData\Local\Temp\F3C6.tmp"84⤵PID:3220
-
C:\Users\Admin\AppData\Local\Temp\F453.tmp"C:\Users\Admin\AppData\Local\Temp\F453.tmp"85⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\F4C0.tmp"C:\Users\Admin\AppData\Local\Temp\F4C0.tmp"86⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\F54D.tmp"C:\Users\Admin\AppData\Local\Temp\F54D.tmp"87⤵PID:3644
-
C:\Users\Admin\AppData\Local\Temp\F5CA.tmp"C:\Users\Admin\AppData\Local\Temp\F5CA.tmp"88⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\F627.tmp"C:\Users\Admin\AppData\Local\Temp\F627.tmp"89⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\F6A4.tmp"C:\Users\Admin\AppData\Local\Temp\F6A4.tmp"90⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\F721.tmp"C:\Users\Admin\AppData\Local\Temp\F721.tmp"91⤵PID:3172
-
C:\Users\Admin\AppData\Local\Temp\F78F.tmp"C:\Users\Admin\AppData\Local\Temp\F78F.tmp"92⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\F7ED.tmp"C:\Users\Admin\AppData\Local\Temp\F7ED.tmp"93⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\F925.tmp"C:\Users\Admin\AppData\Local\Temp\F925.tmp"94⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\F9A2.tmp"C:\Users\Admin\AppData\Local\Temp\F9A2.tmp"95⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\FA0F.tmp"C:\Users\Admin\AppData\Local\Temp\FA0F.tmp"96⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\FA8C.tmp"C:\Users\Admin\AppData\Local\Temp\FA8C.tmp"97⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\FB09.tmp"C:\Users\Admin\AppData\Local\Temp\FB09.tmp"98⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\FB86.tmp"C:\Users\Admin\AppData\Local\Temp\FB86.tmp"99⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\FC13.tmp"C:\Users\Admin\AppData\Local\Temp\FC13.tmp"100⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\FC90.tmp"C:\Users\Admin\AppData\Local\Temp\FC90.tmp"101⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\FD5B.tmp"C:\Users\Admin\AppData\Local\Temp\FD5B.tmp"102⤵PID:3836
-
C:\Users\Admin\AppData\Local\Temp\FDC9.tmp"C:\Users\Admin\AppData\Local\Temp\FDC9.tmp"103⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\FE55.tmp"C:\Users\Admin\AppData\Local\Temp\FE55.tmp"104⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\FEC3.tmp"C:\Users\Admin\AppData\Local\Temp\FEC3.tmp"105⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\FF4F.tmp"C:\Users\Admin\AppData\Local\Temp\FF4F.tmp"106⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\FFBD.tmp"C:\Users\Admin\AppData\Local\Temp\FFBD.tmp"107⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\3A.tmp"C:\Users\Admin\AppData\Local\Temp\3A.tmp"108⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\B7.tmp"C:\Users\Admin\AppData\Local\Temp\B7.tmp"109⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\134.tmp"C:\Users\Admin\AppData\Local\Temp\134.tmp"110⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\1A1.tmp"C:\Users\Admin\AppData\Local\Temp\1A1.tmp"111⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\21E.tmp"C:\Users\Admin\AppData\Local\Temp\21E.tmp"112⤵PID:976
-
C:\Users\Admin\AppData\Local\Temp\29B.tmp"C:\Users\Admin\AppData\Local\Temp\29B.tmp"113⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\2F9.tmp"C:\Users\Admin\AppData\Local\Temp\2F9.tmp"114⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\356.tmp"C:\Users\Admin\AppData\Local\Temp\356.tmp"115⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\3C4.tmp"C:\Users\Admin\AppData\Local\Temp\3C4.tmp"116⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\441.tmp"C:\Users\Admin\AppData\Local\Temp\441.tmp"117⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\4BE.tmp"C:\Users\Admin\AppData\Local\Temp\4BE.tmp"118⤵PID:568
-
C:\Users\Admin\AppData\Local\Temp\52B.tmp"C:\Users\Admin\AppData\Local\Temp\52B.tmp"119⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\599.tmp"C:\Users\Admin\AppData\Local\Temp\599.tmp"120⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\606.tmp"C:\Users\Admin\AppData\Local\Temp\606.tmp"121⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\664.tmp"C:\Users\Admin\AppData\Local\Temp\664.tmp"122⤵PID:4552