Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2023 21:26
Static task static1
- 1 signatures
Behavioral task behavioral1
- Sample: 2023-08-26_f5b824e19ea61498dbba0779260fb0eb_mafia_JC.exe
- Resource: win7-20230831-en (windows7-x64)
- 3 signatures
- 150 seconds
Behavioral task behavioral2
- Sample: 2023-08-26_f5b824e19ea61498dbba0779260fb0eb_mafia_JC.exe
- Resource: win10v2004-20230915-en (windows10-2004-x64)
- 2 signatures
- 150 seconds
General
- Target: 2023-08-26_f5b824e19ea61498dbba0779260fb0eb_mafia_JC.exe
- Size: 488KB
- MD5: f5b824e19ea61498dbba0779260fb0eb
- SHA1: df9816501d41d52ee8f2df7a7e34327422d374e3
- SHA256: 31c0534720caca107cf7ffc5207ca670050e89a5fcd31d828bcff222859cd07f
- SHA512: 9ac14cd228a068826e0bef392c5b8cd38f9d0580928ae45e136a38d523030ebe81d3845df0ef5bda3384b548fcbb13270ceaee5483cea5ec36eb05abfa300866
- SSDEEP: 12288:/U5rCOTeiDpGdoJW7IJwIzN/oHZkxANZ:/UQOJDIiXzNgHGKN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-08-26_f5b824e19ea61498dbba0779260fb0eb_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\2023-08-26_f5b824e19ea61498dbba0779260fb0eb_mafia_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Users\Admin\AppData\Local\Temp\707D.tmp"C:\Users\Admin\AppData\Local\Temp\707D.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\7109.tmp"C:\Users\Admin\AppData\Local\Temp\7109.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\71C5.tmp"C:\Users\Admin\AppData\Local\Temp\71C5.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Users\Admin\AppData\Local\Temp\7280.tmp"C:\Users\Admin\AppData\Local\Temp\7280.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\72FD.tmp"C:\Users\Admin\AppData\Local\Temp\72FD.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\73B9.tmp"C:\Users\Admin\AppData\Local\Temp\73B9.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\7445.tmp"C:\Users\Admin\AppData\Local\Temp\7445.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\7511.tmp"C:\Users\Admin\AppData\Local\Temp\7511.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Users\Admin\AppData\Local\Temp\759D.tmp"C:\Users\Admin\AppData\Local\Temp\759D.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\762A.tmp"C:\Users\Admin\AppData\Local\Temp\762A.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Users\Admin\AppData\Local\Temp\76C6.tmp"C:\Users\Admin\AppData\Local\Temp\76C6.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\7743.tmp"C:\Users\Admin\AppData\Local\Temp\7743.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\77DF.tmp"C:\Users\Admin\AppData\Local\Temp\77DF.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Users\Admin\AppData\Local\Temp\786C.tmp"C:\Users\Admin\AppData\Local\Temp\786C.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\7908.tmp"C:\Users\Admin\AppData\Local\Temp\7908.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\79B4.tmp"C:\Users\Admin\AppData\Local\Temp\79B4.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\7A7F.tmp"C:\Users\Admin\AppData\Local\Temp\7A7F.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\7C35.tmp"C:\Users\Admin\AppData\Local\Temp\7C35.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"C:\Users\Admin\AppData\Local\Temp\7CA2.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"C:\Users\Admin\AppData\Local\Temp\7D1F.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp"C:\Users\Admin\AppData\Local\Temp\7DFA.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\7EA6.tmp"C:\Users\Admin\AppData\Local\Temp\7EA6.tmp"23⤵
- Executes dropped EXE
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\7F42.tmp"C:\Users\Admin\AppData\Local\Temp\7F42.tmp"24⤵
- Executes dropped EXE
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\804C.tmp"C:\Users\Admin\AppData\Local\Temp\804C.tmp"25⤵
- Executes dropped EXE
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\80D8.tmp"C:\Users\Admin\AppData\Local\Temp\80D8.tmp"26⤵
- Executes dropped EXE
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\8184.tmp"C:\Users\Admin\AppData\Local\Temp\8184.tmp"27⤵
- Executes dropped EXE
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\8201.tmp"C:\Users\Admin\AppData\Local\Temp\8201.tmp"28⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\827E.tmp"C:\Users\Admin\AppData\Local\Temp\827E.tmp"29⤵
- Executes dropped EXE
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\831A.tmp"C:\Users\Admin\AppData\Local\Temp\831A.tmp"30⤵
- Executes dropped EXE
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\83C6.tmp"C:\Users\Admin\AppData\Local\Temp\83C6.tmp"31⤵
- Executes dropped EXE
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\8462.tmp"C:\Users\Admin\AppData\Local\Temp\8462.tmp"32⤵
- Executes dropped EXE
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\84EF.tmp"C:\Users\Admin\AppData\Local\Temp\84EF.tmp"33⤵
- Executes dropped EXE
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\85AB.tmp"C:\Users\Admin\AppData\Local\Temp\85AB.tmp"34⤵
- Executes dropped EXE
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\86B4.tmp"C:\Users\Admin\AppData\Local\Temp\86B4.tmp"35⤵
- Executes dropped EXE
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\8722.tmp"C:\Users\Admin\AppData\Local\Temp\8722.tmp"36⤵
- Executes dropped EXE
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\878F.tmp"C:\Users\Admin\AppData\Local\Temp\878F.tmp"37⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\880C.tmp"C:\Users\Admin\AppData\Local\Temp\880C.tmp"38⤵
- Executes dropped EXE
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\88A8.tmp"C:\Users\Admin\AppData\Local\Temp\88A8.tmp"39⤵
- Executes dropped EXE
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\8944.tmp"C:\Users\Admin\AppData\Local\Temp\8944.tmp"40⤵
- Executes dropped EXE
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\89C1.tmp"C:\Users\Admin\AppData\Local\Temp\89C1.tmp"41⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"C:\Users\Admin\AppData\Local\Temp\8A5E.tmp"42⤵
- Executes dropped EXE
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\8ADB.tmp"C:\Users\Admin\AppData\Local\Temp\8ADB.tmp"43⤵
- Executes dropped EXE
PID:860 -
C:\Users\Admin\AppData\Local\Temp\8B67.tmp"C:\Users\Admin\AppData\Local\Temp\8B67.tmp"44⤵
- Executes dropped EXE
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\8C04.tmp"C:\Users\Admin\AppData\Local\Temp\8C04.tmp"45⤵
- Executes dropped EXE
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\8C81.tmp"C:\Users\Admin\AppData\Local\Temp\8C81.tmp"46⤵
- Executes dropped EXE
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\8D5B.tmp"C:\Users\Admin\AppData\Local\Temp\8D5B.tmp"47⤵
- Executes dropped EXE
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\8DC9.tmp"C:\Users\Admin\AppData\Local\Temp\8DC9.tmp"48⤵
- Executes dropped EXE
PID:848 -
C:\Users\Admin\AppData\Local\Temp\8E55.tmp"C:\Users\Admin\AppData\Local\Temp\8E55.tmp"49⤵
- Executes dropped EXE
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"50⤵
- Executes dropped EXE
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\8F5F.tmp"C:\Users\Admin\AppData\Local\Temp\8F5F.tmp"51⤵
- Executes dropped EXE
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\8FEC.tmp"C:\Users\Admin\AppData\Local\Temp\8FEC.tmp"52⤵
- Executes dropped EXE
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\9097.tmp"C:\Users\Admin\AppData\Local\Temp\9097.tmp"53⤵
- Executes dropped EXE
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\9124.tmp"C:\Users\Admin\AppData\Local\Temp\9124.tmp"54⤵
- Executes dropped EXE
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\91C0.tmp"C:\Users\Admin\AppData\Local\Temp\91C0.tmp"55⤵
- Executes dropped EXE
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\922E.tmp"C:\Users\Admin\AppData\Local\Temp\922E.tmp"56⤵
- Executes dropped EXE
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\92BA.tmp"C:\Users\Admin\AppData\Local\Temp\92BA.tmp"57⤵
- Executes dropped EXE
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\9337.tmp"C:\Users\Admin\AppData\Local\Temp\9337.tmp"58⤵
- Executes dropped EXE
PID:464 -
C:\Users\Admin\AppData\Local\Temp\93E3.tmp"C:\Users\Admin\AppData\Local\Temp\93E3.tmp"59⤵
- Executes dropped EXE
PID:3448 -
C:\Users\Admin\AppData\Local\Temp\9460.tmp"C:\Users\Admin\AppData\Local\Temp\9460.tmp"60⤵
- Executes dropped EXE
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\94CE.tmp"C:\Users\Admin\AppData\Local\Temp\94CE.tmp"61⤵
- Executes dropped EXE
PID:4324 -
C:\Users\Admin\AppData\Local\Temp\954B.tmp"C:\Users\Admin\AppData\Local\Temp\954B.tmp"62⤵
- Executes dropped EXE
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\95C8.tmp"C:\Users\Admin\AppData\Local\Temp\95C8.tmp"63⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\9654.tmp"C:\Users\Admin\AppData\Local\Temp\9654.tmp"64⤵
- Executes dropped EXE
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\96E1.tmp"C:\Users\Admin\AppData\Local\Temp\96E1.tmp"65⤵
- Executes dropped EXE
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\976D.tmp"C:\Users\Admin\AppData\Local\Temp\976D.tmp"66⤵
- Executes dropped EXE
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\97FA.tmp"C:\Users\Admin\AppData\Local\Temp\97FA.tmp"67⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\9896.tmp"C:\Users\Admin\AppData\Local\Temp\9896.tmp"68⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\9923.tmp"C:\Users\Admin\AppData\Local\Temp\9923.tmp"69⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\99A0.tmp"C:\Users\Admin\AppData\Local\Temp\99A0.tmp"70⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\9A0D.tmp"C:\Users\Admin\AppData\Local\Temp\9A0D.tmp"71⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\9A8A.tmp"C:\Users\Admin\AppData\Local\Temp\9A8A.tmp"72⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\9B17.tmp"C:\Users\Admin\AppData\Local\Temp\9B17.tmp"73⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\9B94.tmp"C:\Users\Admin\AppData\Local\Temp\9B94.tmp"74⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\9C01.tmp"C:\Users\Admin\AppData\Local\Temp\9C01.tmp"75⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp"C:\Users\Admin\AppData\Local\Temp\9C7E.tmp"76⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\9CFB.tmp"C:\Users\Admin\AppData\Local\Temp\9CFB.tmp"77⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\9D69.tmp"C:\Users\Admin\AppData\Local\Temp\9D69.tmp"78⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\9DF5.tmp"C:\Users\Admin\AppData\Local\Temp\9DF5.tmp"79⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\9E53.tmp"C:\Users\Admin\AppData\Local\Temp\9E53.tmp"80⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\9EC0.tmp"C:\Users\Admin\AppData\Local\Temp\9EC0.tmp"81⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\9F1E.tmp"C:\Users\Admin\AppData\Local\Temp\9F1E.tmp"82⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\9F6C.tmp"C:\Users\Admin\AppData\Local\Temp\9F6C.tmp"83⤵PID:500
-
C:\Users\Admin\AppData\Local\Temp\9FDA.tmp"C:\Users\Admin\AppData\Local\Temp\9FDA.tmp"84⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\A066.tmp"C:\Users\Admin\AppData\Local\Temp\A066.tmp"85⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\A0E3.tmp"C:\Users\Admin\AppData\Local\Temp\A0E3.tmp"86⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\A1AE.tmp"C:\Users\Admin\AppData\Local\Temp\A1AE.tmp"87⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\A23B.tmp"C:\Users\Admin\AppData\Local\Temp\A23B.tmp"88⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\A2A8.tmp"C:\Users\Admin\AppData\Local\Temp\A2A8.tmp"89⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\A335.tmp"C:\Users\Admin\AppData\Local\Temp\A335.tmp"90⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"C:\Users\Admin\AppData\Local\Temp\A3C2.tmp"91⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\A42F.tmp"C:\Users\Admin\AppData\Local\Temp\A42F.tmp"92⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\A4AC.tmp"C:\Users\Admin\AppData\Local\Temp\A4AC.tmp"93⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\A548.tmp"C:\Users\Admin\AppData\Local\Temp\A548.tmp"94⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\A5B6.tmp"C:\Users\Admin\AppData\Local\Temp\A5B6.tmp"95⤵PID:316
-
C:\Users\Admin\AppData\Local\Temp\A613.tmp"C:\Users\Admin\AppData\Local\Temp\A613.tmp"96⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\A681.tmp"C:\Users\Admin\AppData\Local\Temp\A681.tmp"97⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\A70D.tmp"C:\Users\Admin\AppData\Local\Temp\A70D.tmp"98⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\A7C9.tmp"C:\Users\Admin\AppData\Local\Temp\A7C9.tmp"99⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\A875.tmp"C:\Users\Admin\AppData\Local\Temp\A875.tmp"100⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\A911.tmp"C:\Users\Admin\AppData\Local\Temp\A911.tmp"101⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"C:\Users\Admin\AppData\Local\Temp\A9AD.tmp"102⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\AA0B.tmp"C:\Users\Admin\AppData\Local\Temp\AA0B.tmp"103⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\AA88.tmp"C:\Users\Admin\AppData\Local\Temp\AA88.tmp"104⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\AB15.tmp"C:\Users\Admin\AppData\Local\Temp\AB15.tmp"105⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\AB92.tmp"C:\Users\Admin\AppData\Local\Temp\AB92.tmp"106⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\AC1E.tmp"C:\Users\Admin\AppData\Local\Temp\AC1E.tmp"107⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\AC9B.tmp"C:\Users\Admin\AppData\Local\Temp\AC9B.tmp"108⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\AD38.tmp"C:\Users\Admin\AppData\Local\Temp\AD38.tmp"109⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\ADB5.tmp"C:\Users\Admin\AppData\Local\Temp\ADB5.tmp"110⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\AE22.tmp"C:\Users\Admin\AppData\Local\Temp\AE22.tmp"111⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\AE9F.tmp"C:\Users\Admin\AppData\Local\Temp\AE9F.tmp"112⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\AF1C.tmp"C:\Users\Admin\AppData\Local\Temp\AF1C.tmp"113⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\AFA9.tmp"C:\Users\Admin\AppData\Local\Temp\AFA9.tmp"114⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\B026.tmp"C:\Users\Admin\AppData\Local\Temp\B026.tmp"115⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\B0B2.tmp"C:\Users\Admin\AppData\Local\Temp\B0B2.tmp"116⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\B13F.tmp"C:\Users\Admin\AppData\Local\Temp\B13F.tmp"117⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\B1BC.tmp"C:\Users\Admin\AppData\Local\Temp\B1BC.tmp"118⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\B248.tmp"C:\Users\Admin\AppData\Local\Temp\B248.tmp"119⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\B2D5.tmp"C:\Users\Admin\AppData\Local\Temp\B2D5.tmp"120⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\B362.tmp"C:\Users\Admin\AppData\Local\Temp\B362.tmp"121⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\B3DF.tmp"C:\Users\Admin\AppData\Local\Temp\B3DF.tmp"122⤵PID:1316