Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 12:57
Behavioral task: behavioral1
- Sample: 2bc44d2851c993a5ce3ca7359a5557a887ca6f061c291ed82063d2485b0ece3d.exe
- Resource: win7-20240215-en
General
- Target: 2bc44d2851c993a5ce3ca7359a5557a887ca6f061c291ed82063d2485b0ece3d.exe
- Size: 712KB
- MD5: 0384f9b41d5792aa3eb7ff8a6494ef30
- SHA1: ab4e1ed4dbc5a9f1cacf389ac4a61cf3ae35bf6c
- SHA256: 2bc44d2851c993a5ce3ca7359a5557a887ca6f061c291ed82063d2485b0ece3d
- SHA512: 5736b077b0f12eb358eb6eead681d666dcc4ef886ad23b71905edeca0280d3baf9316d28f1b1ddaed96ce4dd5bdfbfa0afa353e773cc140e4c15a3ab12ac0de2
- SSDEEP: 12288:FU5rCOTeiD7FqQE+9js0NNZsNZdCvq5TJLCvY90D8/LVBlVk736Y79GWzNbA:FUQOJDRqQdXiNnCvq5TJLCvY90D8/LVH
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes