Analysis
-
max time kernel
34s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 19:56
General
-
Target
ee51a087d5dc2b078fe32651202d964e_JaffaCakes118.exe
-
Size
301KB
-
MD5
ee51a087d5dc2b078fe32651202d964e
-
SHA1
a1c81574a0eb4f3a066fcf593fee215733524a31
-
SHA256
28c0647e6589a27872eea7158b066d291b40767daef5642e8fe4b9a0479de3b3
-
SHA512
17448623c8f598d775b8848881459ab035f425ec134d5e25ed6ddd0c4ed1efd5f8aee4d741845cb4acf6d4578ff16825266dd83543591f4946788243058e11b6
-
SSDEEP
6144:hDKOloJ7dZGPGVNN6dEf0/wogNUHlyDUIzuCEUPE:h7loBFV2IS7gNTNuN
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee51a087d5dc2b078fe32651202d964e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ee51a087d5dc2b078fe32651202d964e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scr"C:\Users\Admin\AppData\Local\Temp\asd.scr" /S2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr65⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr66⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr67⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr68⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr69⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr70⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr71⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr72⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr73⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr74⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr75⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr76⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr77⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr78⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr79⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr80⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr81⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr82⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr83⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr84⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr85⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr86⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr87⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr88⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr89⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr90⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr91⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr92⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr93⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr94⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr95⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr96⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr97⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr98⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr99⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr100⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr101⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr102⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr103⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr104⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr105⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr106⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr107⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr108⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr109⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr110⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr111⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr112⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr113⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr114⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr115⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr116⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr117⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr118⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr119⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr120⤵
-
C:\Users\Admin\AppData\Local\Temp\asd.scrC:\Users\Admin\AppData\Local\Temp\asd.scr121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-