Analysis
-
max time kernel
42s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22-09-2024 02:21
General
-
Target
f117d1405dc44218e7c22f108a5d8b2e_JaffaCakes118.exe
-
Size
341KB
-
MD5
f117d1405dc44218e7c22f108a5d8b2e
-
SHA1
337625f7878c3867366d969c652ce47b05470a49
-
SHA256
b7398f2e2567e70dc8649595f30b93697c9d2561c247b3f648193fbb31c22e93
-
SHA512
9003c8ff1d9d852b13959e805a8b487570ec3b1cee83412a5a4474586499cdd6cb54eb79232bf29a4bd1b7c0a930036ebf65be918299238f367c36d52d2999b9
-
SSDEEP
6144:zwROOloJ7dZGPGVNN6dEf0/wogNUHlyDUOp5uRxeytb:MR3loBFV2IS7gNT/MJt
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f117d1405dc44218e7c22f108a5d8b2e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f117d1405dc44218e7c22f108a5d8b2e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scr"C:\Users\Admin\AppData\Local\Temp\mm.scr" /S2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr65⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr66⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr67⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr68⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr69⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr70⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr71⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr72⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr73⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr74⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr75⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr76⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr77⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr78⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr79⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr80⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr81⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr82⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr83⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr84⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr85⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr86⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr87⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr88⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr89⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr90⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr91⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr92⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr93⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr94⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr95⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr96⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr97⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr98⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr99⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr100⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr101⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr102⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr103⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr104⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr105⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr106⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr107⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr108⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr109⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr110⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr111⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr112⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr113⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr114⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr115⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr116⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr117⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr118⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr119⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr120⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.scrC:\Users\Admin\AppData\Local\Temp\mm.scr121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-