49472d5be5997279db82328a72c0391141ae401b7b72af3160655d69838cdb26

Analysis

max time kernel
3s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6872760a20588e95b44c9d573a6b643.exe
Size

15KB
MD5

b6872760a20588e95b44c9d573a6b643
SHA1

1a0e14049c79b09500cd61095d9470c599c9c6f5
SHA256

49472d5be5997279db82328a72c0391141ae401b7b72af3160655d69838cdb26
SHA512

8690435c6f01c75c5df9cccf39aa9604fe60712b9cae01b7be61573d8290b368f23ed7c1b016c27d9ae5e7a1fe06bb9f0812d26cde648dd0d820f251af4afeed
SSDEEP

384:II761Bek+IUVu2besUSfCJqcjTEm1sMtEZ2M4UVE:w+xHasU1JqcjTE5yEZ2MPi

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2912	lpsgajba.exe
944	lpsgajba.exe
3984	lpsgajba.exe
3872	lpsgajba.exe

Loads dropped DLL 8 IoCs

pid	Process
2212	b6872760a20588e95b44c9d573a6b643.exe
2212	b6872760a20588e95b44c9d573a6b643.exe
2912	lpsgajba.exe
2912	lpsgajba.exe
944	lpsgajba.exe
944	lpsgajba.exe
3984	lpsgajba.exe
3984	lpsgajba.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}\ = "apsgajba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}\ = "apsgajba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}\ = "apsgajba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}	b6872760a20588e95b44c9d573a6b643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1FD45A54-9875-698F-E56E-65102358FDF1}\ = "apsgajba.dll"	b6872760a20588e95b44c9d573a6b643.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lpsgajba.exe	b6872760a20588e95b44c9d573a6b643.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	b6872760a20588e95b44c9d573a6b643.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgajba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgajba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgajba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgajba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	b6872760a20588e95b44c9d573a6b643.exe
File opened for modification	C:\Windows\SysWOW64\apsgajba.dll	b6872760a20588e95b44c9d573a6b643.exe
File created	C:\Windows\SysWOW64\apsgajba.dll	b6872760a20588e95b44c9d573a6b643.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	b6872760a20588e95b44c9d573a6b643.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b6872760a20588e95b44c9d573a6b643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ThreadingModel = "Apartment"	b6872760a20588e95b44c9d573a6b643.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgajba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgajba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b6872760a20588e95b44c9d573a6b643.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}	b6872760a20588e95b44c9d573a6b643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgajba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32	b6872760a20588e95b44c9d573a6b643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgajba.dll"	b6872760a20588e95b44c9d573a6b643.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD45A54-9875-698F-E56E-65102358FDF1}\InprocServer32	lpsgajba.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2212	b6872760a20588e95b44c9d573a6b643.exe
2212	b6872760a20588e95b44c9d573a6b643.exe
2212	b6872760a20588e95b44c9d573a6b643.exe
2912	lpsgajba.exe
944	lpsgajba.exe
3984	lpsgajba.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	b6872760a20588e95b44c9d573a6b643.exe
Token: SeDebugPrivilege	2912	lpsgajba.exe
Token: SeDebugPrivilege	944	lpsgajba.exe
Token: SeDebugPrivilege	3984	lpsgajba.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2532	2212	b6872760a20588e95b44c9d573a6b643.exe	28
PID 2212 wrote to memory of 2532	2212	b6872760a20588e95b44c9d573a6b643.exe	28
PID 2212 wrote to memory of 2532	2212	b6872760a20588e95b44c9d573a6b643.exe	28
PID 2212 wrote to memory of 2532	2212	b6872760a20588e95b44c9d573a6b643.exe	28
PID 2212 wrote to memory of 2912	2212	b6872760a20588e95b44c9d573a6b643.exe	30
PID 2212 wrote to memory of 2912	2212	b6872760a20588e95b44c9d573a6b643.exe	30
PID 2212 wrote to memory of 2912	2212	b6872760a20588e95b44c9d573a6b643.exe	30
PID 2212 wrote to memory of 2912	2212	b6872760a20588e95b44c9d573a6b643.exe	30
PID 2912 wrote to memory of 744	2912	lpsgajba.exe	31
PID 2912 wrote to memory of 744	2912	lpsgajba.exe	31
PID 2912 wrote to memory of 744	2912	lpsgajba.exe	31
PID 2912 wrote to memory of 744	2912	lpsgajba.exe	31
PID 2912 wrote to memory of 944	2912	lpsgajba.exe	33
PID 2912 wrote to memory of 944	2912	lpsgajba.exe	33
PID 2912 wrote to memory of 944	2912	lpsgajba.exe	33
PID 2912 wrote to memory of 944	2912	lpsgajba.exe	33
PID 944 wrote to memory of 1828	944	lpsgajba.exe	34
PID 944 wrote to memory of 1828	944	lpsgajba.exe	34
PID 944 wrote to memory of 1828	944	lpsgajba.exe	34
PID 944 wrote to memory of 1828	944	lpsgajba.exe	34
PID 944 wrote to memory of 3984	944	lpsgajba.exe	36
PID 944 wrote to memory of 3984	944	lpsgajba.exe	36
PID 944 wrote to memory of 3984	944	lpsgajba.exe	36
PID 944 wrote to memory of 3984	944	lpsgajba.exe	36
PID 3984 wrote to memory of 3936	3984	lpsgajba.exe	37
PID 3984 wrote to memory of 3936	3984	lpsgajba.exe	37
PID 3984 wrote to memory of 3936	3984	lpsgajba.exe	37
PID 3984 wrote to memory of 3936	3984	lpsgajba.exe	37
PID 3984 wrote to memory of 3872	3984	lpsgajba.exe	39
PID 3984 wrote to memory of 3872	3984	lpsgajba.exe	39
PID 3984 wrote to memory of 3872	3984	lpsgajba.exe	39
PID 3984 wrote to memory of 3872	3984	lpsgajba.exe	39

C:\Users\Admin\AppData\Local\Temp\b6872760a20588e95b44c9d573a6b643.exe
"C:\Users\Admin\AppData\Local\Temp\b6872760a20588e95b44c9d573a6b643.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259426308.bat
  2⤵
  PID:2532
- C:\Windows\SysWOW64\lpsgajba.exe
  C:\Windows\system32\lpsgajba.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259426854.bat
    3⤵
    PID:744
- - C:\Windows\SysWOW64\lpsgajba.exe
    C:\Windows\system32\lpsgajba.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259427166.bat
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\lpsgajba.exe
      C:\Windows\system32\lpsgajba.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259428679.bat
        5⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        5⤵
        Executes dropped EXE
        
        PID:3872
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429491.bat
        6⤵
        
        PID:3816
      - C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        6⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259432470.bat
        7⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        7⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433094.bat
        8⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259434202.bat
        9⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        9⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259436854.bat
        10⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        10⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441331.bat
        11⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        11⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259449318.bat
        12⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        12⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450348.bat
        13⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        13⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259451518.bat
        14⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        14⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259453109.bat
        15⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        15⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259532841.bat
        16⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        16⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259539580.bat
        17⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        17⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259540314.bat
        18⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        18⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259562091.bat
        19⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259571389.bat
        17⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259569969.bat
        16⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259563464.bat
        15⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259484372.bat
        14⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259481533.bat
        13⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480191.bat
        12⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259482016.bat
        11⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259472999.bat
        10⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259468179.bat
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259465449.bat
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259463561.bat
        7⤵
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259465527.bat
        6⤵
        
        PID:552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259460550.bat
        5⤵
        
        PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259459802.bat
      4⤵
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259459068.bat
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259457711.bat
  2⤵
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259426308.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259457711.bat

Filesize
197B

MD5
9ae9d8c9e548134bf5c9303db1bc4079

SHA1
df8d83aa6d7bd9fa87eeb59de8de270e359e97e0

SHA256
523cfa33a1a7753a2f9a30c9bdd4c586935f8cc88d89ab0d7db5764e077d6d8f

SHA512
01e9a57c43ab36cbcc05909e647e8c0c4be52dd3ad49135a89f8c75dd351dc57981268c898158d211efcc47dd02bd424da7fcefe0138b5ce01adae88df5389f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259459068.bat

Filesize
121B

MD5
f7475671906b2e843cbc88d6e47f6f78

SHA1
1a0a7c8de2a967b995ae700900eb1126f81815c1

SHA256
9bfef03ba36d0d6c25c42163ebabbd465757011b18b66be1fcf4c5576b1248e4

SHA512
30a261e5c3cb74a5f7ea84ddefa97bd65e6d9d6b9af01e9fc4c25cbef92597c8a1f39d55f51d3f0a054cbe18511029c6f8b07098665fb87ec677fc7f4a2843eb

Download Submit
C:\Windows\SysWOW64\apsgajba.dll

Filesize
128KB

MD5
00d0201494d390b07ea0f3ad415e17ed

SHA1
13f7da976a530da70b854d3c27820aa6032c9d3e

SHA256
18eba9f4ae2425c4ac83481f8cc8abe01f4e67f674ae52984b15c1d9bfed1c3b

SHA512
2a2e3bf6fbde895fb3140952ee7667bcb3e1647f6df59df45cfe44dd73ad28c4b04bba70151e11064f4a0e7e7706e1f3e5db362ddbc1ef8ef17f10a32adb5c9f

Download Submit
C:\Windows\SysWOW64\apsgajba.dll

Filesize
524KB

MD5
074908cb10089d3ac3f02ac1cc1132f0

SHA1
d3bdf38ca33f94de423450f77e76c4689036a52b

SHA256
7110f6d5ba6b879b519bd1e67b54f4d36ee7b53c4119033dce5cd54df24d3a3b

SHA512
1d2bd04ba9a6d88b4601a1f8ff07c4b198c2b19db4f591c9daac74149fa83b6273ac745420e7839a34286b86ed8863bcabc34771faec37b42116c615f601d740

Download Submit
C:\Windows\SysWOW64\apsgajba.dll

Filesize
136KB

MD5
433014c034cc97c8a57f9e9f2edca0fc

SHA1
5f28d8ba4cf3d437e6f2053ec1ecca14b2e5ee93

SHA256
e00ddf86f4334dd02f4562abc115d57b7869c65419888591783eaa55b816e121

SHA512
79b62de55d142881a6c2a312c38cd15c6edb9edc94f993611bcb7bfe348bd2b4129c61206d06042d025bfb9118e217083fcd5e30a08c77f3b8c04d063baf1b55

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
1KB

MD5
7a6a1a6aa4554fc93808e3f5ef3cccb7

SHA1
2a9b90eae9a70ae5248cbbffc13fce4b71ebff8d

SHA256
58979bef961a09bc90b3b8cea45c2091faddcac8e89d654f86baeab96a9e209d

SHA512
a0b5d0322923165051c9ca142589a84553242ea65393538130d1d4bfd2b54694c6240296d1dd8c2aac55bdcb0008ab2ce5800d7c09bee39c9b083fc5d72129f7

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
1KB

MD5
5117d63f06c933ef59ce7499658d9cb9

SHA1
58913eb371fd59f918c74a8e191e3b3e518a3319

SHA256
5871c22385ab4f998ea3bc9f3cfc0f944a32d6285d15c2699b34a617d92ee0fc

SHA512
4578cfcf20a4661cc9f333ceb46bfa05093a816d0fcfa5737529a5e9fbcea46bd2d37848f30d126167ad7ae0663b240f3372699b8c4ad3cfd860f6c702fef79e

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
2KB

MD5
4d44c97f6a9ff94a1d5ebaefabb2b672

SHA1
ea52d410f15f77de6f4eb18841be165e6f11230d

SHA256
180e130638a733bdb06525d98302fa5bf15d21ce76a209ffbb4a603592de9e16

SHA512
a426606ad7f832c1743d5d879005b875d4c2f26fe1ab2befc27941a7805a9272ea3bb499757160837a41eae63db6a49fae1cb42ad3812a5a7c4f51c003fbca0a

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
2KB

MD5
faf0079596234b77d0b6b43288a86aee

SHA1
0f0741436f4afd01f823aff0482e4fcfa4583ee5

SHA256
8e22a9d644c4ab9bbe7363dcf7ecb675c5cf9c35011541547fd73d19722662ab

SHA512
7d4ba0aec2c7c3d6756ca7ebb8c6cba9ce50bc95dac37b435796defac442b2db2c15b760afff5c83b78dc0a72202eab563f864f80fbb63114196c1e89d0d6339

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
3KB

MD5
e22c3f3fe6e280ffee69af1557e3e491

SHA1
ab9da15ac740bed569005711291fbcc5409910ae

SHA256
1a00361546767bedf15d702e7a09e128acd5489c7aa772f8cf8b87f7106ffda7

SHA512
f2896354a92e2790092797141df284d0bed7dbf09b3e51fd44f7515f80d0e4c1375aabb2cb9c17d89a7ad3eaddca7f579655ffd6118257635824831e0f801a6c

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
4KB

MD5
fab33ab68a1ee6321fcd97d57f0e8d66

SHA1
2bc8749425277be7a17dc6ee5cf6ce7c7bf455e7

SHA256
1966d0daba744a479eef2fd3b5b442c17eaf8cc31a2d2048317d573d26eba3dd

SHA512
8e5622892e680aead03fe99c1ff54981e5a72cf559027a830730b1d2f0cb6abb4606a7df627fe7f87c2a99e87daf8014919e613113330c80f86b7219bc0ad04a

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
4KB

MD5
1d03c1e3f53e4ea690fcd27637bbe4fc

SHA1
733a752905bc6face1fb4a55693a265839ade7da

SHA256
860da11b8bdf95ecfc887b5e32eb1b51bd1625ff36343ee99e961c1bf3a4e628

SHA512
2be7947e5f8bcb60b50df2b1f963325dc7574bff6e2bc43e830776daf505eba91c1f001e5e9cb1e98b888c3278b5807482d49caacb0bb0848318ad2004070f78

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
5KB

MD5
a937f3c8e47212cd8bf58bfeedbc472e

SHA1
3ae927fa7b07dc82e19c33d80ec65edb5e9e4fea

SHA256
09604690ae94a7cbb20b40a05b8daa68f604baa0ad5724e0de057dc9d977f9d4

SHA512
863b6b03dc12a6414cef51ca553f1499daec6fd23ae219393df8d0ee62ca9ec054e70adb28524087c7da5059e97cac4ea6a91464465663f35d95ed542bfaf18e

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
6KB

MD5
954fab473fad9b1ba2cc8bb0f15565ed

SHA1
8c7857ac46833a4fec3d6640f934f1f6e98792fb

SHA256
a9cdf623713f510bc7faafbe536dfa7738106d8a30a0dd848f9470886d9c58a4

SHA512
a29e2a07865aa1efa4f808475565d86d1200c553beb2d77e01c1615a59505bd85289aff833121bc6f9844857c28a79eda2a54946e9782413df4bd4a4936c3482

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
6KB

MD5
d70faafaaa422749ef404404b5b545a0

SHA1
85077e4d8227fa15699d8f0b8cbacb1574286784

SHA256
2787ed2fc7ace951bc2da3de1b30e086a02cd29624f694cdbaf8eaacf55ff194

SHA512
2cb437531713a2ef086bb68c45c0c127e4461d53cf983c5d15fbb0d96eda9f3b08c2d120fccfef231751ba21be522fb777b9048944e17ded6337c8a7f7d009f3

Download Submit
\Windows\SysWOW64\lpsgajba.exe

Filesize
15KB

MD5
b6872760a20588e95b44c9d573a6b643

SHA1
1a0e14049c79b09500cd61095d9470c599c9c6f5

SHA256
49472d5be5997279db82328a72c0391141ae401b7b72af3160655d69838cdb26

SHA512
8690435c6f01c75c5df9cccf39aa9604fe60712b9cae01b7be61573d8290b368f23ed7c1b016c27d9ae5e7a1fe06bb9f0812d26cde648dd0d820f251af4afeed

Download Submit
memory/944-2089-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/944-4007-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/944-3743-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/944-1527-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/944-2090-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/1972-4259-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2212-3174-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2212-3142-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2212-3140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2212-1033-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2212-1026-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2212-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2484-9253-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2484-7849-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2912-1172-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2912-3177-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2912-1050-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/3360-5868-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3360-4256-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3360-4258-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3872-3124-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3872-4225-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3872-4218-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3872-3122-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3984-2102-0x0000000000380000-0x000000000039A000-memory.dmp

Filesize
104KB

Download
memory/4536-5409-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4536-4239-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4536-4242-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4536-5744-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4564-9468-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/4564-9467-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/4564-8443-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4572-8442-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4572-9466-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4760-3155-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/4760-5284-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/4760-5283-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/4860-5285-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/4860-3160-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/4860-3158-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/4860-5286-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/5100-5387-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5100-4216-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6004-6401-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6004-8962-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6004-8963-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6004-6643-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download