a00f57c4391474f6e3e611cb5b33bda52b89d39567b8033f9ae5df24e8a41568

Analysis

max time kernel
2s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Size

16KB
MD5

3f927640d76646070a7b06e132614775
SHA1

190d60d255111a5af4e1d79146f08d3c1b779a7c
SHA256

a00f57c4391474f6e3e611cb5b33bda52b89d39567b8033f9ae5df24e8a41568
SHA512

d0b951b3b47c171f5d4b0ffaba527420ec18aa1b888cc6e0b4b7fc1330665810e6a6157c38b1c398294566d21eacb75b962aed95d851e87b3a263b4fb2c1de54
SSDEEP

384:IP76ysUerVAVw7otWU0De6GnIu9wzcceOeKDMIcjARx:fbrrCw8M3DKn+AcsKQjC

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
5400	lpsgajba.exe
5512	lpsgajba.exe
5600	lpsgajba.exe
2560	lpsgajba.exe
2540	lpsgajba.exe
1368	lpsgajba.exe

Loads dropped DLL 12 IoCs

pid	Process
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
5400	lpsgajba.exe
5400	lpsgajba.exe
5512	lpsgajba.exe
5512	lpsgajba.exe
5600	lpsgajba.exe
5600	lpsgajba.exe
2560	lpsgajba.exe
2560	lpsgajba.exe
2540	lpsgajba.exe
2540	lpsgajba.exe

Installs/modifies Browser Helper Object 2 TTPs 12 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lpsgajba.exe	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
5400	lpsgajba.exe
5400	lpsgajba.exe
5400	lpsgajba.exe
5400	lpsgajba.exe
5512	lpsgajba.exe
5600	lpsgajba.exe
5600	lpsgajba.exe
5600	lpsgajba.exe
5600	lpsgajba.exe
5600	lpsgajba.exe
5600	lpsgajba.exe
5600	lpsgajba.exe
2560	lpsgajba.exe
2560	lpsgajba.exe
2560	lpsgajba.exe
2560	lpsgajba.exe
2560	lpsgajba.exe
2560	lpsgajba.exe
2560	lpsgajba.exe
2540	lpsgajba.exe
2540	lpsgajba.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Token: SeDebugPrivilege	5400	lpsgajba.exe
Token: SeDebugPrivilege	5512	lpsgajba.exe
Token: SeDebugPrivilege	5600	lpsgajba.exe
Token: SeDebugPrivilege	2560	lpsgajba.exe
Token: SeDebugPrivilege	2540	lpsgajba.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 772	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	30
PID 3016 wrote to memory of 772	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	30
PID 3016 wrote to memory of 772	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	30
PID 3016 wrote to memory of 772	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	30
PID 3016 wrote to memory of 5400	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	32
PID 3016 wrote to memory of 5400	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	32
PID 3016 wrote to memory of 5400	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	32
PID 3016 wrote to memory of 5400	3016	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	32
PID 5400 wrote to memory of 5464	5400	lpsgajba.exe	33
PID 5400 wrote to memory of 5464	5400	lpsgajba.exe	33
PID 5400 wrote to memory of 5464	5400	lpsgajba.exe	33
PID 5400 wrote to memory of 5464	5400	lpsgajba.exe	33
PID 5400 wrote to memory of 5512	5400	lpsgajba.exe	35
PID 5400 wrote to memory of 5512	5400	lpsgajba.exe	35
PID 5400 wrote to memory of 5512	5400	lpsgajba.exe	35
PID 5400 wrote to memory of 5512	5400	lpsgajba.exe	35
PID 5512 wrote to memory of 5560	5512	lpsgajba.exe	36
PID 5512 wrote to memory of 5560	5512	lpsgajba.exe	36
PID 5512 wrote to memory of 5560	5512	lpsgajba.exe	36
PID 5512 wrote to memory of 5560	5512	lpsgajba.exe	36
PID 5512 wrote to memory of 5600	5512	lpsgajba.exe	38
PID 5512 wrote to memory of 5600	5512	lpsgajba.exe	38
PID 5512 wrote to memory of 5600	5512	lpsgajba.exe	38
PID 5512 wrote to memory of 5600	5512	lpsgajba.exe	38
PID 5600 wrote to memory of 5688	5600	lpsgajba.exe	39
PID 5600 wrote to memory of 5688	5600	lpsgajba.exe	39
PID 5600 wrote to memory of 5688	5600	lpsgajba.exe	39
PID 5600 wrote to memory of 5688	5600	lpsgajba.exe	39
PID 5600 wrote to memory of 2560	5600	lpsgajba.exe	41
PID 5600 wrote to memory of 2560	5600	lpsgajba.exe	41
PID 5600 wrote to memory of 2560	5600	lpsgajba.exe	41
PID 5600 wrote to memory of 2560	5600	lpsgajba.exe	41
PID 2560 wrote to memory of 2760	2560	lpsgajba.exe	42
PID 2560 wrote to memory of 2760	2560	lpsgajba.exe	42
PID 2560 wrote to memory of 2760	2560	lpsgajba.exe	42
PID 2560 wrote to memory of 2760	2560	lpsgajba.exe	42
PID 2560 wrote to memory of 2540	2560	lpsgajba.exe	43
PID 2560 wrote to memory of 2540	2560	lpsgajba.exe	43
PID 2560 wrote to memory of 2540	2560	lpsgajba.exe	43
PID 2560 wrote to memory of 2540	2560	lpsgajba.exe	43
PID 2540 wrote to memory of 2168	2540	lpsgajba.exe	45
PID 2540 wrote to memory of 2168	2540	lpsgajba.exe	45
PID 2540 wrote to memory of 2168	2540	lpsgajba.exe	45
PID 2540 wrote to memory of 2168	2540	lpsgajba.exe	45
PID 2540 wrote to memory of 1368	2540	lpsgajba.exe	47
PID 2540 wrote to memory of 1368	2540	lpsgajba.exe	47
PID 2540 wrote to memory of 1368	2540	lpsgajba.exe	47
PID 2540 wrote to memory of 1368	2540	lpsgajba.exe	47

C:\Users\Admin\AppData\Local\Temp\3f927640d76646070a7b06e132614775_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f927640d76646070a7b06e132614775_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455215.bat
  2⤵
  PID:772
- C:\Windows\SysWOW64\lpsgajba.exe
  C:\Windows\system32\lpsgajba.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455465.bat
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\lpsgajba.exe
    C:\Windows\system32\lpsgajba.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455496.bat
      4⤵
      PID:5560
  - - C:\Windows\SysWOW64\lpsgajba.exe
      C:\Windows\system32\lpsgajba.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455636.bat
        5⤵
        
        PID:5688
    - - C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455761.bat
        6⤵
        
        PID:2760
      - C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455917.bat
        7⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        7⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259458944.bat
        8⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        8⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259460722.bat
        9⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        9⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531281.bat
        10⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        10⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531890.bat
        11⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        11⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259539128.bat
        12⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        12⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259539939.bat
        13⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        13⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259540891.bat
        14⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        14⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259551171.bat
        15⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        15⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259553543.bat
        16⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        16⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259554588.bat
        17⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        17⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259554744.bat
        18⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        18⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259555368.bat
        19⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        19⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259555633.bat
        20⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        20⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259556772.bat
        21⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        21⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259557302.bat
        22⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        22⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259558004.bat
        23⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        23⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259558098.bat
        24⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        24⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259558379.bat
        25⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        25⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259559876.bat
        26⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        26⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259560937.bat
        27⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        27⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259562357.bat
        28⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        28⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259563371.bat
        29⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        29⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259563885.bat
        30⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        30⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259564697.bat
        31⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        31⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259564977.bat
        32⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        32⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259565445.bat
        33⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        33⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259567629.bat
        34⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        34⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259568690.bat
        35⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        35⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259570765.bat
        36⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        36⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259571701.bat
        37⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        37⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572122.bat
        38⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        38⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259573136.bat
        39⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        39⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259578440.bat
        40⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        40⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259579454.bat
        41⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        41⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259580422.bat
        42⤵
        
        PID:184
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        42⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259580671.bat
        43⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        43⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259581748.bat
        44⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        44⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259582871.bat
        45⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        45⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259583838.bat
        46⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        46⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259589002.bat
        47⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        47⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259595881.bat
        48⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259601045.bat
        34⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259599688.bat
        33⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259595990.bat
        32⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259595663.bat
        31⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259595663.bat
        30⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259595460.bat
        29⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259595460.bat
        28⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259595460.bat
        27⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259594009.bat
        26⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259591076.bat
        25⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259589938.bat
        24⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259590265.bat
        23⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259590094.bat
        22⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259590156.bat
        21⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259589282.bat
        20⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259588580.bat
        19⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259586708.bat
        18⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259586708.bat
        17⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259586365.bat
        16⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259584197.bat
        15⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259581451.bat
        14⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259570593.bat
        12⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259570391.bat
        11⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259561265.bat
        9⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493529.bat
        8⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493420.bat
        7⤵
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493576.bat
        6⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259491673.bat
        5⤵
        
        PID:5432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259486135.bat
      4⤵
      PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259503685.bat
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259489317.bat
  2⤵
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259455215.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259486135.bat

Filesize
121B

MD5
f7475671906b2e843cbc88d6e47f6f78

SHA1
1a0a7c8de2a967b995ae700900eb1126f81815c1

SHA256
9bfef03ba36d0d6c25c42163ebabbd465757011b18b66be1fcf4c5576b1248e4

SHA512
30a261e5c3cb74a5f7ea84ddefa97bd65e6d9d6b9af01e9fc4c25cbef92597c8a1f39d55f51d3f0a054cbe18511029c6f8b07098665fb87ec677fc7f4a2843eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259489317.bat

Filesize
225B

MD5
3a0e08a554ee4b4f9259b95dcffdb150

SHA1
47cae890ba2170c391aad9df7db94a0186d7c980

SHA256
6fc38f0e9b3388cce14116238003e792f69cd84162715241c22e4810c5fe5117

SHA512
6682e75fb53a6cecb67d44e30d104a45fc491dbf9454ca55b4889e61b718f6a379434967c84d0e9e857a90329d6382a88edeb4abf897cca833cf956f10278a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259586708.bat

Filesize
242B

MD5
bf39e9a1816c9ffa85fd4306a4df1044

SHA1
9307051770e9f9d6803bd3faebf1ffbb8f48549e

SHA256
de61fa305661e12fb488646d7a1ee2ba8f1b37b062d98ab70b3f0a3b8272819c

SHA512
ac75481cf12cbe16bac344aba244c94fcf9d82820f6f81c75770ca06af4fef09dc65344a607be3299ab00f386bebd660b6c139a21b2d34a65a73dda8548ebf05

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259595460.bat

Filesize
363B

MD5
88e34286fd5f25ff85a4f4578f3324a3

SHA1
3cba509435737894c63cd9e63cba5486dd2cd1dd

SHA256
8e1bcc1b2f10010879f065b5f906d14b00d8f78084b5096634163a944d8ce13f

SHA512
f5d95f92273a6ae3d7f324141469bda748a3cc0906e02d12ff0e451625e7a7aeaf48a4431a9154bb6cd85b331aaeefc8f7bc2d2f5885b0804cedeaffd9c5a30d

Download Submit
C:\Windows\SysWOW64\apsgfjba.dll

Filesize
525KB

MD5
15ae13d4f551c4d827669a4dcef9f337

SHA1
515ca3e827cdbb9f4c7add71f8715852fb157397

SHA256
a8b6a866d4cd92bd2687351061d27e39ffa55ec586d9da9da4261454c214a53b

SHA512
496581224da129499ba1e9f9858597ae8ac8f0753cd842f98ff33161b11081a0c835fea7fdee3fec72846639068e3c81ab75d9fe6d6445f382b5a9f57a11e7b4

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
1KB

MD5
9277e35b9f928d0c5a090166aff4c15c

SHA1
e483754979050747e8c288d60f7a2129db5ef5d1

SHA256
13a5c11ff7cb2f0ff6677e6d9bca9ff5ba9d44e378b9ff5d1bf9fac1d6dbb749

SHA512
dec63021b72922ac4ef2e5899c1b939eb168da6c3c56f042112202ba3dc8b9948de00b58dcc0a39019b78cf2eec459f2439c857416258dd44d795a469096f379

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
2KB

MD5
ffbac150027e090c6259796d93afddfa

SHA1
5651178a4509d267765e5cb0883cb4d0a886071f

SHA256
84bd7f9e368fb833b662389f6558091f708887b0e126d6868f90819ad00ca0c2

SHA512
a55d37839c14c11206636e3879e75edc0e98aa251335803bddb53eb81df0ca9e5378576e519f9665776ceedc0e66170e451332bfc248baba6d0f72d8cce02883

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
2KB

MD5
300b26dd8ffb5f47dff2a5fe003c7f12

SHA1
7dd948894c3ef11b4d5897f173fd4e9aba4ecc04

SHA256
09d518664c66d9486a96aa2378fc459e2bc45a269b1db02d6929d2f44adc59e5

SHA512
b62f984626b1f2438691fc3d4e80b73bb5380079c99319224d555cf96d812ea08d1e4d4ece86f59ba50721cf9bf7585ae24d33adbb8efa3d68306c260c474cf5

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
3KB

MD5
8c153e7c0fe6b0f4cf5a4252e3415376

SHA1
3d911302be44282e060b54d085297273ca026ba3

SHA256
fed00c866f73afaf3df18f8c68726cb852f1af4bb768261f1ceb2f5413a31510

SHA512
c02bfb6ae8dde2927da017cbb7cefa4f554e60daea160702db9faf7c161b1ee24283bb8585487155ca691f8a3b09a417b5fe3c6c20fac89a8e0490c296eacd26

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
3KB

MD5
13a3517edf6e13fae80533b554f09373

SHA1
306bd2529e3c3f1f4b1446b150f7fad133bfd698

SHA256
c9deb90d85d692241d64ba86472db69a0419ae0324103f782f0610b380943a3c

SHA512
0173d7ccee005cc94e5164a8a50a0eda4743ca70a62a70246d8b22d7ea2390f45ce3ff15f16940ebf2e6b646827b7c165e9a11c51a9063bc607bfa60afd7ad33

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
4KB

MD5
a3bc76cbae15cb3a1134139c9adc2f37

SHA1
a7606007eab97a710370e3574a3f3b4e570a806f

SHA256
b1d480be04be3cc8cf6fdc09f6fac61672d68121d59308cd675e53e3bf442863

SHA512
4a1b9d617a5bed0ab7a3af95d0b4cd13a616c80b8655097e353b716f1ad7e0dd4d4baeb7f5fe4b0a198a81750eedce1a3233b3525a2b77551b15e635382a2831

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
4KB

MD5
98616fb7d908b82696caf46399842007

SHA1
0c696a7086528ea3718cfab30f07cd9f3795f1a6

SHA256
3aa17d97ef8008bded79dbfaf75147785f5e0b25f5db1f9a0f5e7bcd05e0f2a2

SHA512
4cd80d89449735998cbe83ac9bb4485afa9133b7c364efb98fb866285aa74b0fe2001731f9969391e277646e291b8ecaea09e3f09d9ce3be8b8235646f7dbea6

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
5KB

MD5
f1b646b10ba523bf9f3505466b4badd0

SHA1
d6d840ef469595c956d85ba47493dc3c61a6d7b1

SHA256
0b18a67de32b7b1ea825c76b648bd5922de9bb6920a97c91a0f62c0375c7f928

SHA512
c02d5e3e152c6aeade757e5ca54b534075a7b79e9a475af3e265e858c4d16fb994e867f92c301e06588cbfb1cf32d111ca3c91d659bcbca1de1de7401129b3de

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
5KB

MD5
f36d6b48b9ca03a2bfbe1a9c5097b3ac

SHA1
11c21e1a4e194bff7965099272df3c9aa7954544

SHA256
2df7687ba642b1b67ef6d16be82d7305f06b41f7611acd3fe5fc7815c7470b7c

SHA512
ae420a5b208c3f8ce0bcb842902f2fd6ce8ad54e9ac8fc577dc07930cff46ab088943a5af84ce94c1f9bd97d8590eb48e4a3b8ee0adc9566d40f046ffdcc1fe9

Download Submit
C:\Windows\SysWOW64\lpsgajba.exe

Filesize
16KB

MD5
3f927640d76646070a7b06e132614775

SHA1
190d60d255111a5af4e1d79146f08d3c1b779a7c

SHA256
a00f57c4391474f6e3e611cb5b33bda52b89d39567b8033f9ae5df24e8a41568

SHA512
d0b951b3b47c171f5d4b0ffaba527420ec18aa1b888cc6e0b4b7fc1330665810e6a6157c38b1c398294566d21eacb75b962aed95d851e87b3a263b4fb2c1de54

Download Submit
memory/1368-2132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1368-2149-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1368-2150-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1368-2306-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1456-15547-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1456-15548-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1456-12475-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1456-12476-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1548-21713-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/1548-16597-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/1548-16598-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/1548-21712-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/2540-2305-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2540-2304-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2540-2131-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2540-2130-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2560-2303-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2560-2126-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2560-2110-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2560-2301-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3016-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3016-2296-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3016-1063-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3016-1064-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3044-14523-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3044-10431-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3044-10432-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3044-14522-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3060-15562-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3060-15563-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3060-15550-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3060-18649-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3060-18648-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3428-22736-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3428-22737-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3480-15575-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3480-13497-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3480-13500-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3604-19671-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/3604-24778-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/3604-24779-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/3604-18650-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3604-19670-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/4200-10430-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4200-10429-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4600-5325-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4600-7368-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4600-4304-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4612-5324-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/4612-3259-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/5136-15576-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/5136-20691-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/5144-4285-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5192-20692-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/5340-15549-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/5340-14525-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5400-2297-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/5400-2298-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/5400-1065-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5400-1066-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/5400-1067-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/5428-4301-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/5428-6346-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/5428-6347-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/5428-4302-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/5512-1068-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5580-7369-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5580-13496-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5600-2108-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5600-2300-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5764-21714-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/5764-21715-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/5764-17627-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/5764-17626-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/5768-5326-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5768-11453-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/5768-6348-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/5800-13499-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/5800-13498-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/5800-8390-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/5800-8389-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/5980-3241-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/5980-4303-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/6320-23758-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6416-23757-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6416-18647-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/7652-13501-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/7652-16596-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/7652-14521-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/7652-14524-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/8160-21716-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/8932-11454-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download
memory/8932-10433-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/8932-11455-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download
memory/8932-15546-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download
memory/8932-15545-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download