a00f57c4391474f6e3e611cb5b33bda52b89d39567b8033f9ae5df24e8a41568

Analysis

max time kernel
3s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Size

16KB
MD5

3f927640d76646070a7b06e132614775
SHA1

190d60d255111a5af4e1d79146f08d3c1b779a7c
SHA256

a00f57c4391474f6e3e611cb5b33bda52b89d39567b8033f9ae5df24e8a41568
SHA512

d0b951b3b47c171f5d4b0ffaba527420ec18aa1b888cc6e0b4b7fc1330665810e6a6157c38b1c398294566d21eacb75b962aed95d851e87b3a263b4fb2c1de54
SSDEEP

384:IP76ysUerVAVw7otWU0De6GnIu9wzcceOeKDMIcjARx:fbrrCw8M3DKn+AcsKQjC

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
6204	lpsgajba.exe
6836	lpsgajba.exe
6832	lpsgajba.exe
2908	lpsgajba.exe
7532	lpsgajba.exe
6116	lpsgajba.exe
6712	lpsgajba.exe
2160	lpsgajba.exe
2456	lpsgajba.exe
6072	lpsgajba.exe

Installs/modifies Browser Helper Object 2 TTPs 20 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}\ = "apsgfjba.dll"	lpsgajba.exe

Drops file in System32 directory 55 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File created	C:\Windows\SysWOW64\lpsgajba.exe	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	lpsgajba.exe
File opened for modification	C:\Windows\SysWOW64\gpsgajba.sys	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lpsgajba.exe	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe
File created	C:\Windows\SysWOW64\apsgfjba.dll	lpsgajba.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ = "C:\\Windows\\SysWow64\\apsgfjba.dll"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32	lpsgajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD45A54-9875-698F-E56E-65102358FDF6}\InprocServer32\ThreadingModel = "Apartment"	lpsgajba.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
6204	lpsgajba.exe
6204	lpsgajba.exe
6836	lpsgajba.exe
6836	lpsgajba.exe
6832	lpsgajba.exe
6832	lpsgajba.exe
2908	lpsgajba.exe
2908	lpsgajba.exe
7532	lpsgajba.exe
7532	lpsgajba.exe
6116	lpsgajba.exe
6116	lpsgajba.exe
6712	lpsgajba.exe
6712	lpsgajba.exe
2160	lpsgajba.exe
2160	lpsgajba.exe
2456	lpsgajba.exe
2456	lpsgajba.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe
Token: SeDebugPrivilege	6204	lpsgajba.exe
Token: SeDebugPrivilege	6836	lpsgajba.exe
Token: SeDebugPrivilege	6832	lpsgajba.exe
Token: SeDebugPrivilege	2908	lpsgajba.exe
Token: SeDebugPrivilege	7532	lpsgajba.exe
Token: SeDebugPrivilege	6116	lpsgajba.exe
Token: SeDebugPrivilege	6712	lpsgajba.exe
Token: SeDebugPrivilege	2160	lpsgajba.exe
Token: SeDebugPrivilege	2456	lpsgajba.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2888	4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	83
PID 4412 wrote to memory of 2888	4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	83
PID 4412 wrote to memory of 2888	4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	83
PID 4412 wrote to memory of 6204	4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	85
PID 4412 wrote to memory of 6204	4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	85
PID 4412 wrote to memory of 6204	4412	3f927640d76646070a7b06e132614775_JaffaCakes118.exe	85
PID 6204 wrote to memory of 6252	6204	lpsgajba.exe	86
PID 6204 wrote to memory of 6252	6204	lpsgajba.exe	86
PID 6204 wrote to memory of 6252	6204	lpsgajba.exe	86
PID 6204 wrote to memory of 6836	6204	lpsgajba.exe	88
PID 6204 wrote to memory of 6836	6204	lpsgajba.exe	88
PID 6204 wrote to memory of 6836	6204	lpsgajba.exe	88
PID 6836 wrote to memory of 6308	6836	lpsgajba.exe	89
PID 6836 wrote to memory of 6308	6836	lpsgajba.exe	89
PID 6836 wrote to memory of 6308	6836	lpsgajba.exe	89
PID 6836 wrote to memory of 6832	6836	lpsgajba.exe	91
PID 6836 wrote to memory of 6832	6836	lpsgajba.exe	91
PID 6836 wrote to memory of 6832	6836	lpsgajba.exe	91
PID 6832 wrote to memory of 6760	6832	lpsgajba.exe	92
PID 6832 wrote to memory of 6760	6832	lpsgajba.exe	92
PID 6832 wrote to memory of 6760	6832	lpsgajba.exe	92
PID 6832 wrote to memory of 2908	6832	lpsgajba.exe	94
PID 6832 wrote to memory of 2908	6832	lpsgajba.exe	94
PID 6832 wrote to memory of 2908	6832	lpsgajba.exe	94
PID 2908 wrote to memory of 6268	2908	lpsgajba.exe	95
PID 2908 wrote to memory of 6268	2908	lpsgajba.exe	95
PID 2908 wrote to memory of 6268	2908	lpsgajba.exe	95
PID 2908 wrote to memory of 7532	2908	lpsgajba.exe	97
PID 2908 wrote to memory of 7532	2908	lpsgajba.exe	97
PID 2908 wrote to memory of 7532	2908	lpsgajba.exe	97
PID 7532 wrote to memory of 7608	7532	lpsgajba.exe	99
PID 7532 wrote to memory of 7608	7532	lpsgajba.exe	99
PID 7532 wrote to memory of 7608	7532	lpsgajba.exe	99
PID 7532 wrote to memory of 6116	7532	lpsgajba.exe	101
PID 7532 wrote to memory of 6116	7532	lpsgajba.exe	101
PID 7532 wrote to memory of 6116	7532	lpsgajba.exe	101
PID 6116 wrote to memory of 4688	6116	lpsgajba.exe	102
PID 6116 wrote to memory of 4688	6116	lpsgajba.exe	102
PID 6116 wrote to memory of 4688	6116	lpsgajba.exe	102
PID 6116 wrote to memory of 6712	6116	lpsgajba.exe	104
PID 6116 wrote to memory of 6712	6116	lpsgajba.exe	104
PID 6116 wrote to memory of 6712	6116	lpsgajba.exe	104
PID 6712 wrote to memory of 6736	6712	lpsgajba.exe	105
PID 6712 wrote to memory of 6736	6712	lpsgajba.exe	105
PID 6712 wrote to memory of 6736	6712	lpsgajba.exe	105
PID 6712 wrote to memory of 2160	6712	lpsgajba.exe	765
PID 6712 wrote to memory of 2160	6712	lpsgajba.exe	765
PID 6712 wrote to memory of 2160	6712	lpsgajba.exe	765
PID 2160 wrote to memory of 4032	2160	lpsgajba.exe	108
PID 2160 wrote to memory of 4032	2160	lpsgajba.exe	108
PID 2160 wrote to memory of 4032	2160	lpsgajba.exe	108
PID 2160 wrote to memory of 2456	2160	lpsgajba.exe	109
PID 2160 wrote to memory of 2456	2160	lpsgajba.exe	109
PID 2160 wrote to memory of 2456	2160	lpsgajba.exe	109
PID 2456 wrote to memory of 2616	2456	lpsgajba.exe	111
PID 2456 wrote to memory of 2616	2456	lpsgajba.exe	111
PID 2456 wrote to memory of 2616	2456	lpsgajba.exe	111
PID 2456 wrote to memory of 6072	2456	lpsgajba.exe	113
PID 2456 wrote to memory of 6072	2456	lpsgajba.exe	113
PID 2456 wrote to memory of 6072	2456	lpsgajba.exe	113
PID 6072 wrote to memory of 5980	6072	lpsgajba.exe	114
PID 6072 wrote to memory of 5980	6072	lpsgajba.exe	114
PID 6072 wrote to memory of 5980	6072	lpsgajba.exe	114

C:\Users\Admin\AppData\Local\Temp\3f927640d76646070a7b06e132614775_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f927640d76646070a7b06e132614775_JaffaCakes118.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240622187.bat
  2⤵
  PID:2888
- C:\Windows\SysWOW64\lpsgajba.exe
  C:\Windows\system32\lpsgajba.exe
  2⤵
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:6204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240622609.bat
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\lpsgajba.exe
    C:\Windows\system32\lpsgajba.exe
    3⤵
    - Executes dropped EXE
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240622953.bat
      4⤵
      PID:6308
  - - C:\Windows\SysWOW64\lpsgajba.exe
      C:\Windows\system32\lpsgajba.exe
      4⤵
      Executes dropped EXE
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:6832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240623281.bat
        5⤵
        
        PID:6760
    - - C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        5⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240623578.bat
        6⤵
        
        PID:6268
      - C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        6⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:7532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240623890.bat
        7⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        7⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240624218.bat
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        8⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240624562.bat
        9⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        9⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240624906.bat
        10⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        10⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240625187.bat
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240625578.bat
        12⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        12⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240625875.bat
        13⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        13⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240626234.bat
        14⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        14⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240626562.bat
        15⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        15⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240626937.bat
        16⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        16⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240627640.bat
        17⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        17⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240628640.bat
        18⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        18⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240628968.bat
        19⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        19⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240629187.bat
        20⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        20⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240629546.bat
        21⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        21⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240629890.bat
        22⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        22⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240630171.bat
        23⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        23⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240630437.bat
        24⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        24⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240630796.bat
        25⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        25⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240631078.bat
        26⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        26⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240631578.bat
        27⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        27⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240631906.bat
        28⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        28⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240632218.bat
        29⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        29⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240632562.bat
        30⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        30⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240632875.bat
        31⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        31⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240633250.bat
        32⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        32⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240633593.bat
        33⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        33⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240633906.bat
        34⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        34⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240634234.bat
        35⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        35⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240634562.bat
        36⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        36⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240634859.bat
        37⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        37⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240635125.bat
        38⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        38⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240635562.bat
        39⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        39⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240635906.bat
        40⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        40⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240636875.bat
        41⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        41⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240637265.bat
        42⤵
        
        PID:396
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        42⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240637609.bat
        43⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        43⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240637968.bat
        44⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        44⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240638203.bat
        45⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        45⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240638656.bat
        46⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        46⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240639078.bat
        47⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        47⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240639375.bat
        48⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        48⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240639703.bat
        49⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        49⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240640046.bat
        50⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        50⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240640515.bat
        51⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        51⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240640828.bat
        52⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        52⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240641140.bat
        53⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        53⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240641468.bat
        54⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        54⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240641765.bat
        55⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        55⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240642125.bat
        56⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        56⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240642406.bat
        57⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        57⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240642656.bat
        58⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        58⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240642968.bat
        59⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        59⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240643312.bat
        60⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        60⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240643640.bat
        61⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        61⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240643937.bat
        62⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        62⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240644250.bat
        63⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        63⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240644687.bat
        64⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        64⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240644953.bat
        65⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        65⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240645281.bat
        66⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        66⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240645625.bat
        67⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        67⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240645937.bat
        68⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        68⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240646171.bat
        69⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        69⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240646500.bat
        70⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        70⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240646812.bat
        71⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        71⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240647140.bat
        72⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        72⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240647515.bat
        73⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        73⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240647812.bat
        74⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        74⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240648156.bat
        75⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        75⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240648421.bat
        76⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        76⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240648750.bat
        77⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        77⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240649078.bat
        78⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        78⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240649484.bat
        79⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        79⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240649765.bat
        80⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        80⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240650062.bat
        81⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        81⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240650468.bat
        82⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        82⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240650734.bat
        83⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        83⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240651062.bat
        84⤵
        
        PID:14328
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        84⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240651375.bat
        85⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        85⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240651687.bat
        86⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        86⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240652031.bat
        87⤵
        
        PID:13924
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        87⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240652218.bat
        88⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        88⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240652546.bat
        89⤵
        
        PID:12360
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        89⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240652796.bat
        90⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        90⤵
        
        PID:12892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240653140.bat
        91⤵
        
        PID:14268
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        91⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240653578.bat
        92⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        92⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240653921.bat
        93⤵
        
        PID:13452
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        93⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240654234.bat
        94⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        94⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240654687.bat
        95⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        95⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240655125.bat
        96⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        96⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240655578.bat
        97⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        97⤵
        
        PID:11744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240656031.bat
        98⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        98⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240656468.bat
        99⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        99⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240656781.bat
        100⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        100⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240657125.bat
        101⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        101⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240657546.bat
        102⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        102⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240657906.bat
        103⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        103⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240658250.bat
        104⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        104⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240658703.bat
        105⤵
        
        PID:12468
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        105⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240659218.bat
        106⤵
        
        PID:776
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        106⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240659578.bat
        107⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        107⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240659875.bat
        108⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        108⤵
        
        PID:13504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240660437.bat
        109⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        109⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240660796.bat
        110⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        110⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240661234.bat
        111⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        111⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240661484.bat
        112⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        112⤵
        
        PID:15096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240661875.bat
        113⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        113⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240662218.bat
        114⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        114⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240662562.bat
        115⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        115⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240662921.bat
        116⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        116⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240663375.bat
        117⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        117⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240663703.bat
        118⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        118⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240664093.bat
        119⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        119⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240664515.bat
        120⤵
        
        PID:14428
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        120⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240664875.bat
        121⤵
        
        PID:15136
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        121⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240665437.bat
        122⤵
        
        PID:14888
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        122⤵
        
        PID:13728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240665828.bat
        123⤵
        
        PID:13968
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        123⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240666125.bat
        124⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        124⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240666468.bat
        125⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        125⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240666906.bat
        126⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        126⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240667296.bat
        127⤵
        
        PID:13732
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        127⤵
        
        PID:14688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240667671.bat
        128⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        128⤵
        
        PID:15384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240668015.bat
        129⤵
        
        PID:15444
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        129⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240668312.bat
        130⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        130⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240668906.bat
        131⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        131⤵
        
        PID:13956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240669281.bat
        132⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        132⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240669578.bat
        133⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        133⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240669890.bat
        134⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        134⤵
        
        PID:15644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240670203.bat
        135⤵
        
        PID:15788
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        135⤵
        
        PID:13572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240670609.bat
        136⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        136⤵
        
        PID:13448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240671046.bat
        137⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        137⤵
        
        PID:16292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240671343.bat
        138⤵
        
        PID:15544
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        138⤵
        
        PID:16220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240671734.bat
        139⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        139⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240672093.bat
        140⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        140⤵
        
        PID:16420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240672484.bat
        141⤵
        
        PID:16484
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        141⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240672812.bat
        142⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        142⤵
        
        PID:12364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240673062.bat
        143⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        143⤵
        
        PID:13764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240673562.bat
        144⤵
        
        PID:13364
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        144⤵
        
        PID:14988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240674015.bat
        145⤵
        
        PID:16496
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        145⤵
        
        PID:17112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240674593.bat
        146⤵
        
        PID:16984
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        146⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240674921.bat
        147⤵
        
        PID:16992
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        147⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240675312.bat
        148⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        148⤵
        
        PID:15852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240675703.bat
        149⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        149⤵
        
        PID:15576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240676093.bat
        150⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        150⤵
        
        PID:17136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240676390.bat
        151⤵
        
        PID:17300
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        151⤵
        
        PID:14628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240676781.bat
        152⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        152⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240677093.bat
        153⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        153⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240677593.bat
        154⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        154⤵
        
        PID:17540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240678078.bat
        155⤵
        
        PID:17640
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        155⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240678437.bat
        156⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        156⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240678781.bat
        157⤵
        
        PID:13528
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        157⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679187.bat
        158⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\lpsgajba.exe
        
        C:\Windows\system32\lpsgajba.exe
        158⤵
        
        PID:16912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679531.bat
        159⤵
        
        PID:14764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679734.bat
        158⤵
        
        PID:12612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679812.bat
        157⤵
        
        PID:16232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679875.bat
        156⤵
        
        PID:17796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679921.bat
        155⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679953.bat
        154⤵
        
        PID:17692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240680140.bat
        151⤵
        
        PID:15396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240680187.bat
        149⤵
        
        PID:17812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682343.bat
        148⤵
        
        PID:17476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682421.bat
        147⤵
        
        PID:17892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682468.bat
        146⤵
        
        PID:17980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682500.bat
        145⤵
        
        PID:18032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682562.bat
        144⤵
        
        PID:18072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682671.bat
        141⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682703.bat
        140⤵
        
        PID:13840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682859.bat
        139⤵
        
        PID:15460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682953.bat
        138⤵
        
        PID:15840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683000.bat
        137⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683031.bat
        136⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683078.bat
        135⤵
        
        PID:17124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683125.bat
        134⤵
        
        PID:15372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683265.bat
        132⤵
        
        PID:17096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683328.bat
        131⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683406.bat
        130⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683468.bat
        129⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683515.bat
        128⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683578.bat
        127⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683625.bat
        126⤵
        
        PID:14496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683703.bat
        125⤵
        
        PID:13760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683796.bat
        124⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683843.bat
        123⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683984.bat
        122⤵
        
        PID:17164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684093.bat
        120⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684171.bat
        119⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684234.bat
        118⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684281.bat
        117⤵
        
        PID:12344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684343.bat
        116⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684437.bat
        115⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684734.bat
        111⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684796.bat
        110⤵
        
        PID:18300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685000.bat
        109⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685078.bat
        108⤵
        
        PID:16736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685171.bat
        107⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685312.bat
        105⤵
        
        PID:15060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685343.bat
        104⤵
        
        PID:16564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685421.bat
        103⤵
        
        PID:18148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685468.bat
        102⤵
        
        PID:18196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685515.bat
        101⤵
        
        PID:18224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685546.bat
        100⤵
        
        PID:18240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685781.bat
        99⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685828.bat
        98⤵
        
        PID:17204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685875.bat
        97⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685921.bat
        96⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240685656.bat
        95⤵
        
        PID:18284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240684765.bat
        93⤵
        
        PID:16176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240683718.bat
        90⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682984.bat
        88⤵
        
        PID:16956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682890.bat
        87⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682859.bat
        85⤵
        
        PID:13352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682859.bat
        84⤵
        
        PID:16060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682890.bat
        83⤵
        
        PID:16676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682890.bat
        82⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682890.bat
        81⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240682343.bat
        79⤵
        
        PID:17460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240680015.bat
        78⤵
        
        PID:13516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679765.bat
        77⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240679125.bat
        75⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240678781.bat
        74⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240678468.bat
        73⤵
        
        PID:15800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240678062.bat
        72⤵
        
        PID:17624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240677765.bat
        71⤵
        
        PID:17532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240677578.bat
        70⤵
        
        PID:16508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240677265.bat
        69⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240677062.bat
        68⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240676484.bat
        67⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240676250.bat
        66⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240676046.bat
        65⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240675671.bat
        64⤵
        
        PID:17220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240675406.bat
        63⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240674906.bat
        62⤵
        
        PID:16680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240674578.bat
        61⤵
        
        PID:17008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240674187.bat
        60⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240674000.bat
        59⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240673593.bat
        58⤵
        
        PID:16300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240673296.bat
        57⤵
        
        PID:16276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240673000.bat
        56⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240672765.bat
        55⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240672437.bat
        54⤵
        
        PID:16464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240672093.bat
        53⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240671703.bat
        52⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240671359.bat
        51⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240671265.bat
        50⤵
        
        PID:16356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240670687.bat
        49⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240670328.bat
        48⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240670046.bat
        47⤵
        
        PID:15732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240669765.bat
        46⤵
        
        PID:15960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240669390.bat
        45⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240669031.bat
        44⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240668421.bat
        43⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240668390.bat
        42⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240667750.bat
        41⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240666953.bat
        40⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240666593.bat
        39⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240666218.bat
        38⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240665796.bat
        37⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240665390.bat
        36⤵
        
        PID:14792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240665359.bat
        35⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240664890.bat
        34⤵
        
        PID:13648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240664406.bat
        33⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240664343.bat
        32⤵
        
        PID:12940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240663734.bat
        31⤵
        
        PID:15240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240663656.bat
        30⤵
        
        PID:13616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240663140.bat
        29⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240662875.bat
        28⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240662484.bat
        27⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240662265.bat
        26⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240661812.bat
        25⤵
        
        PID:15140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240661421.bat
        24⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240661078.bat
        23⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240660812.bat
        22⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240660718.bat
        21⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240660359.bat
        20⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240659984.bat
        19⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240659578.bat
        18⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240659156.bat
        17⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240657921.bat
        16⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240657593.bat
        15⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240657171.bat
        14⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240656765.bat
        13⤵
        
        PID:13788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240656484.bat
        12⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240656000.bat
        11⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240655687.bat
        10⤵
        
        PID:14084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240655578.bat
        9⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240655140.bat
        8⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240655125.bat
        7⤵
        
        PID:11560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240654250.bat
        6⤵
        
        PID:12272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240654187.bat
        5⤵
        
        PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240653890.bat
      4⤵
      PID:13436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240653500.bat
    3⤵
    PID:10132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DFD240653171.bat
  2⤵
  PID:12992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD240622187.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD240654187.bat

Filesize
121B

MD5
f7475671906b2e843cbc88d6e47f6f78

SHA1
1a0a7c8de2a967b995ae700900eb1126f81815c1

SHA256
9bfef03ba36d0d6c25c42163ebabbd465757011b18b66be1fcf4c5576b1248e4

SHA512
30a261e5c3cb74a5f7ea84ddefa97bd65e6d9d6b9af01e9fc4c25cbef92597c8a1f39d55f51d3f0a054cbe18511029c6f8b07098665fb87ec677fc7f4a2843eb

Download Submit
C:\Windows\SysWOW64\apsgfjba.dll

Filesize
525KB

MD5
15ae13d4f551c4d827669a4dcef9f337

SHA1
515ca3e827cdbb9f4c7add71f8715852fb157397

SHA256
a8b6a866d4cd92bd2687351061d27e39ffa55ec586d9da9da4261454c214a53b

SHA512
496581224da129499ba1e9f9858597ae8ac8f0753cd842f98ff33161b11081a0c835fea7fdee3fec72846639068e3c81ab75d9fe6d6445f382b5a9f57a11e7b4

Download Submit
C:\Windows\SysWOW64\apsgfjba.dll

Filesize
154KB

MD5
090b254b2e1d2fcd4379374fe8aef3e6

SHA1
3ae9d4b489f47860ddad5883029ee3dbf186e73e

SHA256
2814e6ff315c78de948eccad0958bb09aa6ff8ed426f22b604acb949756b0e9c

SHA512
7f41f1d4cb926cf9f985a227d78d46ca9a4cbd8e06fd27b5a9d86b99ad1062d6215476b951cae8b22a15c321bb7af1faac302b996c6c43de30670066981b99a1

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
5KB

MD5
f36d6b48b9ca03a2bfbe1a9c5097b3ac

SHA1
11c21e1a4e194bff7965099272df3c9aa7954544

SHA256
2df7687ba642b1b67ef6d16be82d7305f06b41f7611acd3fe5fc7815c7470b7c

SHA512
ae420a5b208c3f8ce0bcb842902f2fd6ce8ad54e9ac8fc577dc07930cff46ab088943a5af84ce94c1f9bd97d8590eb48e4a3b8ee0adc9566d40f046ffdcc1fe9

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
1KB

MD5
cecd9fd3089cf8fad357fb93f14e8ce6

SHA1
6f864bfcd033210ed041fab3b1cba83802496489

SHA256
dbd8d306fab572d540c75644297ac838e0532e46242bd85b7fcf6cf241a6c57f

SHA512
0338a5a2297017815ef2a2a8b36a926301da8a181cb2a38e5836b966587baacb65bd8e038753a665d0ac03b153a7d858a07e79df458ac3c6fb516e665af7cd1a

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
6KB

MD5
0a39ea55aa15823b56d8cc289a1818fa

SHA1
4affeb44d18fca53e9a4c5003148321859ae4649

SHA256
f246bd114fef6dfaac57adad2ba2fb4bc0ec95417c205c3d46abcaa4f3dc9677

SHA512
21c0de477ffe7d9cb8974d374467054794cc3f25562487deff5d58b5f13e16d7f821b22b1bbc7df497e38b7200e4e9eb55fd5cfda877be1cea45d5c03558176a

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
6KB

MD5
30692e3e93ca309886115cea358f78b0

SHA1
13bd86ee5c5f47305ef57c159da5dae12fd91be7

SHA256
a326efd9bedc6b2dd5de62a536bcead3fff9e4bdbacd1c7cdaf677527b1e2aba

SHA512
9ada45beeea5ef747f7c36b04de4bcb848a67f6bcae24d20003c41a7fea4297a4b83db0130ef5d242740f72b10725a6e843bd41f33aa334988626cdce9f509a6

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
7KB

MD5
da3c4ceec8ce81e1da6bd97ba9b14fc9

SHA1
1dcb8d102468f1be6627901734b61e75f3466420

SHA256
45b003c28774fe97d9dd185e9283c49bbe412543333f64481f562c9c1259bda4

SHA512
6c2fd20d6cf14da93409fd6917daaa4fb06869d3629b8492fe79a08667d4a185537a705d66ba740c7fca63e45a0a2678dbb30d7774a729d791c1b9d2c216b4bf

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
7KB

MD5
14064904b67a9b783b44754b2e66818b

SHA1
b52e1574f33d5912f59f4e0cbf613e04fc1dedec

SHA256
0317d1740f31af92df7032aa8bddd10e26bd72529b56962e8597b6c5adb200f9

SHA512
3a8aec36b875ce76cd9adc0fbd34f9ef3b70015730261f65db66b78d922ee139f5729a6b6a3cd3d2fc7df8a079a08cba6067f6969200cd13c0444bd5fa8e988b

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
8KB

MD5
b2c410801c2f07dab902d9ad1116f140

SHA1
a89b04a798b2d617d2d8ab2ef10614c8f00b20fe

SHA256
5bf641c380828fe241d8a8350dcbdeb3c2fc5b5432fd465ee0bccdf4d92c738f

SHA512
7cf69b6bd2529e93d7459e23f99f7042402464d2f9126723a0931d407594f21d1752bb71290fe58e5adcd885a7e4287876fb54811c568724f69d3710d3a2bfa8

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
8KB

MD5
2833bbad6688ae7b714980aa319e18bd

SHA1
8b69794bf744bd95439f2c5be03e54dc59ef3284

SHA256
6374d3f84a61748b54fba92ee62de51e64e2dece412919a9816c1d6300d46e6f

SHA512
d80e5275d1deed760c2d4cbb4b03312246886cdbe3239b89ce74a4f083726b115fed79a609365bc310429e5f25c8edcc9ca196a1b43f6ecd24ea5be4b4293f57

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
1KB

MD5
9277e35b9f928d0c5a090166aff4c15c

SHA1
e483754979050747e8c288d60f7a2129db5ef5d1

SHA256
13a5c11ff7cb2f0ff6677e6d9bca9ff5ba9d44e378b9ff5d1bf9fac1d6dbb749

SHA512
dec63021b72922ac4ef2e5899c1b939eb168da6c3c56f042112202ba3dc8b9948de00b58dcc0a39019b78cf2eec459f2439c857416258dd44d795a469096f379

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
2KB

MD5
300b26dd8ffb5f47dff2a5fe003c7f12

SHA1
7dd948894c3ef11b4d5897f173fd4e9aba4ecc04

SHA256
09d518664c66d9486a96aa2378fc459e2bc45a269b1db02d6929d2f44adc59e5

SHA512
b62f984626b1f2438691fc3d4e80b73bb5380079c99319224d555cf96d812ea08d1e4d4ece86f59ba50721cf9bf7585ae24d33adbb8efa3d68306c260c474cf5

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
2KB

MD5
ffbac150027e090c6259796d93afddfa

SHA1
5651178a4509d267765e5cb0883cb4d0a886071f

SHA256
84bd7f9e368fb833b662389f6558091f708887b0e126d6868f90819ad00ca0c2

SHA512
a55d37839c14c11206636e3879e75edc0e98aa251335803bddb53eb81df0ca9e5378576e519f9665776ceedc0e66170e451332bfc248baba6d0f72d8cce02883

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
3KB

MD5
13a3517edf6e13fae80533b554f09373

SHA1
306bd2529e3c3f1f4b1446b150f7fad133bfd698

SHA256
c9deb90d85d692241d64ba86472db69a0419ae0324103f782f0610b380943a3c

SHA512
0173d7ccee005cc94e5164a8a50a0eda4743ca70a62a70246d8b22d7ea2390f45ce3ff15f16940ebf2e6b646827b7c165e9a11c51a9063bc607bfa60afd7ad33

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
3KB

MD5
8c153e7c0fe6b0f4cf5a4252e3415376

SHA1
3d911302be44282e060b54d085297273ca026ba3

SHA256
fed00c866f73afaf3df18f8c68726cb852f1af4bb768261f1ceb2f5413a31510

SHA512
c02bfb6ae8dde2927da017cbb7cefa4f554e60daea160702db9faf7c161b1ee24283bb8585487155ca691f8a3b09a417b5fe3c6c20fac89a8e0490c296eacd26

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
4KB

MD5
a3bc76cbae15cb3a1134139c9adc2f37

SHA1
a7606007eab97a710370e3574a3f3b4e570a806f

SHA256
b1d480be04be3cc8cf6fdc09f6fac61672d68121d59308cd675e53e3bf442863

SHA512
4a1b9d617a5bed0ab7a3af95d0b4cd13a616c80b8655097e353b716f1ad7e0dd4d4baeb7f5fe4b0a198a81750eedce1a3233b3525a2b77551b15e635382a2831

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
4KB

MD5
98616fb7d908b82696caf46399842007

SHA1
0c696a7086528ea3718cfab30f07cd9f3795f1a6

SHA256
3aa17d97ef8008bded79dbfaf75147785f5e0b25f5db1f9a0f5e7bcd05e0f2a2

SHA512
4cd80d89449735998cbe83ac9bb4485afa9133b7c364efb98fb866285aa74b0fe2001731f9969391e277646e291b8ecaea09e3f09d9ce3be8b8235646f7dbea6

Download Submit
C:\Windows\SysWOW64\gpsgajba.sys

Filesize
5KB

MD5
f1b646b10ba523bf9f3505466b4badd0

SHA1
d6d840ef469595c956d85ba47493dc3c61a6d7b1

SHA256
0b18a67de32b7b1ea825c76b648bd5922de9bb6920a97c91a0f62c0375c7f928

SHA512
c02d5e3e152c6aeade757e5ca54b534075a7b79e9a475af3e265e858c4d16fb994e867f92c301e06588cbfb1cf32d111ca3c91d659bcbca1de1de7401129b3de

Download Submit
C:\Windows\SysWOW64\lpsgajba.exe

Filesize
16KB

MD5
3f927640d76646070a7b06e132614775

SHA1
190d60d255111a5af4e1d79146f08d3c1b779a7c

SHA256
a00f57c4391474f6e3e611cb5b33bda52b89d39567b8033f9ae5df24e8a41568

SHA512
d0b951b3b47c171f5d4b0ffaba527420ec18aa1b888cc6e0b4b7fc1330665810e6a6157c38b1c398294566d21eacb75b962aed95d851e87b3a263b4fb2c1de54

Download Submit
memory/4412-10186-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4412-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5956-93371-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/6204-1023-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/6832-3060-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/6836-2087-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/11568-70040-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/16676-160254-0x0000000000330000-0x000000000038A000-memory.dmp

Filesize
360KB

Download
memory/17692-160197-0x00007FF92C750000-0x00007FF92C7D3000-memory.dmp

Filesize
524KB

Download