59e0d867b86061445e269a2099ed3b09dd9b8f471ba5a77bacafc230e126ab4a

Analysis

max time kernel
3s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Size

15KB
MD5

6786f6f4461107902a9d6ebb8d672755
SHA1

b02b24e92eac765edd77208ca414648024439b37
SHA256

59e0d867b86061445e269a2099ed3b09dd9b8f471ba5a77bacafc230e126ab4a
SHA512

19c76f8bb090bfff7922bc5c1eb9224a3d17762325a606ab12aa07ab63a6a6efeee9312f80ea65f8faa0cbd06299c8aa20fcbe6365667ab195c5fbf6760ec6ac
SSDEEP

384:ISV76FphKbSjIUznK4lFuhA9en0zQgkOeVnDny:rAPS/f4vZHQDM

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
5516	lkssaplo.exe
5644	lkssaplo.exe
5756	lkssaplo.exe
5856	lkssaplo.exe
5964	lkssaplo.exe
6060	lkssaplo.exe

Loads dropped DLL 12 IoCs

pid	Process
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
5516	lkssaplo.exe
5516	lkssaplo.exe
5644	lkssaplo.exe
5644	lkssaplo.exe
5756	lkssaplo.exe
5756	lkssaplo.exe
5856	lkssaplo.exe
5856	lkssaplo.exe
5964	lkssaplo.exe
5964	lkssaplo.exe

Installs/modifies Browser Helper Object 2 TTPs 14 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}\ = "lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}\ = "lassaplo.dll"	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}\ = "lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}\ = "lassaplo.dll"	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}\ = "lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}\ = "lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}\ = "lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lassaplo.dll	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lkssaplo.exe	lkssaplo.exe
File created	C:\Windows\SysWOW64\lkssaplo.exe	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lassaplo.dll	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lkssaplo.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lkssaplo.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\fassaplo.sys	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lassaplo.dll	lkssaplo.exe
File created	C:\Windows\SysWOW64\lassaplo.dll	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fassaplo.sys	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\fassaplo.sys	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\fassaplo.sys	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lkssaplo.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lkssaplo.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lkssaplo.exe	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lassaplo.dll	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\fassaplo.sys	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lassaplo.dll	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lkssaplo.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lassaplo.dll	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\lassaplo.dll	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\fassaplo.sys	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lkssaplo.exe
File opened for modification	C:\Windows\SysWOW64\fassaplo.sys	lkssaplo.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\lassaplo.dll"	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\lassaplo.dll"	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\lassaplo.dll"	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ThreadingModel = "Apartment"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ThreadingModel = "Apartment"	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ThreadingModel = "Apartment"	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ThreadingModel = "Apartment"	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ThreadingModel = "Apartment"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\lassaplo.dll"	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32	lkssaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ThreadingModel = "Apartment"	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\lassaplo.dll"	lkssaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B69874A-C58C-458D-69F0-698F874E41B2}\InprocServer32\ThreadingModel = "Apartment"	lkssaplo.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
5516	lkssaplo.exe
5644	lkssaplo.exe
5756	lkssaplo.exe
5856	lkssaplo.exe
5964	lkssaplo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
Token: SeDebugPrivilege	5516	lkssaplo.exe
Token: SeDebugPrivilege	5644	lkssaplo.exe
Token: SeDebugPrivilege	5756	lkssaplo.exe
Token: SeDebugPrivilege	5856	lkssaplo.exe
Token: SeDebugPrivilege	5964	lkssaplo.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1968	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1968	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1968	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1968	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	30
PID 2396 wrote to memory of 5516	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	32
PID 2396 wrote to memory of 5516	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	32
PID 2396 wrote to memory of 5516	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	32
PID 2396 wrote to memory of 5516	2396	6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe	32
PID 5516 wrote to memory of 5592	5516	lkssaplo.exe	33
PID 5516 wrote to memory of 5592	5516	lkssaplo.exe	33
PID 5516 wrote to memory of 5592	5516	lkssaplo.exe	33
PID 5516 wrote to memory of 5592	5516	lkssaplo.exe	33
PID 5516 wrote to memory of 5644	5516	lkssaplo.exe	35
PID 5516 wrote to memory of 5644	5516	lkssaplo.exe	35
PID 5516 wrote to memory of 5644	5516	lkssaplo.exe	35
PID 5516 wrote to memory of 5644	5516	lkssaplo.exe	35
PID 5644 wrote to memory of 5700	5644	lkssaplo.exe	36
PID 5644 wrote to memory of 5700	5644	lkssaplo.exe	36
PID 5644 wrote to memory of 5700	5644	lkssaplo.exe	36
PID 5644 wrote to memory of 5700	5644	lkssaplo.exe	36
PID 5644 wrote to memory of 5756	5644	lkssaplo.exe	38
PID 5644 wrote to memory of 5756	5644	lkssaplo.exe	38
PID 5644 wrote to memory of 5756	5644	lkssaplo.exe	38
PID 5644 wrote to memory of 5756	5644	lkssaplo.exe	38
PID 5756 wrote to memory of 5816	5756	lkssaplo.exe	39
PID 5756 wrote to memory of 5816	5756	lkssaplo.exe	39
PID 5756 wrote to memory of 5816	5756	lkssaplo.exe	39
PID 5756 wrote to memory of 5816	5756	lkssaplo.exe	39
PID 5756 wrote to memory of 5856	5756	lkssaplo.exe	41
PID 5756 wrote to memory of 5856	5756	lkssaplo.exe	41
PID 5756 wrote to memory of 5856	5756	lkssaplo.exe	41
PID 5756 wrote to memory of 5856	5756	lkssaplo.exe	41
PID 5856 wrote to memory of 5904	5856	lkssaplo.exe	42
PID 5856 wrote to memory of 5904	5856	lkssaplo.exe	42
PID 5856 wrote to memory of 5904	5856	lkssaplo.exe	42
PID 5856 wrote to memory of 5904	5856	lkssaplo.exe	42
PID 5856 wrote to memory of 5964	5856	lkssaplo.exe	44
PID 5856 wrote to memory of 5964	5856	lkssaplo.exe	44
PID 5856 wrote to memory of 5964	5856	lkssaplo.exe	44
PID 5856 wrote to memory of 5964	5856	lkssaplo.exe	44
PID 5964 wrote to memory of 6016	5964	lkssaplo.exe	45
PID 5964 wrote to memory of 6016	5964	lkssaplo.exe	45
PID 5964 wrote to memory of 6016	5964	lkssaplo.exe	45
PID 5964 wrote to memory of 6016	5964	lkssaplo.exe	45
PID 5964 wrote to memory of 6060	5964	lkssaplo.exe	47
PID 5964 wrote to memory of 6060	5964	lkssaplo.exe	47
PID 5964 wrote to memory of 6060	5964	lkssaplo.exe	47
PID 5964 wrote to memory of 6060	5964	lkssaplo.exe	47
PID 6060 wrote to memory of 6116	6060	lkssaplo.exe	48
PID 6060 wrote to memory of 6116	6060	lkssaplo.exe	48
PID 6060 wrote to memory of 6116	6060	lkssaplo.exe	48
PID 6060 wrote to memory of 6116	6060	lkssaplo.exe	48

C:\Users\Admin\AppData\Local\Temp\6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6786f6f4461107902a9d6ebb8d672755_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259440691.bat
  2⤵
  PID:1968
- C:\Windows\SysWOW64\lkssaplo.exe
  C:\Windows\system32\lkssaplo.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441144.bat
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\lkssaplo.exe
    C:\Windows\system32\lkssaplo.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441175.bat
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\lkssaplo.exe
      C:\Windows\system32\lkssaplo.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5756
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441269.bat
        5⤵
        
        PID:5816
    - - C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5856
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441331.bat
        6⤵
        
        PID:5904
      - C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441425.bat
        7⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        7⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441518.bat
        8⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        8⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259446666.bat
        9⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        9⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259460394.bat
        10⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        10⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259495807.bat
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        11⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259500736.bat
        12⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        12⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259501797.bat
        13⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        13⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259503997.bat
        14⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        14⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259524417.bat
        15⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        15⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259525962.bat
        16⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        16⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259528005.bat
        17⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        17⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259538442.bat
        18⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        18⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259538956.bat
        19⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        19⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259540501.bat
        20⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        20⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259541562.bat
        21⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        21⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259542888.bat
        22⤵
        
        PID:924
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        22⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259543309.bat
        23⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        23⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259543621.bat
        24⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        24⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259544448.bat
        25⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        25⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259544885.bat
        26⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        26⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259550407.bat
        27⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        27⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259552544.bat
        28⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        28⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259554354.bat
        29⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        29⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259562357.bat
        30⤵
        
        PID:960
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        30⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259564088.bat
        31⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        31⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259564697.bat
        32⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\lkssaplo.exe
        
        C:\Windows\system32\lkssaplo.exe
        32⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259590343.bat
        33⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259586272.bat
        27⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259584384.bat
        26⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259578035.bat
        25⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259578940.bat
        24⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259576163.bat
        23⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259575118.bat
        22⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259574821.bat
        21⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259573339.bat
        20⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259571966.bat
        19⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259569782.bat
        18⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259568628.bat
        17⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259560781.bat
        16⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259556959.bat
        15⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259554401.bat
        14⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259537958.bat
        13⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531219.bat
        11⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259527428.bat
        10⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259491236.bat
        9⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259477133.bat
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259477398.bat
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259476322.bat
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259471829.bat
        5⤵
        
        PID:5896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259471736.bat
      4⤵
      PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259471704.bat
    3⤵
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259471845.bat
  2⤵
  PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259440691.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259471736.bat

Filesize
121B

MD5
fc4087a4c92c2259f567dfb94acef8f0

SHA1
6ec967393aa9b473e42bbade82fef92beec32210

SHA256
7e7f532c19fb1a4c377f245ad6ab781c961d9a75c755e3b632c0ed1f91c2ffa5

SHA512
fda573b5fbd11dee11b4ea889901868194ebcba7ab008f15d8dcebad3c9dd40296b91582ecbf92ad3a5991f4b77cfd7779b0875194ec3791e8bbde26261efb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259471845.bat

Filesize
225B

MD5
60d5c37b64b4cf9ad74674dba459e139

SHA1
b88553766b21eda3a30cc108480b5488d6acc6d0

SHA256
95735183260e1aa1552b4569464a266f7b8b834aab71f19d3d360015bca92caa

SHA512
2c16b578fa5c2baf62947bed418c8ff26601990cbc88fb9637f36313aad163b78356d40fa87d06ef4e94c3595865446595bfdca44d1817b718370ecf9bf6624f

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
1KB

MD5
a1b08127613ecad800ae8cc939a37769

SHA1
71ffa34a59de3ac65c46c15ecb713bb7a20194cf

SHA256
a4358877a2df3fa7989799a2255d2707658e1368ad9b625f955806e72371cfff

SHA512
c60bd01017b0ba0eb0e5cf10f0b01a6b14a40c19c2e4f48d444dd99fd4d73737458351f8e3a02becc782ed5769738a2b1171f3d746e44c1ac898e7b078377a81

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
1KB

MD5
fb55d5e1379d8d96c4477121db7519e4

SHA1
706a981b45cbc13a0dee26b30bb54bc7ee1d7b62

SHA256
3598aa3a751b2f12492ef3e27c9fcb8a598bef27edb41ffd50a64ef0985e090a

SHA512
b82dba1191b5375ed465792246e0199f53cb0fc0d8898e6737edb015e3630c3f7509f0173f45e0d3440f517da15a8c20a3330f95d67b35b72b828ed9d2f3300f

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
2KB

MD5
7340df01e3fa891ed74ecff3464b35cf

SHA1
3197d6b64d8983a83ce1e28315da1e5dc700ae45

SHA256
58be9f21795b41e04f75ea35d0f8ed3cdb2c8ce910297646d0573b3b9f293fa2

SHA512
4a0360a6a99d4982cddd851b6d9f00ba8d19c70602dd1667e02f694e45286f1cc3535ba82102797e7a70b7baf747a392aafbe6453e7ec70250804f136c970742

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
2KB

MD5
2dcd55876f6b92ddfa910ed8b258c556

SHA1
11622f7955082538a9590685ecb0bb024ebddcca

SHA256
206b7ba15260115f8fb9ff4329480c1f4b4a233e57c0f7913c93430335091dec

SHA512
104297e997c62e21bc1b64020a0384f7aa3c56dde88cb16cc5f306592bd34fe27c42147a361ffcb9bfa04f730bb27131a0c6a0d07ac9a214c32979179f4d856e

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
3KB

MD5
e331c167685941e6a5d16408a238976e

SHA1
6d9bd66c274bf8380fcb1e488ca09196299e072b

SHA256
2ebce58b5c0e6a7c2ee39f79d38adf8c7a979c52f01aacb7c9636c20881d5720

SHA512
7d492119d62a90a9715cc1f3e885e0a313ec61acf5a7c9aca1e806f96983862a66ae27ef6ffae6e6bd4e17fc6e03a8abc624e1fc87e66d1ff218244561003a43

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
3KB

MD5
298c7d1774c24969659cec6ca51f29f3

SHA1
bbb6e4a600d91c2b710b0256addd77e39c43912d

SHA256
f32d6c4685982d6c0673f4d7750d640012420b30a838b4bc1f31a32902c9addd

SHA512
fb1743edfca9f06c26e00f2f61cc41b519a7b4284585990b51180e05336605d8ff1c32871ea596192dbd42b940e3d994b1664a136ff4e498cecea5f102638231

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
4KB

MD5
ab5e6ca4e454a134817b629f719954b9

SHA1
02a08bc0bb1d39812b02af3fe0cba8f8a64e0ebb

SHA256
9bf41cbbda8953ac885551b3104154ac0959c2083f8ada0c91eb1503f3023fd1

SHA512
66322c5be7bad9de270241476225d69f0c9c2b15c2e910c19ab26256c0bd38a7c77075598490a70869478291cece936075e16ad6c415b0bf851df5313b251e2d

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
4KB

MD5
261f6462f7011a0774f36601dd4495d8

SHA1
c22dc53f71d7253df3e7a63c06556e618137af28

SHA256
9a581a37153ceb5892fd04b83bbc44ba6a44522882ddb383bfb47ea8a7a3cb8d

SHA512
86c20547e2b23fdb68577d0db4fd5e3fbfd30414adacf5ce57831d80f4022461580941afaae4cedc52e6abf6c7a3a105c2e11b8d1246d86f8d73099eeeb04106

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
5KB

MD5
69f8289f90c83d5b037509b3f0af42ae

SHA1
f9e957a46ca1ac5eee67b61b92951e5dcb1f7c6d

SHA256
5157016b988d9a17da0ec32748726308bf9b1c472430af5589cef46c6356f0eb

SHA512
3c5c082944c8969667ea04b5ae2f8be72847b8b0f6817494b3dea384c8ebcec1575f3e7d4edf8b979fda9d22ccafaa77e842383c4a0e87aa4eb75721efb4df20

Download Submit
C:\Windows\SysWOW64\fassaplo.sys

Filesize
5KB

MD5
138fd34077decf194fa79310219c4a74

SHA1
e7d867731718dbb840b49fb19f0107dcd4d16607

SHA256
9025a3025ca401c0756fc0b6bc0748f259c6e8251c33f51cb70a38ed6aa6d2d4

SHA512
42eca53983472bcb1fa9c0f0ed6a296330a8d1f29160244cea8f6002a371cfea8373269983d4131e24bad8f93f64c165e6ae30971ac25338eb08eb8d22e3c44a

Download Submit
C:\Windows\SysWOW64\lassaplo.dll

Filesize
522KB

MD5
aa8abe1ac807b0b0665a525dfebbe057

SHA1
e7f0f700e48f34361bb7ca3a27e3bd4374bcd5f6

SHA256
6831ce10f1f6d6269038dd78c05bc2e96c0bb90835bf7edbb2991141a7f227c3

SHA512
b94ae886d4a90233b6c84c581eb6e2eb3a379b236dafd1a4a21a23ccd2852f7ff4e7ff14572f4814f62b6b26bf6ebcaf37fbe4d99ba4df4e132f91f221392da1

Download Submit
C:\Windows\SysWOW64\lkssaplo.exe

Filesize
15KB

MD5
6786f6f4461107902a9d6ebb8d672755

SHA1
b02b24e92eac765edd77208ca414648024439b37

SHA256
59e0d867b86061445e269a2099ed3b09dd9b8f471ba5a77bacafc230e126ab4a

SHA512
19c76f8bb090bfff7922bc5c1eb9224a3d17762325a606ab12aa07ab63a6a6efeee9312f80ea65f8faa0cbd06299c8aa20fcbe6365667ab195c5fbf6760ec6ac

Download Submit
memory/1220-13595-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1220-17701-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2344-2274-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2344-2272-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2344-3339-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2396-1031-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2396-1032-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2396-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2396-2165-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2396-2164-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2424-3360-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2424-3359-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2424-9505-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2424-9504-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2920-11545-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/2920-16677-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/3020-2292-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3020-3361-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3020-2276-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3112-3312-0x0000000000420000-0x0000000000439000-memory.dmp

Filesize
100KB

Download
memory/3112-4393-0x0000000000420000-0x0000000000439000-memory.dmp

Filesize
100KB

Download
memory/3112-4392-0x0000000000420000-0x0000000000439000-memory.dmp

Filesize
100KB

Download
memory/3356-9502-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3356-9503-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3356-13594-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3356-13593-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3356-8482-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3560-2163-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4224-13592-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4224-8481-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4224-8480-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4224-13591-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4732-7850-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4732-12569-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4732-7849-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4732-12570-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4884-19746-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5040-11544-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5040-4394-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5504-8479-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/5504-3340-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/5516-2175-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/5516-2176-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/5516-1064-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/5516-1033-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5516-1065-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/5644-1066-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5756-1099-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5756-2181-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5756-2182-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5756-1100-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5856-1103-0x00000000002F0000-0x0000000000309000-memory.dmp

Filesize
100KB

Download
memory/5964-1135-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5964-1134-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/6060-2159-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6060-2160-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6088-3334-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/6088-3335-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/6088-2266-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/6088-2265-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/6184-11547-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/6184-11546-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/6184-5417-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/6184-5416-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/6448-17697-0x0000000000310000-0x0000000000329000-memory.dmp

Filesize
100KB

Download
memory/6448-19808-0x0000000000310000-0x0000000000329000-memory.dmp

Filesize
100KB

Download
memory/6448-19825-0x0000000000310000-0x0000000000329000-memory.dmp

Filesize
100KB

Download
memory/6448-17699-0x0000000000310000-0x0000000000329000-memory.dmp

Filesize
100KB

Download
memory/6676-14615-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/6676-18721-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/6768-6438-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6768-12567-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6768-6437-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6768-12568-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6852-19842-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/6852-17700-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6852-18722-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/7136-17698-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/7136-12571-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/7140-5415-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/7140-3332-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/7140-3333-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/7140-5414-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download