9576a5aa8508db39e2d61740ef46ff21b62bbe4897da9334da3eac23710e9074

Analysis

max time kernel
6s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Size

15KB
MD5

8ce60396e9e958e90be9df02244e5245
SHA1

7b827400b2aa5b2f9fd870dd1f6d39a2cc26c828
SHA256

9576a5aa8508db39e2d61740ef46ff21b62bbe4897da9334da3eac23710e9074
SHA512

1bd870a0593d61a71d8b2bf680177f640a1157fb6e924c98aee1dd249ca48ddabf74f12fe5d463f577b58f83bdffbf7ab71ec9c10a3905c4ef86968c30189796
SSDEEP

384:I/76ysUerVvpQMXUMLv0hgTAJyer9CSBBW/1pps2zzg:DbrrBxRLshgMJPIz/1p+/

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4812	onjzalit.exe
4924	onjzalit.exe
5004	onjzalit.exe
1788	onjzalit.exe
396	onjzalit.exe
2508	onjzalit.exe
5888	onjzalit.exe
5984	onjzalit.exe

Loads dropped DLL 16 IoCs

pid	Process
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
4812	onjzalit.exe
4812	onjzalit.exe
4924	onjzalit.exe
4924	onjzalit.exe
5004	onjzalit.exe
5004	onjzalit.exe
1788	onjzalit.exe
1788	onjzalit.exe
396	onjzalit.exe
396	onjzalit.exe
2508	onjzalit.exe
2508	onjzalit.exe
5888	onjzalit.exe
5888	onjzalit.exe

Installs/modifies Browser Helper Object 2 TTPs 16 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}\ = "lijzdlit.dll"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C954872-1230-6541-9548-6541025884C4}	onjzalit.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File created	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File created	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	onjzalit.exe
File created	C:\Windows\SysWOW64\onjzalit.exe	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lijzdlit.dll	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\lijzdlit.dll	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\onjzalit.exe	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\gajzalit.sys	onjzalit.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onjzalit.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	onjzalit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ThreadingModel = "Apartment"	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32	onjzalit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C954872-1230-6541-9548-6541025884C4}\InprocServer32\ = "C:\\Windows\\SysWow64\\lijzdlit.dll"	onjzalit.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
4812	onjzalit.exe
4812	onjzalit.exe
4924	onjzalit.exe
4924	onjzalit.exe
5004	onjzalit.exe
5004	onjzalit.exe
1788	onjzalit.exe
1788	onjzalit.exe
396	onjzalit.exe
396	onjzalit.exe
2508	onjzalit.exe
2508	onjzalit.exe
5888	onjzalit.exe
5888	onjzalit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
Token: SeDebugPrivilege	4812	onjzalit.exe
Token: SeDebugPrivilege	4924	onjzalit.exe
Token: SeDebugPrivilege	5004	onjzalit.exe
Token: SeDebugPrivilege	1788	onjzalit.exe
Token: SeDebugPrivilege	396	onjzalit.exe
Token: SeDebugPrivilege	2508	onjzalit.exe
Token: SeDebugPrivilege	5888	onjzalit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2616	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2616	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2616	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2616	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	30
PID 3028 wrote to memory of 4812	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	32
PID 3028 wrote to memory of 4812	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	32
PID 3028 wrote to memory of 4812	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	32
PID 3028 wrote to memory of 4812	3028	8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe	32
PID 4812 wrote to memory of 4888	4812	onjzalit.exe	33
PID 4812 wrote to memory of 4888	4812	onjzalit.exe	33
PID 4812 wrote to memory of 4888	4812	onjzalit.exe	33
PID 4812 wrote to memory of 4888	4812	onjzalit.exe	33
PID 4812 wrote to memory of 4924	4812	onjzalit.exe	35
PID 4812 wrote to memory of 4924	4812	onjzalit.exe	35
PID 4812 wrote to memory of 4924	4812	onjzalit.exe	35
PID 4812 wrote to memory of 4924	4812	onjzalit.exe	35
PID 4924 wrote to memory of 4984	4924	onjzalit.exe	36
PID 4924 wrote to memory of 4984	4924	onjzalit.exe	36
PID 4924 wrote to memory of 4984	4924	onjzalit.exe	36
PID 4924 wrote to memory of 4984	4924	onjzalit.exe	36
PID 4924 wrote to memory of 5004	4924	onjzalit.exe	38
PID 4924 wrote to memory of 5004	4924	onjzalit.exe	38
PID 4924 wrote to memory of 5004	4924	onjzalit.exe	38
PID 4924 wrote to memory of 5004	4924	onjzalit.exe	38
PID 5004 wrote to memory of 5056	5004	onjzalit.exe	39
PID 5004 wrote to memory of 5056	5004	onjzalit.exe	39
PID 5004 wrote to memory of 5056	5004	onjzalit.exe	39
PID 5004 wrote to memory of 5056	5004	onjzalit.exe	39
PID 5004 wrote to memory of 1788	5004	onjzalit.exe	41
PID 5004 wrote to memory of 1788	5004	onjzalit.exe	41
PID 5004 wrote to memory of 1788	5004	onjzalit.exe	41
PID 5004 wrote to memory of 1788	5004	onjzalit.exe	41
PID 1788 wrote to memory of 972	1788	onjzalit.exe	42
PID 1788 wrote to memory of 972	1788	onjzalit.exe	42
PID 1788 wrote to memory of 972	1788	onjzalit.exe	42
PID 1788 wrote to memory of 972	1788	onjzalit.exe	42
PID 1788 wrote to memory of 396	1788	onjzalit.exe	44
PID 1788 wrote to memory of 396	1788	onjzalit.exe	44
PID 1788 wrote to memory of 396	1788	onjzalit.exe	44
PID 1788 wrote to memory of 396	1788	onjzalit.exe	44
PID 396 wrote to memory of 324	396	onjzalit.exe	45
PID 396 wrote to memory of 324	396	onjzalit.exe	45
PID 396 wrote to memory of 324	396	onjzalit.exe	45
PID 396 wrote to memory of 324	396	onjzalit.exe	45
PID 396 wrote to memory of 2508	396	onjzalit.exe	47
PID 396 wrote to memory of 2508	396	onjzalit.exe	47
PID 396 wrote to memory of 2508	396	onjzalit.exe	47
PID 396 wrote to memory of 2508	396	onjzalit.exe	47
PID 2508 wrote to memory of 2000	2508	onjzalit.exe	48
PID 2508 wrote to memory of 2000	2508	onjzalit.exe	48
PID 2508 wrote to memory of 2000	2508	onjzalit.exe	48
PID 2508 wrote to memory of 2000	2508	onjzalit.exe	48
PID 2508 wrote to memory of 5888	2508	onjzalit.exe	50
PID 2508 wrote to memory of 5888	2508	onjzalit.exe	50
PID 2508 wrote to memory of 5888	2508	onjzalit.exe	50
PID 2508 wrote to memory of 5888	2508	onjzalit.exe	50
PID 5888 wrote to memory of 5948	5888	onjzalit.exe	51
PID 5888 wrote to memory of 5948	5888	onjzalit.exe	51
PID 5888 wrote to memory of 5948	5888	onjzalit.exe	51
PID 5888 wrote to memory of 5948	5888	onjzalit.exe	51
PID 5888 wrote to memory of 5984	5888	onjzalit.exe	53
PID 5888 wrote to memory of 5984	5888	onjzalit.exe	53
PID 5888 wrote to memory of 5984	5888	onjzalit.exe	53
PID 5888 wrote to memory of 5984	5888	onjzalit.exe	53

C:\Users\Admin\AppData\Local\Temp\8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ce60396e9e958e90be9df02244e5245_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259419569.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\SysWOW64\onjzalit.exe
  C:\Windows\system32\onjzalit.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259419865.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\onjzalit.exe
    C:\Windows\system32\onjzalit.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259419897.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
  - - C:\Windows\SysWOW64\onjzalit.exe
      C:\Windows\system32\onjzalit.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259419928.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
    - - C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259422642.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:972
      - C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259423001.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259423438.bat
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259424467.bat
        9⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259425450.bat
        10⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        10⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259446105.bat
        11⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        11⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259447805.bat
        12⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        12⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259448039.bat
        13⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        13⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259448601.bat
        14⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        14⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259449162.bat
        15⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        15⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450223.bat
        16⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        16⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450395.bat
        17⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        17⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259452126.bat
        18⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        18⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455980.bat
        19⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        19⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259456557.bat
        20⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        20⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259458101.bat
        21⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        21⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259458694.bat
        22⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        22⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259462126.bat
        23⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        23⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259463078.bat
        24⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        24⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259463780.bat
        25⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        25⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464747.bat
        26⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        26⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259471923.bat
        27⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        27⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259477352.bat
        28⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        28⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259478865.bat
        29⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        29⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480643.bat
        30⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        30⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483015.bat
        31⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        31⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259485511.bat
        32⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        32⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259491563.bat
        33⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        33⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259498864.bat
        34⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        34⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259499083.bat
        35⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        35⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259499223.bat
        36⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        36⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259499504.bat
        37⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        37⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259500721.bat
        38⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        38⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259501735.bat
        39⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        39⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259501953.bat
        40⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        40⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259503887.bat
        41⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        41⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259506992.bat
        42⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        42⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259507897.bat
        43⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        43⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259520470.bat
        44⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        44⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259524308.bat
        45⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        45⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259525852.bat
        46⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        46⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259526476.bat
        47⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        47⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259527194.bat
        48⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        48⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259528723.bat
        49⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        49⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259529659.bat
        50⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        50⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259530018.bat
        51⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        51⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259541983.bat
        52⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        52⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259543543.bat
        53⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        53⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259544978.bat
        54⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        54⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259545618.bat
        55⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        55⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259546601.bat
        56⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        56⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259547537.bat
        57⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        57⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549019.bat
        58⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        58⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549565.bat
        59⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        59⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259551359.bat
        60⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        60⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259551858.bat
        61⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        61⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259553324.bat
        62⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        62⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259554135.bat
        63⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        63⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259558425.bat
        64⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\onjzalit.exe
        
        C:\Windows\system32\onjzalit.exe
        64⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259565945.bat
        65⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259561062.bat
        50⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259560890.bat
        49⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259560063.bat
        48⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259558535.bat
        47⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259557209.bat
        46⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259556397.bat
        45⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259555025.bat
        44⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259550766.bat
        43⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259538894.bat
        42⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259538208.bat
        41⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259535587.bat
        40⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259533980.bat
        39⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259533543.bat
        38⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259532248.bat
        37⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259529908.bat
        36⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259529924.bat
        35⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259529565.bat
        34⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259529362.bat
        33⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259521469.bat
        32⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259516539.bat
        31⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259514402.bat
        30⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259513279.bat
        29⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259509379.bat
        28⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259507429.bat
        27⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259502281.bat
        26⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259496867.bat
        25⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259496649.bat
        24⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259496899.bat
        23⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259496384.bat
        22⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259490815.bat
        21⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259490175.bat
        20⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259487492.bat
        19⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259486088.bat
        18⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483061.bat
        17⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480971.bat
        16⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480690.bat
        15⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480191.bat
        14⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480191.bat
        13⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259479801.bat
        12⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259478225.bat
        11⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259476556.bat
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455777.bat
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455262.bat
        8⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259454638.bat
        7⤵
        
        PID:3392
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259453874.bat
        6⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259453296.bat
        5⤵
        
        PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450660.bat
      4⤵
      PID:6664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450473.bat
    3⤵
    PID:6584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450629.bat
  2⤵
  PID:6620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259419569.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259450473.bat

Filesize
121B

MD5
7c7c61c185dbbb764871e7af2a0d755b

SHA1
b32b03dfba19f18985a5d05fa168fe8b66ce06c5

SHA256
b51a93ab96947ed2158285e40e3c1e14c3ae91adbf6e6185efe9f871183f345c

SHA512
86d43ea4eec88d53a96c9b24a6c60d94f12754501bbcafdbc6c6735ba0e32e90ac879bcb3f52e67dd5471244fd86e1441001eb8527031d49ce9d51d68b712cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259450629.bat

Filesize
225B

MD5
8cb5e6c2b6296a34f22e2c0102803fb5

SHA1
0bae7b84e381234a014af03664547eb2fbfb755a

SHA256
753625e2fe91cb55f9c247bcaede9abcde55d583bdd47c5dc941811415cb113a

SHA512
26e751f29ae9d71a13b64c8dff3fcd9a6a042f712738d12f6fd3750bd02fb8c67a83bfff2cd63d02ece22b02da73d770d013d157f143267dbbb987e0d8245612

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259480191.bat

Filesize
242B

MD5
50ca18fca845131800483ddda9a26674

SHA1
ea997a1280436d8382543863eecc87b101ae4fe3

SHA256
806b57c5f11a33dfe780b7018bb747f7825ebc5a4db07455cbebbabff1c8a21a

SHA512
a36ff12a8f92255ebb3c8e40a2d2fcaebd0f0048838250fa62b0c49bd09a52b324f4aadd9eb515be0e5081743a6f966d3bf593770ba38f375676a240e2321aa7

Download Submit
C:\Windows\SysWOW64\gajzalit.sys

Filesize
520B

MD5
4d4da8274ee83ce0389d85d6d49f1410

SHA1
084e2aafbed8296e70eb9002b33158ac339e15af

SHA256
056a1ad49830b0c8f614ebd9d71a31c6592e00a76c54a7a0087505f298fc37dd

SHA512
e39b1a606b2c57e77e02d47d6547832fba5f7cf3d0004c33e0f5fb37e8034b315a8ac1b7904e46ad55051dc4dcbde2140d2e9cd166e9e1f8eec5d22bbfc687a5

Download Submit
C:\Windows\SysWOW64\gajzalit.sys

Filesize
4KB

MD5
03cebd329c045b770baf98fb8a725a83

SHA1
168436cfce5b5adf6f61d9d16bcee0513b559e17

SHA256
f7c9639ee69b243b4eabeb822e4b73a0b8360390c47040508c228ce5eee491e8

SHA512
42059d88d111654451224d93f1f9dc530277a163eb33478fb87e66a4f8ddaa4b15c37f69ea9be4e53a4c048d1dc3f1f5f8bf43d159e6d82e54933051ddb4251f

Download Submit
C:\Windows\SysWOW64\lijzdlit.dll

Filesize
523KB

MD5
2eb52120ab95b2d757188f12821c1dfc

SHA1
53407f83e9f74d130e54b2c95b77f2f070e5bf6a

SHA256
a47862b389fc5320d377ef7a4315e9214a27d40372cad7e0361279cb02e8732a

SHA512
79fd057d9858b20f4de39606fbac194eb78e65c4b6cb20d104aa316ca92d539b30871512857e29d21aa136e131342788260b0e05f6393ddb57c6277edd061b10

Download Submit
C:\Windows\SysWOW64\lijzdlit.dll

Filesize
124KB

MD5
9a9afb5ba7cc219ecbe53bee0a9640ed

SHA1
047b29cae3b850f9ed8eca69adf233ddf106dc7e

SHA256
9da1f73c47a60e5c7c8a737a299a36136e99a7618094e437064c6b8bde35fa49

SHA512
ed71e9840246de9e8d41a77ec30ef28ba12ee2623965c64130d64a0d80c12a28f381d6b6ca187f434d8ff1934b91f8e718fe0a0ac89c7a37551f08a63dacfb32

Download Submit
C:\Windows\SysWOW64\lijzdlit.dll

Filesize
523KB

MD5
b91bf339f585a61fc9b04de619fd3d54

SHA1
c85e7f8022b994e5ac793ce612eac9761ef5cd01

SHA256
fa7409f5de49f4366d08865ec28e3554b93d939301c9aa45a7d9a295de11b2aa

SHA512
877c1a03f90b5e3015346e834e8d33b08eb6af095daa462b4eae861bafc52396d638b3e62a2bb9d7ddc5ea475652e86f4099099b1184b522819baab625c54d17

Download Submit
\Windows\SysWOW64\onjzalit.exe

Filesize
15KB

MD5
8ce60396e9e958e90be9df02244e5245

SHA1
7b827400b2aa5b2f9fd870dd1f6d39a2cc26c828

SHA256
9576a5aa8508db39e2d61740ef46ff21b62bbe4897da9334da3eac23710e9074

SHA512
1bd870a0593d61a71d8b2bf680177f640a1157fb6e924c98aee1dd249ca48ddabf74f12fe5d463f577b58f83bdffbf7ab71ec9c10a3905c4ef86968c30189796

Download Submit
memory/396-2109-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/396-4183-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/396-4184-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/396-2108-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/396-2103-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/588-14479-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/588-9392-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/588-10408-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/588-10409-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/588-14708-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/784-13463-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1788-2095-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1788-4181-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1788-2094-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2088-17551-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download
memory/2088-21686-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download
memory/2088-20665-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download
memory/2088-17554-0x0000000001F20000-0x0000000001F3A000-memory.dmp

Filesize
104KB

Download
memory/2468-24830-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/2508-3129-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2508-3130-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2508-4186-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2508-4187-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2508-3125-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2728-15499-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/2728-11428-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/2728-11427-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/2728-15498-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/2752-23804-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2752-23803-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2884-8370-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2884-12445-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2884-11429-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2984-12447-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2984-15502-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2984-15501-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2984-12446-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2988-16528-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/3028-3608-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3028-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3028-3151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3028-3607-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3028-1032-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3028-1033-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3108-21709-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/3108-18600-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/3804-23802-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/3804-19635-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/4652-7350-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/4652-4221-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/4652-4222-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/4652-7349-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/4748-5243-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4748-8371-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4812-1034-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4812-1048-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4812-3654-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4924-3743-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4924-1058-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4924-1319-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5004-4170-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5004-2081-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5380-7340-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/5380-11426-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/5380-11425-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/5380-7341-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/5492-23801-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/5492-23800-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/5724-24822-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/5888-3153-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/5888-3152-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/6024-4199-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6092-4210-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6092-7339-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6092-4209-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6092-7338-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6220-9391-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/6220-5256-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/6240-16526-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/6240-16527-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/6240-19637-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/6240-19636-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/6336-6294-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6336-5257-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/7540-25847-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/7540-25846-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/7908-18599-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/7908-15500-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/7952-21697-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/7952-24821-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/8272-20666-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/8272-23805-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/10148-17552-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/10148-14481-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/10148-14480-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/10148-17553-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download