5d02a6ea1442f7ff05ccb7ec9f3861eba70ccf904579b4f0bbe611b2b9f887e8

Analysis

max time kernel
126s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe
Size

19KB
MD5

4456f0494e71973e04c9f1f112a1a163
SHA1

b95b4e188b08050ada53adca43fd25e0e30f9826
SHA256

5d02a6ea1442f7ff05ccb7ec9f3861eba70ccf904579b4f0bbe611b2b9f887e8
SHA512

550c0653eb727bdf02e4c4a6fac493380e15ae49364a9104aa32d79003462bb045df83d9c3bda01c504e6446903f67c6c2a0f4d882395e45acbf594355f5e5d1
SSDEEP

384:ZkyUZvppfbDWNKDL4YV+g3/TITcUs6VUpopnSS6vZuwfEB/fN:3UN/34bYV+qIBWormZvonN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlke.exe

Executes dropped EXE 64 IoCs

pid	Process
1960	agetlke.exe
3712	agetlke.exe
3568	agetlke.exe
448	agetlke.exe
872	agetlke.exe
2820	agetlke.exe
3704	agetlke.exe
3872	agetlke.exe
1300	agetlke.exe
2088	agetlke.exe
636	agetlke.exe
1548	agetlke.exe
3772	agetlke.exe
4408	agetlke.exe
1380	agetlke.exe
1456	agetlke.exe
2400	agetlke.exe
3516	agetlke.exe
3124	agetlke.exe
1868	agetlke.exe
4492	agetlke.exe
4784	agetlke.exe
4180	agetlke.exe
1564	agetlke.exe
2488	agetlke.exe
996	agetlke.exe
2320	agetlke.exe
1376	agetlke.exe
3376	agetlke.exe
4068	agetlke.exe
1300	agetlke.exe
3700	agetlke.exe
4904	agetlke.exe
1292	agetlke.exe
2916	agetlke.exe
1380	agetlke.exe
4968	agetlke.exe
2580	agetlke.exe
2420	agetlke.exe
4072	agetlke.exe
3712	agetlke.exe
3736	agetlke.exe
2016	agetlke.exe
3848	agetlke.exe
208	agetlke.exe
628	agetlke.exe
3784	agetlke.exe
2932	agetlke.exe
1840	agetlke.exe
3796	agetlke.exe
2012	agetlke.exe
2444	agetlke.exe
5044	agetlke.exe
1292	agetlke.exe
4224	agetlke.exe
4292	agetlke.exe
3908	agetlke.exe
2008	agetlke.exe
5100	agetlke.exe
4152	agetlke.exe
4972	agetlke.exe
4404	agetlke.exe
872	agetlke.exe
5024	agetlke.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe
File created	C:\Windows\SysWOW64\agetlke.exe	agetlke.exe
File opened for modification	C:\Windows\SysWOW64\temp1.jpg	agetlke.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlke.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3352	4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe
3352	4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe
1960	agetlke.exe
1960	agetlke.exe
3712	agetlke.exe
3712	agetlke.exe
3568	agetlke.exe
3568	agetlke.exe
448	agetlke.exe
448	agetlke.exe
872	agetlke.exe
872	agetlke.exe
2820	agetlke.exe
2820	agetlke.exe
3704	agetlke.exe
3704	agetlke.exe
3872	agetlke.exe
3872	agetlke.exe
1300	agetlke.exe
1300	agetlke.exe
2088	agetlke.exe
2088	agetlke.exe
636	agetlke.exe
636	agetlke.exe
1548	agetlke.exe
1548	agetlke.exe
3772	agetlke.exe
3772	agetlke.exe
4408	agetlke.exe
4408	agetlke.exe
1380	agetlke.exe
1380	agetlke.exe
1456	agetlke.exe
1456	agetlke.exe
2400	agetlke.exe
2400	agetlke.exe
3516	agetlke.exe
3516	agetlke.exe
3124	agetlke.exe
3124	agetlke.exe
1868	agetlke.exe
1868	agetlke.exe
4492	agetlke.exe
4492	agetlke.exe
4784	agetlke.exe
4784	agetlke.exe
4180	agetlke.exe
4180	agetlke.exe
1564	agetlke.exe
1564	agetlke.exe
2488	agetlke.exe
2488	agetlke.exe
996	agetlke.exe
996	agetlke.exe
2320	agetlke.exe
2320	agetlke.exe
1376	agetlke.exe
1376	agetlke.exe
3376	agetlke.exe
3376	agetlke.exe
4068	agetlke.exe
4068	agetlke.exe
1300	agetlke.exe
1300	agetlke.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1960	3352	4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe	86
PID 3352 wrote to memory of 1960	3352	4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe	86
PID 3352 wrote to memory of 1960	3352	4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe	86
PID 1960 wrote to memory of 3712	1960	agetlke.exe	87
PID 1960 wrote to memory of 3712	1960	agetlke.exe	87
PID 1960 wrote to memory of 3712	1960	agetlke.exe	87
PID 3712 wrote to memory of 3568	3712	agetlke.exe	88
PID 3712 wrote to memory of 3568	3712	agetlke.exe	88
PID 3712 wrote to memory of 3568	3712	agetlke.exe	88
PID 3568 wrote to memory of 448	3568	agetlke.exe	89
PID 3568 wrote to memory of 448	3568	agetlke.exe	89
PID 3568 wrote to memory of 448	3568	agetlke.exe	89
PID 448 wrote to memory of 872	448	agetlke.exe	90
PID 448 wrote to memory of 872	448	agetlke.exe	90
PID 448 wrote to memory of 872	448	agetlke.exe	90
PID 872 wrote to memory of 2820	872	agetlke.exe	91
PID 872 wrote to memory of 2820	872	agetlke.exe	91
PID 872 wrote to memory of 2820	872	agetlke.exe	91
PID 2820 wrote to memory of 3704	2820	agetlke.exe	92
PID 2820 wrote to memory of 3704	2820	agetlke.exe	92
PID 2820 wrote to memory of 3704	2820	agetlke.exe	92
PID 3704 wrote to memory of 3872	3704	agetlke.exe	93
PID 3704 wrote to memory of 3872	3704	agetlke.exe	93
PID 3704 wrote to memory of 3872	3704	agetlke.exe	93
PID 3872 wrote to memory of 1300	3872	agetlke.exe	94
PID 3872 wrote to memory of 1300	3872	agetlke.exe	94
PID 3872 wrote to memory of 1300	3872	agetlke.exe	94
PID 1300 wrote to memory of 2088	1300	agetlke.exe	95
PID 1300 wrote to memory of 2088	1300	agetlke.exe	95
PID 1300 wrote to memory of 2088	1300	agetlke.exe	95
PID 2088 wrote to memory of 636	2088	agetlke.exe	96
PID 2088 wrote to memory of 636	2088	agetlke.exe	96
PID 2088 wrote to memory of 636	2088	agetlke.exe	96
PID 636 wrote to memory of 1548	636	agetlke.exe	97
PID 636 wrote to memory of 1548	636	agetlke.exe	97
PID 636 wrote to memory of 1548	636	agetlke.exe	97
PID 1548 wrote to memory of 3772	1548	agetlke.exe	98
PID 1548 wrote to memory of 3772	1548	agetlke.exe	98
PID 1548 wrote to memory of 3772	1548	agetlke.exe	98
PID 3772 wrote to memory of 4408	3772	agetlke.exe	99
PID 3772 wrote to memory of 4408	3772	agetlke.exe	99
PID 3772 wrote to memory of 4408	3772	agetlke.exe	99
PID 4408 wrote to memory of 1380	4408	agetlke.exe	100
PID 4408 wrote to memory of 1380	4408	agetlke.exe	100
PID 4408 wrote to memory of 1380	4408	agetlke.exe	100
PID 1380 wrote to memory of 1456	1380	agetlke.exe	101
PID 1380 wrote to memory of 1456	1380	agetlke.exe	101
PID 1380 wrote to memory of 1456	1380	agetlke.exe	101
PID 1456 wrote to memory of 2400	1456	agetlke.exe	102
PID 1456 wrote to memory of 2400	1456	agetlke.exe	102
PID 1456 wrote to memory of 2400	1456	agetlke.exe	102
PID 2400 wrote to memory of 3516	2400	agetlke.exe	103
PID 2400 wrote to memory of 3516	2400	agetlke.exe	103
PID 2400 wrote to memory of 3516	2400	agetlke.exe	103
PID 3516 wrote to memory of 3124	3516	agetlke.exe	104
PID 3516 wrote to memory of 3124	3516	agetlke.exe	104
PID 3516 wrote to memory of 3124	3516	agetlke.exe	104
PID 3124 wrote to memory of 1868	3124	agetlke.exe	105
PID 3124 wrote to memory of 1868	3124	agetlke.exe	105
PID 3124 wrote to memory of 1868	3124	agetlke.exe	105
PID 1868 wrote to memory of 4492	1868	agetlke.exe	106
PID 1868 wrote to memory of 4492	1868	agetlke.exe	106
PID 1868 wrote to memory of 4492	1868	agetlke.exe	106
PID 4492 wrote to memory of 4784	4492	agetlke.exe	107

C:\Users\Admin\AppData\Local\Temp\4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4456f0494e71973e04c9f1f112a1a163_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\SysWOW64\agetlke.exe
  "C:\Windows\system32\agetlke.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\agetlke.exe
    "C:\Windows\system32\agetlke.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\agetlke.exe
      "C:\Windows\system32\agetlke.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        30⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        36⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        37⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        50⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        53⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        58⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        66⤵
        Checks computer location settings
        
        PID:4084
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        67⤵
        Checks computer location settings
        
        PID:4056
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        68⤵
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        69⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        71⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        75⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        76⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        80⤵
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        82⤵
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        84⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        85⤵
        Checks computer location settings
        
        PID:4116
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        88⤵
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        89⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        90⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        91⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        92⤵
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        93⤵
        
        PID:620
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        94⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        95⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        97⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        98⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        101⤵
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        102⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        103⤵
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        104⤵
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        105⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        106⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        107⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        108⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        109⤵
        Checks computer location settings
        
        PID:1164
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        110⤵
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        112⤵
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        113⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        115⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        116⤵
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        117⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        119⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        121⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        122⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        123⤵
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        124⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        125⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        126⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        127⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        128⤵
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        129⤵
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        130⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        131⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        133⤵
        Checks computer location settings
        
        PID:4784
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        135⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        136⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        137⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        139⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        140⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        142⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        143⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        144⤵
        
        PID:376
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        145⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        146⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        147⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        148⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        149⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        150⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        151⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        152⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        153⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        154⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        155⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        156⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        157⤵
        
        PID:444
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        158⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        159⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        160⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        161⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        162⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        163⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\agetlke.exe
        
        "C:\Windows\system32\agetlke.exe"
        164⤵
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\agetlke.exe

Filesize
19KB

MD5
4456f0494e71973e04c9f1f112a1a163

SHA1
b95b4e188b08050ada53adca43fd25e0e30f9826

SHA256
5d02a6ea1442f7ff05ccb7ec9f3861eba70ccf904579b4f0bbe611b2b9f887e8

SHA512
550c0653eb727bdf02e4c4a6fac493380e15ae49364a9104aa32d79003462bb045df83d9c3bda01c504e6446903f67c6c2a0f4d882395e45acbf594355f5e5d1

Download Submit
C:\Windows\SysWOW64\temp1.jpg

Filesize
4KB

MD5
e5f792fe9b154a92a486f219db956c90

SHA1
51b67467ed6489dc98e147a58fe014a66026b166

SHA256
b5a640e9c35e084af10d941c184d54ae643dbd83009789ac3d58c435790bd974

SHA512
2a1427cea043301ea9ca4e1c99927cbfede6bb99ac8683ee0fc326dbd794e68be77629d363d1ebc92fb7c9c88e473b751812614669f12aa0f1d9b83d0feead2b

Download Submit
memory/208-292-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/448-91-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/628-296-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/636-141-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/872-364-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/872-98-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/996-216-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1292-328-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1292-248-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1300-236-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1300-127-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1376-224-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1380-256-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1380-169-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1456-176-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1548-148-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1564-208-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1840-308-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1868-192-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1960-70-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2008-344-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2012-316-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2016-284-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2088-134-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2320-220-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2400-180-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2420-268-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2444-320-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2488-212-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2580-264-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2820-105-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2916-252-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2932-304-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3124-188-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3352-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3376-228-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3516-184-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3568-84-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3700-240-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3704-112-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3712-77-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3712-276-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3736-280-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3772-155-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3784-300-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3796-312-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3848-288-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3872-119-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3908-340-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4068-232-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4072-272-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4152-352-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4180-204-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4224-332-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4292-336-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4404-360-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4408-162-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4492-196-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4784-200-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4904-244-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4968-260-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4972-356-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5044-324-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5100-348-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download