14261a8b4435b260a22d3f3dba34bc4eeeda7b024d50797e76c952d1d3687a10

Analysis

max time kernel
100s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe
Size

56KB
MD5

67d9cf75307699133cd115c27cddd7ba
SHA1

4a0fec707fb414cf95b43be6d4f4c7ab340d40ed
SHA256

14261a8b4435b260a22d3f3dba34bc4eeeda7b024d50797e76c952d1d3687a10
SHA512

94399018ca57542235522033eaa14973cade769784a06461c3fff6702eaf13aeb9b6d156a28e295b1415796b0293c3e547c3a918cec04f53bd0b0b7f6a8352ae
SSDEEP

768:dqJ508ZIAA/gNqh+iC1sgUfOW+7Sj6Zz6ZjkfZa8g0y:2IZ/gNqhJbOWIu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	agetlksyiel.exe

Executes dropped EXE 64 IoCs

pid	Process
1140	agetlksyiel.exe
2696	agetlksyiel.exe
4792	agetlksyiel.exe
3052	agetlksyiel.exe
3424	agetlksyiel.exe
2976	agetlksyiel.exe
4436	agetlksyiel.exe
4876	agetlksyiel.exe
2244	agetlksyiel.exe
3488	agetlksyiel.exe
1628	agetlksyiel.exe
3064	agetlksyiel.exe
1760	agetlksyiel.exe
4444	agetlksyiel.exe
224	agetlksyiel.exe
1988	agetlksyiel.exe
1768	agetlksyiel.exe
1220	agetlksyiel.exe
1636	agetlksyiel.exe
5088	agetlksyiel.exe
2516	agetlksyiel.exe
2556	agetlksyiel.exe
5064	agetlksyiel.exe
2680	agetlksyiel.exe
4608	agetlksyiel.exe
4924	agetlksyiel.exe
4372	agetlksyiel.exe
4412	agetlksyiel.exe
2436	agetlksyiel.exe
3164	agetlksyiel.exe
3448	agetlksyiel.exe
3912	agetlksyiel.exe
976	agetlksyiel.exe
4816	agetlksyiel.exe
3880	agetlksyiel.exe
3272	agetlksyiel.exe
1948	agetlksyiel.exe
4196	agetlksyiel.exe
1988	agetlksyiel.exe
1232	agetlksyiel.exe
3332	agetlksyiel.exe
1580	agetlksyiel.exe
2532	agetlksyiel.exe
992	agetlksyiel.exe
3052	agetlksyiel.exe
4744	agetlksyiel.exe
1724	agetlksyiel.exe
3428	agetlksyiel.exe
3948	agetlksyiel.exe
4952	agetlksyiel.exe
436	agetlksyiel.exe
2108	agetlksyiel.exe
736	agetlksyiel.exe
3584	agetlksyiel.exe
4832	agetlksyiel.exe
2688	agetlksyiel.exe
3252	agetlksyiel.exe
2176	agetlksyiel.exe
1164	agetlksyiel.exe
2720	agetlksyiel.exe
916	agetlksyiel.exe
1636	agetlksyiel.exe
2332	agetlksyiel.exe
2180	agetlksyiel.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlksyiel.exe
File created	C:\Windows\SysWOW64\agetlksyiel.exe	agetlksyiel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	agetlksyiel.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3560	67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe
3560	67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe
1140	agetlksyiel.exe
1140	agetlksyiel.exe
2696	agetlksyiel.exe
2696	agetlksyiel.exe
4792	agetlksyiel.exe
4792	agetlksyiel.exe
3052	agetlksyiel.exe
3052	agetlksyiel.exe
3424	agetlksyiel.exe
3424	agetlksyiel.exe
2976	agetlksyiel.exe
2976	agetlksyiel.exe
4436	agetlksyiel.exe
4436	agetlksyiel.exe
4876	agetlksyiel.exe
4876	agetlksyiel.exe
2244	agetlksyiel.exe
2244	agetlksyiel.exe
3488	agetlksyiel.exe
3488	agetlksyiel.exe
1628	agetlksyiel.exe
1628	agetlksyiel.exe
3064	agetlksyiel.exe
3064	agetlksyiel.exe
1760	agetlksyiel.exe
1760	agetlksyiel.exe
4444	agetlksyiel.exe
4444	agetlksyiel.exe
224	agetlksyiel.exe
224	agetlksyiel.exe
1988	agetlksyiel.exe
1988	agetlksyiel.exe
1768	agetlksyiel.exe
1768	agetlksyiel.exe
1220	agetlksyiel.exe
1220	agetlksyiel.exe
1636	agetlksyiel.exe
1636	agetlksyiel.exe
5088	agetlksyiel.exe
5088	agetlksyiel.exe
2516	agetlksyiel.exe
2516	agetlksyiel.exe
2556	agetlksyiel.exe
2556	agetlksyiel.exe
5064	agetlksyiel.exe
5064	agetlksyiel.exe
2680	agetlksyiel.exe
2680	agetlksyiel.exe
4608	agetlksyiel.exe
4608	agetlksyiel.exe
4924	agetlksyiel.exe
4924	agetlksyiel.exe
4372	agetlksyiel.exe
4372	agetlksyiel.exe
4412	agetlksyiel.exe
4412	agetlksyiel.exe
2436	agetlksyiel.exe
2436	agetlksyiel.exe
3164	agetlksyiel.exe
3164	agetlksyiel.exe
3448	agetlksyiel.exe
3448	agetlksyiel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 1140	3560	67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe	87
PID 3560 wrote to memory of 1140	3560	67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe	87
PID 3560 wrote to memory of 1140	3560	67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe	87
PID 1140 wrote to memory of 2696	1140	agetlksyiel.exe	88
PID 1140 wrote to memory of 2696	1140	agetlksyiel.exe	88
PID 1140 wrote to memory of 2696	1140	agetlksyiel.exe	88
PID 2696 wrote to memory of 4792	2696	agetlksyiel.exe	89
PID 2696 wrote to memory of 4792	2696	agetlksyiel.exe	89
PID 2696 wrote to memory of 4792	2696	agetlksyiel.exe	89
PID 4792 wrote to memory of 3052	4792	agetlksyiel.exe	90
PID 4792 wrote to memory of 3052	4792	agetlksyiel.exe	90
PID 4792 wrote to memory of 3052	4792	agetlksyiel.exe	90
PID 3052 wrote to memory of 3424	3052	agetlksyiel.exe	91
PID 3052 wrote to memory of 3424	3052	agetlksyiel.exe	91
PID 3052 wrote to memory of 3424	3052	agetlksyiel.exe	91
PID 3424 wrote to memory of 2976	3424	agetlksyiel.exe	92
PID 3424 wrote to memory of 2976	3424	agetlksyiel.exe	92
PID 3424 wrote to memory of 2976	3424	agetlksyiel.exe	92
PID 2976 wrote to memory of 4436	2976	agetlksyiel.exe	93
PID 2976 wrote to memory of 4436	2976	agetlksyiel.exe	93
PID 2976 wrote to memory of 4436	2976	agetlksyiel.exe	93
PID 4436 wrote to memory of 4876	4436	agetlksyiel.exe	94
PID 4436 wrote to memory of 4876	4436	agetlksyiel.exe	94
PID 4436 wrote to memory of 4876	4436	agetlksyiel.exe	94
PID 4876 wrote to memory of 2244	4876	agetlksyiel.exe	95
PID 4876 wrote to memory of 2244	4876	agetlksyiel.exe	95
PID 4876 wrote to memory of 2244	4876	agetlksyiel.exe	95
PID 2244 wrote to memory of 3488	2244	agetlksyiel.exe	98
PID 2244 wrote to memory of 3488	2244	agetlksyiel.exe	98
PID 2244 wrote to memory of 3488	2244	agetlksyiel.exe	98
PID 3488 wrote to memory of 1628	3488	agetlksyiel.exe	100
PID 3488 wrote to memory of 1628	3488	agetlksyiel.exe	100
PID 3488 wrote to memory of 1628	3488	agetlksyiel.exe	100
PID 1628 wrote to memory of 3064	1628	agetlksyiel.exe	102
PID 1628 wrote to memory of 3064	1628	agetlksyiel.exe	102
PID 1628 wrote to memory of 3064	1628	agetlksyiel.exe	102
PID 3064 wrote to memory of 1760	3064	agetlksyiel.exe	103
PID 3064 wrote to memory of 1760	3064	agetlksyiel.exe	103
PID 3064 wrote to memory of 1760	3064	agetlksyiel.exe	103
PID 1760 wrote to memory of 4444	1760	agetlksyiel.exe	104
PID 1760 wrote to memory of 4444	1760	agetlksyiel.exe	104
PID 1760 wrote to memory of 4444	1760	agetlksyiel.exe	104
PID 4444 wrote to memory of 224	4444	agetlksyiel.exe	105
PID 4444 wrote to memory of 224	4444	agetlksyiel.exe	105
PID 4444 wrote to memory of 224	4444	agetlksyiel.exe	105
PID 224 wrote to memory of 1988	224	agetlksyiel.exe	107
PID 224 wrote to memory of 1988	224	agetlksyiel.exe	107
PID 224 wrote to memory of 1988	224	agetlksyiel.exe	107
PID 1988 wrote to memory of 1768	1988	agetlksyiel.exe	108
PID 1988 wrote to memory of 1768	1988	agetlksyiel.exe	108
PID 1988 wrote to memory of 1768	1988	agetlksyiel.exe	108
PID 1768 wrote to memory of 1220	1768	agetlksyiel.exe	109
PID 1768 wrote to memory of 1220	1768	agetlksyiel.exe	109
PID 1768 wrote to memory of 1220	1768	agetlksyiel.exe	109
PID 1220 wrote to memory of 1636	1220	agetlksyiel.exe	110
PID 1220 wrote to memory of 1636	1220	agetlksyiel.exe	110
PID 1220 wrote to memory of 1636	1220	agetlksyiel.exe	110
PID 1636 wrote to memory of 5088	1636	agetlksyiel.exe	111
PID 1636 wrote to memory of 5088	1636	agetlksyiel.exe	111
PID 1636 wrote to memory of 5088	1636	agetlksyiel.exe	111
PID 5088 wrote to memory of 2516	5088	agetlksyiel.exe	113
PID 5088 wrote to memory of 2516	5088	agetlksyiel.exe	113
PID 5088 wrote to memory of 2516	5088	agetlksyiel.exe	113
PID 2516 wrote to memory of 2556	2516	agetlksyiel.exe	114

C:\Users\Admin\AppData\Local\Temp\67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67d9cf75307699133cd115c27cddd7ba_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\SysWOW64\agetlksyiel.exe
  "C:\Windows\system32\agetlksyiel.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\agetlksyiel.exe
    "C:\Windows\system32\agetlksyiel.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\agetlksyiel.exe
      "C:\Windows\system32\agetlksyiel.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4608
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        41⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        45⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        51⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        58⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        62⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        63⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        66⤵
        
        PID:772
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        67⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        69⤵
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        70⤵
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        71⤵
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        73⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        74⤵
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        75⤵
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        76⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        77⤵
        Checks computer location settings
        
        PID:4596
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        78⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        79⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        80⤵
        Checks computer location settings
        
        PID:4812
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        82⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        83⤵
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        87⤵
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        89⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        90⤵
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        91⤵
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        92⤵
        Checks computer location settings
        
        PID:1384
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        93⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        94⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        95⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        96⤵
        Checks computer location settings
        
        PID:4924
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        97⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        99⤵
        Checks computer location settings
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        102⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        103⤵
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        104⤵
        
        PID:456
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        105⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        108⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        109⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        110⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        111⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        112⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        113⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        115⤵
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        117⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        118⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        119⤵
        Checks computer location settings
        
        PID:3428
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        120⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        121⤵
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        122⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        123⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        124⤵
        Checks computer location settings
        
        PID:1424
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        125⤵
        Checks computer location settings
        
        PID:3168
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        126⤵
        Checks computer location settings
        
        PID:828
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        127⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        131⤵
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        133⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        134⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        135⤵
        Checks computer location settings
        
        PID:3556
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        136⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        137⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        138⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        139⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        140⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        141⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        142⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        143⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        144⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        145⤵
        
        PID:392
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        146⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        147⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        148⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        149⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        150⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        151⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        152⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        153⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        154⤵
        
        PID:468
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        155⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        156⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        157⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        158⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        159⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        160⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        161⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        162⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        163⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        164⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        165⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        166⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        167⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        168⤵
        
        PID:776
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        169⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        170⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        171⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        172⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        173⤵
        
        PID:884
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        174⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        175⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        176⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        177⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        178⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        179⤵
        
        PID:684
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        180⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        181⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        182⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        183⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        184⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        185⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        186⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        187⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        188⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        189⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        190⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        191⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        192⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        193⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        194⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        195⤵
        
        PID:776
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        196⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        197⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        198⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        199⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        200⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        201⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        202⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        203⤵
        
        PID:216
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        204⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        205⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        206⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        207⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        208⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\agetlksyiel.exe
        
        "C:\Windows\system32\agetlksyiel.exe"
        209⤵
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\agetlksyiel.exe

Filesize
56KB

MD5
67d9cf75307699133cd115c27cddd7ba

SHA1
4a0fec707fb414cf95b43be6d4f4c7ab340d40ed

SHA256
14261a8b4435b260a22d3f3dba34bc4eeeda7b024d50797e76c952d1d3687a10

SHA512
94399018ca57542235522033eaa14973cade769784a06461c3fff6702eaf13aeb9b6d156a28e295b1415796b0293c3e547c3a918cec04f53bd0b0b7f6a8352ae

Download Submit
C:\Windows\SysWOW64\psapi.lib

Filesize
19KB

MD5
a5b1b1f7c2c51ff400d93ae63f484d96

SHA1
5f038003bf8851254ba577db5d8dfd69c1085c33

SHA256
35b1d2d2bc5c531d49aa3550de5c19bd5f4ebe79c594c6f5000d6de28b2621bf

SHA512
90c2145b39611bd1406c513dff16366a51e86e8831c34ab15f650e6620a75533e800db056dda2e7e176fac8b20cd0be76bc1725b45930b31595d4aac00da4eec

Download Submit