Analysis

max time kernel: 124s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 14:41

Static task: static1

Behavioral task: behavioral1
Sample: d4974a781ecbc5e976d707eb62332c03_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d4974a781ecbc5e976d707eb62332c03_JaffaCakes118.exe
Resource: win10v2004-20240802-en

General

Target: d4974a781ecbc5e976d707eb62332c03_JaffaCakes118.exe
Size: 15KB
MD5: d4974a781ecbc5e976d707eb62332c03
SHA1: 913a8c25c2dd31d3ba5c45c2818dab7fa189a902
SHA256: 4342ad06cc9b14e0c2c6de0edcd9d3af7ccdccc4b11552ba7152be45c80d549c
SHA512: 59bb229acf3574b5ae797d5ec7cde8268af62cfbadbf41318a01a77249cd9f885da624092bf452f4408328877d8ff32bf9d214e807c71bb4bbc824cc7368ca72
SSDEEP: 192:ycAwpYUPtg7XiOoAHfipMQPZ9lZdJrU+3dwQQkHbvghsw/3CXHGyU2s7S6bL:yzE4i0fYPZ/tUFQQkHblw/3iHGypqSy
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
#1 C:\Users\Admin\AppData\Local\Temp\d4974a781ecbc5e976d707eb62332c03_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\d4974a781ecbc5e976d707eb62332c03_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3944
#2 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2084
#3 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3392
#4 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1036
#5 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4944
#6 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2368
#7 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4488
#8 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3080
#9 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3272
#10 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3476
#11 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 768
#12 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3704
#13 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4328
#14 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4864
#15 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4556
#16 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2908
#17 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3132
#18 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 660
#19 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 868
#20 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3432
#21 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1484
#22 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4708
#23 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 4892
#24 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2084
#25 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1296
#26 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2732
#27 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1016
#28 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2348
#29 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3048
#30 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3788
#31 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID: 4288
#32 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 2448
#33 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 2472
#34 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2116
#35 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID: 3656
#36 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 1448
#37 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 3360
#38 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 752
#39 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4760
#40 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 4392
#41 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 728
#42 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1548
#43 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID: 5104
#44 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Modifies registry class
PID: 4812
#45 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 4084
#46 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 464
#47 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4912
#48 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3572
#49 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 64
#50 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1592
#51 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3972
#52 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2764
#53 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 996
#54 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Modifies registry class
PID: 4288
#55 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID: 2472
#56 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 4008
#57 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Modifies registry class
PID: 3024
#58 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 3656
#59 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 2292
#60 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 2456
#61 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2052
#62 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- Modifies registry class
PID: 5084
#63 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2332
#64 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
PID: 3432
#65 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1944
#66 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 5104
#67 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 3492
#68 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 464
#69 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 4912
#70 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Drops file in System32 directory
PID: 3844
#71 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
PID: 1016
#72 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 1092
#73 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
PID: 2484
#74 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3788
#75 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 1740
#76 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Modifies registry class
PID: 2016
#77 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Modifies registry class
PID: 1788
#78 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Modifies registry class
PID: 976
#79 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 3708
#80 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 3872
#81 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 832
#82 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 264
#83 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 812
#84 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 2756
#85 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 3388
#86 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2876
#87 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 972
#88 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Modifies registry class
PID: 3140
#89 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 4480
#90 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 1772
#91 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4084
#92 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 3232
#93 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 1584
#94 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Drops file in System32 directory
PID: 3572
#95 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Modifies registry class
PID: 1436
#96 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 3716
#97 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 3080
#98 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Drops file in System32 directory
PID: 2764
#99 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Modifies registry class
PID: 1176
#100 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 996
#101 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2448
#102 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Drops file in System32 directory
PID: 1768
#103 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 4612
#104 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Drops file in System32 directory
- Modifies registry class
PID: 452
#105 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 4272
#106 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1732
#107 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Modifies registry class
PID: 372
#108 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Drops file in System32 directory
PID: 4436
#109 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 532
#110 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
PID: 1660
#111 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
PID: 4392
#112 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Drops file in System32 directory
PID: 5088
#113 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4772
#114 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Modifies registry class
PID: 3112
#115 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3816
#116 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1512
#117 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
PID: 3492
#118 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Drops file in System32 directory
PID: 1296
#119 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- Modifies registry class
PID: 4856
#120 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 4860
#121 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
PID: 3844
#122 C:\Windows\SysWOW64\agetlktz.exe "C:\Windows\system32\agetlktz.exe"
- Checks computer location settings
PID: 3308