Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 22:56
Static task: static1
Behavioral task: behavioral1
  Sample: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Size: 406KB
MD5: ee97c2e552e4143f9936400df4e558d4
SHA1: 9b124a43f12a9b5fb53a57edc6325f42e3de145d
SHA256: acade0ec0613259db602c15bc0e2c0f861319de70f8a9d30246d1094fee745d8
SHA512: 9075a07b32f1d89687be51064933cc7e91ec03ced8f9d08c1c71d8ad0ef820c5803901c945575e2d90a218d150c417d5821416312962c0868c7b766b6209480b
SSDEEP: 12288:gxTvDiv/wQTVKNFNvmuvJUxkG4A3FY+sPDKM:gVvD/QRyaccFgPP
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Deletes itself 1 IoCs
pid | Process
2348 | cmd.exe
Executes dropped EXE 64 IoCs
Loads dropped DLL 3 IoCs
pid | Process
2028 | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
2028 | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
3024 | fservice.exe
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe (PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe (PID 2028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Modifies WinLogon
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\fservice.exe (PID 3024)
    Command line: C:\Windows\system32\fservice.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\fservice.exe (PID 3032)
    Command line: "C:\Windows\SysWOW64\fservice.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\services.exe (PID 2844)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\services.exe (PID 2744)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\services.exe (PID 2752)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\services.exe (PID 2664)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\services.exe (PID 1124)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\services.exe (PID 2656)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[11] C:\Windows\services.exe (PID 3064)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[12] C:\Windows\services.exe (PID 2284)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[13] C:\Windows\services.exe (PID 868)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[14] C:\Windows\services.exe (PID 2624)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[15] C:\Windows\services.exe (PID 1548)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[16] C:\Windows\services.exe (PID 2160)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[17] C:\Windows\services.exe (PID 1728)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[18] C:\Windows\services.exe (PID 1552)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[19] C:\Windows\services.exe (PID 1608)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[20] C:\Windows\services.exe (PID 3056)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[21] C:\Windows\services.exe (PID 2960)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[22] C:\Windows\services.exe (PID 2520)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[23] C:\Windows\services.exe (PID 2212)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[24] C:\Windows\services.exe (PID 476)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[25] C:\Windows\services.exe (PID 276)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[26] C:\Windows\services.exe (PID 920)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[27] C:\Windows\services.exe (PID 3000)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[28] C:\Windows\services.exe (PID 1928)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[29] C:\Windows\services.exe (PID 1544)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[30] C:\Windows\services.exe (PID 1172)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[31] C:\Windows\services.exe (PID 2856)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[32] C:\Windows\services.exe (PID 2528)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[33] C:\Windows\services.exe (PID 2128)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[34] C:\Windows\services.exe (PID 1572)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[35] C:\Windows\services.exe (PID 3004)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[36] C:\Windows\services.exe (PID 1408)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
[37] C:\Windows\services.exe (PID 1684)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[38] C:\Windows\services.exe (PID 1584)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[39] C:\Windows\services.exe (PID 2088)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[40] C:\Windows\services.exe (PID 884)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[41] C:\Windows\services.exe (PID 2248)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
[42] C:\Windows\services.exe (PID 1524)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[43] C:\Windows\services.exe (PID 2132)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[44] C:\Windows\services.exe (PID 2556)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[45] C:\Windows\services.exe (PID 2084)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[46] C:\Windows\services.exe (PID 2972)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[47] C:\Windows\services.exe (PID 2860)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[48] C:\Windows\services.exe (PID 2764)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[49] C:\Windows\services.exe (PID 2848)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[50] C:\Windows\services.exe (PID 2076)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[51] C:\Windows\services.exe (PID 2980)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[52] C:\Windows\services.exe (PID 2644)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[53] C:\Windows\services.exe (PID 2772)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[54] C:\Windows\services.exe (PID 2868)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[55] C:\Windows\services.exe (PID 3068)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[56] C:\Windows\services.exe (PID 1416)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[57] C:\Windows\services.exe (PID 1672)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[58] C:\Windows\services.exe (PID 2680)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[59] C:\Windows\services.exe (PID 1948)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[60] C:\Windows\services.exe (PID 2180)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[61] C:\Windows\services.exe (PID 328)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[62] C:\Windows\services.exe (PID 1940)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[63] C:\Windows\services.exe (PID 1540)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[64] C:\Windows\services.exe (PID 1696)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[65] C:\Windows\services.exe (PID 2952)
    Command line: C:\Windows\services.exe -XP
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[66] C:\Windows\services.exe (PID 2292)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
[67] C:\Windows\services.exe (PID 352)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[68] C:\Windows\services.exe (PID 2228)
    Command line: "C:\Windows\services.exe"
[69] C:\Windows\services.exe (PID 2040)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[70] C:\Windows\services.exe (PID 1580)
    Command line: "C:\Windows\services.exe"
[71] C:\Windows\services.exe (PID 1132)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[72] C:\Windows\services.exe (PID 3052)
    Command line: "C:\Windows\services.exe"
[73] C:\Windows\services.exe (PID 904)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[74] C:\Windows\services.exe (PID 1468)
    Command line: "C:\Windows\services.exe"
    - System Location Discovery: System Language Discovery
[75] C:\Windows\services.exe (PID 1904)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[76] C:\Windows\services.exe (PID 2068)
    Command line: "C:\Windows\services.exe"
[77] C:\Windows\services.exe (PID 1464)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[78] C:\Windows\services.exe (PID 568)
    Command line: "C:\Windows\services.exe"
[79] C:\Windows\services.exe (PID 876)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[80] C:\Windows\services.exe (PID 2992)
    Command line: "C:\Windows\services.exe"
[81] C:\Windows\services.exe (PID 588)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[82] C:\Windows\services.exe (PID 784)
    Command line: "C:\Windows\services.exe"
[83] C:\Windows\services.exe (PID 1592)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[84] C:\Windows\services.exe (PID 988)
    Command line: "C:\Windows\services.exe"
[85] C:\Windows\services.exe (PID 280)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[86] C:\Windows\services.exe (PID 1528)
    Command line: "C:\Windows\services.exe"
[87] C:\Windows\services.exe (PID 1896)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[88] C:\Windows\services.exe (PID 2368)
    Command line: "C:\Windows\services.exe"
[89] C:\Windows\services.exe (PID 2120)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[90] C:\Windows\services.exe (PID 2328)
    Command line: "C:\Windows\services.exe"
[91] C:\Windows\services.exe (PID 2540)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[92] C:\Windows\services.exe (PID 2888)
    Command line: "C:\Windows\services.exe"
    - System Location Discovery: System Language Discovery
[93] C:\Windows\services.exe (PID 2348)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[94] C:\Windows\services.exe (PID 2056)
    Command line: "C:\Windows\services.exe"
[95] C:\Windows\services.exe (PID 1620)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[96] C:\Windows\services.exe (PID 2872)
    Command line: "C:\Windows\services.exe"
[97] C:\Windows\services.exe (PID 2640)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[98] C:\Windows\services.exe (PID 2708)
    Command line: "C:\Windows\services.exe"
[99] C:\Windows\services.exe (PID 2652)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[100] C:\Windows\services.exe (PID 3068)
    Command line: "C:\Windows\services.exe"
[101] C:\Windows\services.exe (PID 2376)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[102] C:\Windows\services.exe (PID 1752)
    Command line: "C:\Windows\services.exe"
[103] C:\Windows\services.exe (PID 1840)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[104] C:\Windows\services.exe (PID 1948)
    Command line: "C:\Windows\services.exe"
[105] C:\Windows\services.exe (PID 2468)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[106] C:\Windows\services.exe (PID 1728)
    Command line: "C:\Windows\services.exe"
[107] C:\Windows\services.exe (PID 2232)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[108] C:\Windows\services.exe (PID 1936)
    Command line: "C:\Windows\services.exe"
[109] C:\Windows\services.exe (PID 2324)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[110] C:\Windows\services.exe (PID 2928)
    Command line: "C:\Windows\services.exe"
[111] C:\Windows\services.exe (PID 2296)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[112] C:\Windows\services.exe (PID 2824)
    Command line: "C:\Windows\services.exe"
[113] C:\Windows\services.exe (PID 1800)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[114] C:\Windows\services.exe (PID 3012)
    Command line: "C:\Windows\services.exe"
[115] C:\Windows\services.exe (PID 1108)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[116] C:\Windows\services.exe (PID 1132)
    Command line: "C:\Windows\services.exe"
    - System Location Discovery: System Language Discovery
[117] C:\Windows\services.exe (PID 2464)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[118] C:\Windows\services.exe (PID 1296)
    Command line: "C:\Windows\services.exe"
[119] C:\Windows\services.exe (PID 1976)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[120] C:\Windows\services.exe (PID 896)
    Command line: "C:\Windows\services.exe"
[121] C:\Windows\services.exe (PID 1720)
    Command line: C:\Windows\services.exe -XP
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
[122] C:\Windows\services.exe (PID 1724)
    Command line: "C:\Windows\services.exe"