Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 22:56

Static task: static1

Behavioral task: behavioral1
Sample: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Resource: win10v2004-20240802-en

General
Target: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
Size: 406KB
MD5: ee97c2e552e4143f9936400df4e558d4
SHA1: 9b124a43f12a9b5fb53a57edc6325f42e3de145d
SHA256: acade0ec0613259db602c15bc0e2c0f861319de70f8a9d30246d1094fee745d8
SHA512: 9075a07b32f1d89687be51064933cc7e91ec03ced8f9d08c1c71d8ad0ef820c5803901c945575e2d90a218d150c417d5821416312962c0868c7b766b6209480b
SSDEEP: 12288:gxTvDiv/wQTVKNFNvmuvJUxkG4A3FY+sPDKM:gVvD/QRyaccFgPP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" (process: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe)

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" (process: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 3 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} (process: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ (process: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" (process: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe)
Executes dropped EXE (64 IoCs)

resource yara_rule: upx (matched on behavioral2 memory dumps)
Modifies WinLogon (2 TTPs, 1 IoC)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe)
Drops file in System32 directory (64 IoCs)
Suspicious use of SetThreadContext (64 IoCs)
Drops file in Windows directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
depth 1, PID 3904: C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe"
    signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 2, PID 4056: C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe"
    signatures: Modifies WinLogon for persistence; Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Modifies WinLogon; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
depth 3, PID 4452: C:\Windows\SysWOW64\fservice.exe
    command line: C:\Windows\system32\fservice.exe
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 4, PID 4920: C:\Windows\SysWOW64\fservice.exe
    command line: "C:\Windows\SysWOW64\fservice.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 5, PID 1112: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 6, PID 3664: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 7, PID 1412: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 8, PID 1908: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 9, PID 320: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 10, PID 264: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 11, PID 224: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 12, PID 3460: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 13, PID 2188: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 14, PID 4996: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 15, PID 3704: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 16, PID 3044: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 17, PID 4816: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
depth 18, PID 4600: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 19, PID 4784: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 20, PID 4520: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE; Drops file in Windows directory
depth 21, PID 1788: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 22, PID 4596: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 23, PID 3332: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 24, PID 3604: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 25, PID 4804: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 26, PID 4764: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 27, PID 2044: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 28, PID 1436: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 29, PID 1120: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 30, PID 2068: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 31, PID 4568: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 32, PID 4944: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 33, PID 4496: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 34, PID 2992: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE; Drops file in System32 directory
depth 35, PID 2132: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 36, PID 3416: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 37, PID 2672: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 38, PID 3504: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 39, PID 3708: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 40, PID 4924: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 41, PID 3936: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 42, PID 2524: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 43, PID 4768: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 44, PID 380: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 45, PID 2756: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 46, PID 3276: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 47, PID 3980: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 48, PID 4532: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 49, PID 4912: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 50, PID 1592: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 51, PID 4356: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 52, PID 1876: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 53, PID 2140: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 54, PID 4976: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 55, PID 2104: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 56, PID 3552: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 57, PID 2052: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 58, PID 3332: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 59, PID 3796: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
depth 60, PID 1192: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 61, PID 752: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 62, PID 3576: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 63, PID 4132: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 64, PID 4732: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 65, PID 2344: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 66, PID 3684: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Executes dropped EXE
depth 67, PID 3932: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 68, PID 3904: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 69, PID 2476: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 70, PID 4796: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 71, PID 2164: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 72, PID 432: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 73, PID 2796: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 74, PID 1484: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 75, PID 2128: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 76, PID 1640: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 77, PID 100: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 78, PID 740: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Drops file in System32 directory
depth 79, PID 512: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 80, PID 4084: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 81, PID 868: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 82, PID 2420: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Drops file in System32 directory
depth 83, PID 2940: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 84, PID 2384: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 85, PID 836: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 86, PID 2552: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Drops file in Windows directory
depth 87, PID 2904: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 88, PID 1488: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 89, PID 844: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 90, PID 4164: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 91, PID 4748: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 92, PID 3208: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Drops file in System32 directory
depth 93, PID 1180: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 94, PID 4212: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 95, PID 2744: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 96, PID 4132: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: Drops file in System32 directory
depth 97, PID 4588: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 98, PID 5096: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 99, PID 4300: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 100, PID 2040: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 101, PID 3068: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
depth 102, PID 2180: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 103, PID 2164: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 104, PID 4824: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 105, PID 972: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 106, PID 208: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 107, PID 1328: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 108, PID 3852: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 109, PID 1432: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 110, PID 3972: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 111, PID 2188: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 112, PID 4328: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 113, PID 5000: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 114, PID 2620: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 115, PID 4412: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 116, PID 2488: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 117, PID 3896: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 118, PID 4980: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 119, PID 1076: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 120, PID 1584: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
depth 121, PID 2364: C:\Windows\services.exe
    command line: C:\Windows\services.exe -XP
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
depth 122, PID 1656: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    signatures: none
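As an added example (not part of this sandbox report and not the sample's own code), the Python below takes the facts an analyst reads off the tree and the WriteProcessMemory rows above, transcribed by hand as constructed input (the first eight processes and the write rows), and pulls out four things: a parent launching its own image, writing into the child and calling SetThreadContext (the shape of process hollowing); a dropped binary named like a Windows system executable but living outside the directory the genuine one lives in (C:\Windows\services.exe rather than C:\Windows\System32\services.exe); a written-to PID the process listing never shows; and the length of the services.exe relaunch chain. The `GENUINE_DIRS` map, the shortened signature names and every function name are assumptions of the example; a hash or Authenticode check, not a path check, is the real confirmation that a services.exe is not the genuine one.

```python
"""Triage helper for the process tree and WriteProcessMemory rows above.

Added example, not part of the sandbox report and not the sample's own code.
The input below is transcribed by hand from the records above (first eight
processes and the write rows); GENUINE_DIRS and every function name are
assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Proc:
    depth: int          # nesting level in the report's process tree
    pid: int
    path: str           # image path as reported
    cmdline: str        # command line as reported
    sigs: frozenset = field(default_factory=frozenset)  # shortened signature names


SAMPLE = "ee97c2e552e4143f9936400df4e558d4_JaffaCakes118.exe"
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
FSVC = "C:\\Windows\\SysWOW64\\fservice.exe"
SVC = "C:\\Windows\\services.exe"

# Constructed input: depth, PID, image, command line, signatures (from the tree above).
TREE = [
    Proc(1, 3904, TMP, f'"{TMP}"', frozenset({"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"})),
    Proc(2, 4056, TMP, f'"{TMP}"', frozenset({"WriteProcessMemory", "Modifies WinLogon"})),
    Proc(3, 4452, FSVC, "C:\\Windows\\system32\\fservice.exe",
         frozenset({"Executes dropped EXE", "SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"})),
    Proc(4, 4920, FSVC, f'"{FSVC}"', frozenset({"Executes dropped EXE", "WriteProcessMemory"})),
    Proc(5, 1112, SVC, SVC + " -XP",
         frozenset({"Executes dropped EXE", "SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"})),
    Proc(6, 3664, SVC, f'"{SVC}"', frozenset({"Executes dropped EXE", "WriteProcessMemory"})),
    Proc(7, 1412, SVC, SVC + " -XP",
         frozenset({"Executes dropped EXE", "SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"})),
    Proc(8, 1908, SVC, f'"{SVC}"', frozenset({"Executes dropped EXE", "WriteProcessMemory"})),
]

# Constructed input: (writer PID, target PID, number of rows) from the
# "wrote to memory of" table above.
WRITES = [(3904, 4056, 8), (4056, 4452, 3), (4452, 4920, 8), (4056, 4556, 3),
          (4920, 1112, 3), (1112, 3664, 8), (3664, 1412, 3), (1412, 1908, 8)]

# Where the genuine copy of each impersonated system image lives (assumption
# for this example; a hash or Authenticode check is the real confirmation).
GENUINE_DIRS = {"services.exe": {"c:\\windows\\system32"}}


def parent_edges(tree):
    """Recover (parent, child) PID pairs from the depth column: an entry at
    depth d is the child of the most recent entry at depth d-1."""
    last_at_depth, edges = {}, []
    for p in tree:
        if p.depth > 1:
            edges.append((last_at_depth[p.depth - 1].pid, p.pid))
        last_at_depth[p.depth] = p
    return edges


def hollowing_candidates(tree, writes):
    """Parent launches its own image, writes into the child's memory and calls
    SetThreadContext: the shape of process hollowing (a suspended copy of
    itself is overwritten, then resumed). Returns (parent, child) PID pairs."""
    by_pid = {p.pid: p for p in tree}
    written = {(w, t) for w, t, _ in writes}
    return [(a, b) for a, b in parent_edges(tree)
            if by_pid[a].path.lower() == by_pid[b].path.lower()
            and (a, b) in written
            and "SetThreadContext" in by_pid[a].sigs]


def masquerading(tree):
    """Images whose file name matches a well-known Windows binary but whose
    directory is not where the genuine one lives."""
    out = []
    for p in tree:
        directory, _, name = p.path.lower().rpartition("\\")
        if name in GENUINE_DIRS and directory not in GENUINE_DIRS[name] and p.path not in out:
            out.append(p.path)
    return out


def unexplained_targets(tree, writes):
    """PIDs that received WriteProcessMemory but never appear in the tree
    (here 4556, a process the listing does not show)."""
    pids = {p.pid for p in tree}
    return sorted({t for _, t, _ in writes if t not in pids})


def relaunch_generations(tree, name):
    """Consecutive generations of `name` spawning `name`: the -XP / plain
    ping-pong the report shows for services.exe."""
    n = 0
    for p in tree:
        if p.path.lower().endswith("\\" + name.lower()):
            n += 1
        elif n:
            break
    return n


if __name__ == "__main__":
    print("hollowing candidates:", hollowing_candidates(TREE, WRITES))
    print("masquerading images:", masquerading(TREE))
    print("written to but unlisted:", unexplained_targets(TREE, WRITES))
    print("services.exe relaunch generations:", relaunch_generations(TREE, "services.exe"))
```

On the eight transcribed processes the hollowing check returns the four self-spawn pairs (3904 into 4056, 4452 into 4920, 1112 into 3664, 1412 into 1908) and skips 3664 into 1412, where the parent writes memory but never calls SetThreadContext; the masquerading check flags only C:\Windows\services.exe, and 4556 is the one written-to PID missing from the listing.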