Analysis
max time kernel: 32s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 08:02

Behavioral task: behavioral1
Sample: a6007ec38a30834942c544af376b426b_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: a6007ec38a30834942c544af376b426b_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: a6007ec38a30834942c544af376b426b_JaffaCakes118.exe
Size: 50KB
MD5: a6007ec38a30834942c544af376b426b
SHA1: 846889ba1f2590e734643849dfbbc362585a385f
SHA256: 7bc2c25c4ed780634240f71336b2fb669b550121a8c5128217ebba7061e736c8
SHA512: 8d17786f160a99c5212c5606bc0f545389734cc23bf15e28a77d23e64de6bc9db5f8c070a159ad6020689fa6dfbe90fd725f425968a55068151a4361cab9306a
SSDEEP: 768:opTqsZIVZpzeV7oh8aMlcMES7gM8/+PZAPD6HxopPldi+pAltp1d06Gfa1ODbrKH:oT9kZlGK8Nl7gsPCr6Hu3d1p45GfRI
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
flow  pid    Process
30    23788  Process not Found
Executes dropped EXE (64 IoCs)
pid   Process
2896  icf.exe
3284  icf.exe
3100  icf.exe
3168  icf.exe
976   icf.exe
3592  icf.exe
1920  icf.exe
4796  icf.exe
2568  icf.exe
4360  icf.exe
2708  icf.exe
3960  icf.exe
516   icf.exe
2008  icf.exe
468   icf.exe
2480  icf.exe
2900  icf.exe
2500  icf.exe
4456  icf.exe
3440  icf.exe
3116  icf.exe
1172  icf.exe
2120  icf.exe
4592  icf.exe
924   icf.exe
3964  icf.exe
3208  icf.exe
4020  icf.exe
2484  icf.exe
1908  icf.exe
1620  icf.exe
3652  icf.exe
4564  icf.exe
3868  icf.exe
2640  icf.exe
764   icf.exe
3504  icf.exe
4868  icf.exe
1712  icf.exe
1312  icf.exe
4512  icf.exe
3976  icf.exe
2680  icf.exe
2000  icf.exe
4736  icf.exe
2948  icf.exe
1740  icf.exe
4712  icf.exe
1752  icf.exe
4804  icf.exe
4760  icf.exe
4500  icf.exe
2764  icf.exe
868   icf.exe
2624  icf.exe
1760  icf.exe
4272  icf.exe
4356  icf.exe
4424  icf.exe
4756  icf.exe
1076  icf.exe
2620  icf.exe
2024  icf.exe
1372  icf.exe
resource                                                                     yara_rule
behavioral2/memory/5064-0-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/files/0x0009000000023461-3.dat                                   upx
behavioral2/memory/5064-14-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2896-16-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1908-36-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/6180-70-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/11544-79-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/5064-139-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/2896-145-0x0000000000400000-0x0000000000421000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 64 IoCs)
description      ioc                                                                                                                 Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"  icf.exe
Drops file in System32 directory (64 IoCs)
description                   ioc                                   Process
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File opened for modification  \??\c:\windows\SysWOW64\1835011.bat   icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\1835011.bat   icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       Process not Found
File opened for modification  \??\c:\windows\SysWOW64\1835011.bat   icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       Process not Found
File created                  \??\c:\windows\SysWOW64\icf.exe       Process not Found
File created                  \??\c:\windows\SysWOW64\icf.exe       Process not Found
File created                  \??\c:\windows\SysWOW64\icf.exe       Process not Found
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       Process not Found
File opened for modification  \??\c:\windows\SysWOW64\1835011.bat   icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       Process not Found
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
File created                  \??\c:\windows\SysWOW64\icf.exe       icf.exe
Program crash (4 IoCs)
pid    pid_target  Process            procid_target
5184   7516        Process not Found  308
13336  7648        Process not Found  316
13400  15696       Process not Found  798
5840   16772       Process not Found  858
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description                         pid   Process                                              procid_target
PID 5064 wrote to memory of 2896    5064  a6007ec38a30834942c544af376b426b_JaffaCakes118.exe  84
PID 5064 wrote to memory of 2896    5064  a6007ec38a30834942c544af376b426b_JaffaCakes118.exe  84
PID 5064 wrote to memory of 2896    5064  a6007ec38a30834942c544af376b426b_JaffaCakes118.exe  84
PID 2896 wrote to memory of 3284    2896  icf.exe                                              85
PID 2896 wrote to memory of 3284    2896  icf.exe                                              85
PID 2896 wrote to memory of 3284    2896  icf.exe                                              85
PID 3284 wrote to memory of 3100    3284  icf.exe                                              86
PID 3284 wrote to memory of 3100    3284  icf.exe                                              86
PID 3284 wrote to memory of 3100    3284  icf.exe                                              86
PID 3100 wrote to memory of 3168    3100  icf.exe                                              87
PID 3100 wrote to memory of 3168    3100  icf.exe                                              87
PID 3100 wrote to memory of 3168    3100  icf.exe                                              87
PID 3168 wrote to memory of 976     3168  icf.exe                                              88
PID 3168 wrote to memory of 976     3168  icf.exe                                              88
PID 3168 wrote to memory of 976     3168  icf.exe                                              88
PID 976 wrote to memory of 3592     976   icf.exe                                              89
PID 976 wrote to memory of 3592     976   icf.exe                                              89
PID 976 wrote to memory of 3592     976   icf.exe                                              89
PID 3592 wrote to memory of 1920    3592  icf.exe                                              90
PID 3592 wrote to memory of 1920    3592  icf.exe                                              90
PID 3592 wrote to memory of 1920    3592  icf.exe                                              90
PID 1920 wrote to memory of 4796    1920  icf.exe                                              91
PID 1920 wrote to memory of 4796    1920  icf.exe                                              91
PID 1920 wrote to memory of 4796    1920  icf.exe                                              91
PID 4796 wrote to memory of 2568    4796  icf.exe                                              92
PID 4796 wrote to memory of 2568    4796  icf.exe                                              92
PID 4796 wrote to memory of 2568    4796  icf.exe                                              92
PID 2568 wrote to memory of 4360    2568  icf.exe                                              93
PID 2568 wrote to memory of 4360    2568  icf.exe                                              93
PID 2568 wrote to memory of 4360    2568  icf.exe                                              93
PID 4360 wrote to memory of 2708    4360  icf.exe                                              94
PID 4360 wrote to memory of 2708    4360  icf.exe                                              94
PID 4360 wrote to memory of 2708    4360  icf.exe                                              94
PID 2708 wrote to memory of 3960    2708  icf.exe                                              95
PID 2708 wrote to memory of 3960    2708  icf.exe                                              95
PID 2708 wrote to memory of 3960    2708  icf.exe                                              95
PID 3960 wrote to memory of 516     3960  icf.exe                                              96
PID 3960 wrote to memory of 516     3960  icf.exe                                              96
PID 3960 wrote to memory of 516     3960  icf.exe                                              96
PID 516 wrote to memory of 2008     516   icf.exe                                              97
PID 516 wrote to memory of 2008     516   icf.exe                                              97
PID 516 wrote to memory of 2008     516   icf.exe                                              97
PID 2008 wrote to memory of 468     2008  icf.exe                                              98
PID 2008 wrote to memory of 468     2008  icf.exe                                              98
PID 2008 wrote to memory of 468     2008  icf.exe                                              98
PID 468 wrote to memory of 2480     468   icf.exe                                              99
PID 468 wrote to memory of 2480     468   icf.exe                                              99
PID 468 wrote to memory of 2480     468   icf.exe                                              99
PID 2480 wrote to memory of 2900    2480  icf.exe                                              100
PID 2480 wrote to memory of 2900    2480  icf.exe                                              100
PID 2480 wrote to memory of 2900    2480  icf.exe                                              100
PID 2900 wrote to memory of 2500    2900  icf.exe                                              101
PID 2900 wrote to memory of 2500    2900  icf.exe                                              101
PID 2900 wrote to memory of 2500    2900  icf.exe                                              101
PID 2500 wrote to memory of 4456    2500  icf.exe                                              102
PID 2500 wrote to memory of 4456    2500  icf.exe                                              102
PID 2500 wrote to memory of 4456    2500  icf.exe                                              102
PID 4456 wrote to memory of 3440    4456  icf.exe                                              103
PID 4456 wrote to memory of 3440    4456  icf.exe                                              103
PID 4456 wrote to memory of 3440    4456  icf.exe                                              103
PID 3440 wrote to memory of 3116    3440  icf.exe                                              104
PID 3440 wrote to memory of 3116    3440  icf.exe                                              104
PID 3440 wrote to memory of 3116    3440  icf.exe                                              104
PID 3116 wrote to memory of 1172    3116  icf.exe                                              105
Processes
(each entry: tree depth, image path, command line, PID, followed by the signatures matched by that process)

[depth 1] C:\Users\Admin\AppData\Local\Temp\a6007ec38a30834942c544af376b426b_JaffaCakes118.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\a6007ec38a30834942c544af376b426b_JaffaCakes118.exe")  PID: 5064
  - Suspicious use of WriteProcessMemory
[depth 2] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2896
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 3] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3284
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 4] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3100
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 5] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3168
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 6] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 976
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 7] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3592
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 8] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1920
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 9] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4796
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 10] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2568
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 11] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4360
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 12] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2708
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 13] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3960
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 14] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 516
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 15] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2008
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 16] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 468
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 17] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2480
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 18] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2900
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 19] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2500
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 20] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4456
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 21] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3440
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 22] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3116
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 23] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1172
  - Executes dropped EXE
[depth 24] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2120
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[depth 25] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4592
  - Executes dropped EXE
  - Adds Run key to start application
[depth 26] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 924
  - Executes dropped EXE
[depth 27] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3964
  - Executes dropped EXE
[depth 28] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3208
  - Executes dropped EXE
[depth 29] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4020
  - Executes dropped EXE
[depth 30] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2484
  - Executes dropped EXE
[depth 31] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1908
  - Executes dropped EXE
[depth 32] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1620
  - Executes dropped EXE
[depth 33] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3652
  - Executes dropped EXE
[depth 34] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4564
  - Executes dropped EXE
[depth 35] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3868
  - Executes dropped EXE
[depth 36] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2640
  - Executes dropped EXE
[depth 37] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 764
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 38] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3504
  - Executes dropped EXE
[depth 39] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4868
  - Executes dropped EXE
[depth 40] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1712
  - Executes dropped EXE
[depth 41] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1312
  - Executes dropped EXE
[depth 42] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4512
  - Executes dropped EXE
[depth 43] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3976
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[depth 44] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2680
  - Executes dropped EXE
[depth 45] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2000
  - Executes dropped EXE
[depth 46] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4736
  - Executes dropped EXE
[depth 47] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2948
  - Executes dropped EXE
[depth 48] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1740
  - Executes dropped EXE
[depth 49] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4712
  - Executes dropped EXE
[depth 50] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1752
  - Executes dropped EXE
[depth 51] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4804
  - Executes dropped EXE
[depth 52] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4760
  - Executes dropped EXE
[depth 53] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4500
  - Executes dropped EXE
[depth 54] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2764
  - Executes dropped EXE
[depth 55] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 868
  - Executes dropped EXE
[depth 56] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2624
  - Executes dropped EXE
[depth 57] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1760
  - Executes dropped EXE
[depth 58] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4272
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[depth 59] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4356
  - Executes dropped EXE
[depth 60] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4424
  - Executes dropped EXE
[depth 61] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4756
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[depth 62] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1076
  - Executes dropped EXE
[depth 63] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2620
  - Executes dropped EXE
[depth 64] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2024
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 65] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1372
  - Executes dropped EXE
[depth 66] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2796
  - Drops file in System32 directory
[depth 67] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4068
[depth 68] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4336
[depth 69] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3956
[depth 70] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2452
[depth 71] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4816
[depth 72] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2092
[depth 73] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3092
[depth 74] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3008
[depth 75] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2152
[depth 76] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 784
[depth 77] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3196
[depth 78] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3636
  - Drops file in System32 directory
[depth 79] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4944
[depth 80] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2356
[depth 81] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 2820
  - System Location Discovery: System Language Discovery
[depth 82] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 5092
[depth 83] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3204
[depth 84] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 3740
[depth 85] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 1880
[depth 86] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 4384
  - System Location Discovery: System Language Discovery
[depth 87] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 5124
[depth 88] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 5136
[depth 89] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 5152
[depth 90] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 5176
  - Adds Run key to start application
[depth 91] \??\c:\windows\SysWOW64\icf.exe  (cmd: c:\windows\system32\icf.exe)  PID: 5192
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe92⤵PID:5208
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe93⤵PID:5228
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe94⤵PID:5244
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe95⤵PID:5260
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe96⤵PID:5276
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe97⤵PID:5300
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe98⤵
- System Location Discovery: System Language Discovery
PID:5316 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe99⤵PID:5332
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe100⤵PID:5348
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe101⤵PID:5360
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe102⤵PID:5380
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe103⤵PID:5396
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe104⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:5412 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe105⤵PID:5428
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe106⤵PID:5448
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe107⤵PID:5464
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe108⤵PID:5480
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe109⤵PID:5492
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe110⤵
- System Location Discovery: System Language Discovery
PID:5512 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe111⤵PID:5532
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe112⤵PID:5544
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe113⤵PID:5564
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe114⤵
- Drops file in System32 directory
PID:5580 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe115⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:5596 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe116⤵PID:5616
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe117⤵
- Drops file in System32 directory
PID:5632 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe118⤵PID:5648
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe119⤵PID:5684
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe120⤵PID:5708
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe121⤵PID:5740
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe122⤵PID:5756
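The process tree above records each icf.exe launch with its nesting depth, PID and the signatures it triggered, but the text extraction has fused the NT image path, the command line and the depth onto a single line, and the PID sometimes trails on that line and sometimes on the next. The block below is an added example, not part of the sandbox report, that parses a constructed excerpt in exactly that shape and derives the triage facts an analyst pulls from such a tree: how long the chain of a binary re-launching its own image runs, which PIDs carry the persistence signature, and how often each signature fires. The `ProcNode`, `parse_tree` and `triage` names are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the same shape as the report's process-tree lines
# (one entry with several signatures, one with the PID on the header line).
SAMPLE_TREE = r"""\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4272 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe59⤵
- Executes dropped EXE
PID:4356 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe67⤵PID:4068
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe90⤵
- Adds Run key to start application
PID:5176 -
"""

HEADER = re.compile(
    r"^(?P<image>\\\?\?\\.+?\.exe)"      # NT-style image path, e.g. \??\c:\windows\SysWOW64\icf.exe
    r"(?P<cmdline>[A-Za-z]:\\.+?\.exe)"  # command line fused directly onto the image path
    r"(?P<depth>\d+)⤵"                   # nesting depth, fused in front of the arrow glyph
    r"(?:PID:(?P<pid>\d+))?$"            # PID may follow on the same line
)
PID_LINE = re.compile(r"^PID:(?P<pid>\d+)\s*-?$")


@dataclass
class ProcNode:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[ProcNode]:
    """Turn the fused report lines into one ProcNode per process launch."""
    nodes: List[ProcNode] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            nodes.append(ProcNode(m["image"], m["cmdline"], int(m["depth"]),
                                  int(m["pid"]) if m["pid"] else None))
            continue
        if not nodes:
            continue
        m = PID_LINE.match(line)
        if m:
            nodes[-1].pid = int(m["pid"])
        elif line.startswith("- ") and len(line) > 2:
            nodes[-1].signatures.append(line[2:].strip())
        # a bare "-" is list residue from the report and carries no information
    return nodes


def longest_self_spawn_chain(nodes: List[ProcNode]) -> int:
    """Longest run of a process launching its own image exactly one level deeper each time."""
    best = run = 1 if nodes else 0
    for prev, cur in zip(nodes, nodes[1:]):
        if cur.image.lower() == prev.image.lower() and cur.depth == prev.depth + 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best


def persistence_pids(nodes: List[ProcNode]) -> List[int]:
    """PIDs whose launch triggered the Run-key persistence signature."""
    return [n.pid for n in nodes
            if any(s.startswith("Adds Run key") for s in n.signatures)]


def signature_counts(nodes: List[ProcNode]) -> Counter:
    return Counter(s for n in nodes for s in n.signatures)


def triage(text: str) -> dict:
    nodes = parse_tree(text)
    return {
        "processes": len(nodes),
        "distinct_images": sorted({n.image.lower() for n in nodes}),
        "max_depth": max((n.depth for n in nodes), default=0),
        "self_spawn_chain": longest_self_spawn_chain(nodes),
        "persistence_pids": persistence_pids(nodes),
        "signatures": dict(signature_counts(nodes)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TREE).items():
        print(f"{key}: {value}")
```

Run against the full tree on this page the chain length climbs into the dozens with a single distinct image, which is the pattern to alert on: a dropped binary in SysWOW64 that exists only to spawn another copy of itself, with the persistence and System32 file-drop signatures landing on a handful of the copies rather than on the first one.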