Analysis
max time kernel: 35s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2024, 11:37
Behavioral tasks
behavioral1: sample bb920147234d7c9982a5f12046d3b36e_JaffaCakes118.exe, resource win7-20240729-en
behavioral2: sample bb920147234d7c9982a5f12046d3b36e_JaffaCakes118.exe, resource win10v2004-20240802-en
General
Target: bb920147234d7c9982a5f12046d3b36e_JaffaCakes118.exe
Size: 51KB
MD5: bb920147234d7c9982a5f12046d3b36e
SHA1: 623d992b3c18ef9ce8d38131e9e69b3f3d2bd12d
SHA256: 975495c6965ceca4c9f4116f971e81ddfd7bb1f10336caa4de028cb5d27eefb2
SHA512: 441c4dedbe3074235530b25272a28c72dc1ab7e80318542e355b97ff36aef03b76ad7820e24e4d981932f38722d80bb52d9232dab6d020955a95d66634949d93
SSDEEP: 1536:ijdbbq4JTgfPfIi84lQOeMiYDoIWrwMtca//NZy6Tum3:ihriItOxeRYDpcwMtcKlZ7X3
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Yara rule hits (rule: upx)
resource | yara_rule
behavioral2/memory/2264-0-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/files/0x0009000000023411-3.dat | upx
behavioral2/memory/2264-14-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/4624-16-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/944-63-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/5416-70-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/8104-71-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/4624-167-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/2264-170-0x0000000000400000-0x0000000000423000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 64 IoCs)
All 64 entries set the same value; the distinct rows are:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" | icf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" | Process not Found
Drops file in System32 directory (64 IoCs)
Most of the 64 entries are the repeated creation of \??\c:\windows\SysWOW64\icf.exe; the distinct rows are:
description | ioc | Process
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\1835011.bat | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\1835011.bat | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\5242883.bat | icf.exe
File created | \??\c:\windows\SysWOW64\6356995.bat | icf.exe
Program crash (5 IoCs)
pid | pid_target | Process | procid_target
25316 | 7252 | Process not Found | 302
22708 | 9288 | Process not Found | 424
9472 | 9304 | Process not Found | 425
8740 | 8880 | Process not Found | 399
20980 | 17824 | Process not Found | 923
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 entries open the same key; the distinct rows are:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
Each write is reported three times; the distinct rows, which form a parent-to-child chain, are:
description | pid | Process | procid_target
PID 2264 wrote to memory of 4624 | 2264 | bb920147234d7c9982a5f12046d3b36e_JaffaCakes118.exe | 84
PID 4624 wrote to memory of 984 | 4624 | icf.exe | 85
PID 984 wrote to memory of 408 | 984 | icf.exe | 86
PID 408 wrote to memory of 4284 | 408 | icf.exe | 87
PID 4284 wrote to memory of 3740 | 4284 | icf.exe | 88
PID 3740 wrote to memory of 1800 | 3740 | icf.exe | 89
PID 1800 wrote to memory of 952 | 1800 | icf.exe | 90
PID 952 wrote to memory of 864 | 952 | icf.exe | 91
PID 864 wrote to memory of 5040 | 864 | icf.exe | 92
PID 5040 wrote to memory of 3776 | 5040 | icf.exe | 93
PID 3776 wrote to memory of 2368 | 3776 | icf.exe | 94
PID 2368 wrote to memory of 4644 | 2368 | icf.exe | 95
PID 4644 wrote to memory of 3832 | 4644 | icf.exe | 96
PID 3832 wrote to memory of 4804 | 3832 | icf.exe | 97
PID 4804 wrote to memory of 1236 | 4804 | icf.exe | 98
PID 1236 wrote to memory of 4504 | 1236 | icf.exe | 99
PID 4504 wrote to memory of 5020 | 4504 | icf.exe | 100
PID 5020 wrote to memory of 5024 | 5020 | icf.exe | 101
PID 5024 wrote to memory of 1036 | 5024 | icf.exe | 102
PID 1036 wrote to memory of 3552 | 1036 | icf.exe | 103
PID 3552 wrote to memory of 1956 | 3552 | icf.exe | 104
PID 1956 wrote to memory of 4928 | 1956 | icf.exe | 105
Processes
The process tree is a single chain: each process is spawned by the one at the depth above it.

depth 1: C:\Users\Admin\AppData\Local\Temp\bb920147234d7c9982a5f12046d3b36e_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\bb920147234d7c9982a5f12046d3b36e_JaffaCakes118.exe", PID 2264
- Suspicious use of WriteProcessMemory

depths 2 to 92: every entry is \??\c:\windows\SysWOW64\icf.exe, command line c:\windows\system32\icf.exe
depth | PID | signatures
2 | 4624 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | 984 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4 | 408 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | 4284 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | 3740 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | 1800 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
8 | 952 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | 864 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | 5040 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | 3776 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | 2368 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13 | 4644 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | 3832 | Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
15 | 4804 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | 1236 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17 | 4504 | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | 5020 | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | 5024 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | 1036 | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | 3552 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | 1956 | Executes dropped EXE; Suspicious use of WriteProcessMemory
23 | 4928 | Executes dropped EXE
24 | 1580 | Executes dropped EXE; Adds Run key to start application
25 | 2900 | Executes dropped EXE
26 | 4792 | Executes dropped EXE
27 | 3028 | Executes dropped EXE
28 | 1768 | Executes dropped EXE
29 | 4432 | Executes dropped EXE
30 | 3984 | Executes dropped EXE
31 | 3968 | Executes dropped EXE; Adds Run key to start application
32 | 4328 | Executes dropped EXE
33 | 4164 | Executes dropped EXE
34 | 4204 | Executes dropped EXE
35 | 2104 | Executes dropped EXE
36 | 2904 | Executes dropped EXE
37 | 2704 | Executes dropped EXE; Drops file in System32 directory
38 | 1408 | Executes dropped EXE; System Location Discovery: System Language Discovery
39 | 3880 | Executes dropped EXE
40 | 4988 | Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
41 | 4728 | Executes dropped EXE
42 | 2784 | Executes dropped EXE; System Location Discovery: System Language Discovery
43 | 2880 | Executes dropped EXE
44 | 3488 | Executes dropped EXE
45 | 2308 | Executes dropped EXE
46 | 4004 | Executes dropped EXE
47 | 4116 | Executes dropped EXE; System Location Discovery: System Language Discovery
48 | 2228 | Executes dropped EXE
49 | 1984 | Executes dropped EXE
50 | 740 | Executes dropped EXE
51 | 468 | Executes dropped EXE
52 | 2980 | Executes dropped EXE
53 | 4640 | Executes dropped EXE
54 | 860 | Executes dropped EXE
55 | 4732 | Executes dropped EXE; Drops file in System32 directory
56 | 3324 | Executes dropped EXE
57 | 216 | Executes dropped EXE
58 | 944 | Executes dropped EXE
59 | 448 | Executes dropped EXE
60 | 5100 | Executes dropped EXE
61 | 464 | Executes dropped EXE
62 | 4048 | Executes dropped EXE; Drops file in System32 directory
63 | 2240 | Executes dropped EXE
64 | 2276 | Executes dropped EXE
65 | 2388 | Executes dropped EXE; Adds Run key to start application
66 | 1556 |
67 | 4160 |
68 | 3120 |
69 | 4372 |
70 | 4384 | Drops file in System32 directory
71 | 1540 |
72 | 1544 |
73 | 2420 |
74 | 4904 |
75 | 4052 |
76 | 4980 |
77 | 1652 |
78 | 716 |
79 | 4876 |
80 | 4932 |
81 | 1032 |
82 | 4072 |
83 | 1528 | Drops file in System32 directory
84 | 3988 |
85 | 4724 | Adds Run key to start application
86 | 4952 |
87 | 4652 | Adds Run key to start application
88 | 3360 | Drops file in System32 directory
89 | 2124 |
90 | 2152 |
91 | 2532 |
92 | |
- Drops file in System32 directory
PID:868 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe93⤵PID:4908
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe94⤵
- System Location Discovery: System Language Discovery
PID:812 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe95⤵PID:924
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe96⤵PID:2836
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe97⤵
- Drops file in System32 directory
PID:3596 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe98⤵PID:2392
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe99⤵PID:1988
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe100⤵PID:5128
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe101⤵PID:5144
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe102⤵PID:5164
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe103⤵PID:5180
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe104⤵PID:5196
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe105⤵PID:5212
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe106⤵PID:5232
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe107⤵PID:5256
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe108⤵PID:5276
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe109⤵PID:5292
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe110⤵PID:5312
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe111⤵PID:5328
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe112⤵PID:5344
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe113⤵PID:5364
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe114⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:5384 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe115⤵PID:5404
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe116⤵
- Adds Run key to start application
PID:5416 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe117⤵PID:5440
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe118⤵PID:5460
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe119⤵PID:5480
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe120⤵PID:5496
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe121⤵PID:5516
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe122⤵PID:5532
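The tree above shows one executable, icf.exe, spawning a copy of itself from SysWOW64 through well over a hundred generations, dropping into the System32 directory and writing a Run key along the way. The script below, added here as an example and not part of the sandbox report or of the sample, turns those two observed behaviours into a hunt over Sysmon-style process-creation (EventID 1) and registry (EventID 13) events. Every event, PID, path and the Run-key value name in it is constructed for the example; the functions `self_spawn_depth`, `find_self_replication`, `find_run_key_persistence` and `triage` are this example's own, not anything the sandbox provides.

```python
"""Flag deep same-image parent/child chains and Run-key writes in Sysmon-style
events.  All telemetry below is CONSTRUCTED for this example, loosely modelled
on the report's process tree; it is not the sandbox's data."""
import re


def _proc(pid, ppid, image, parent_image):
    # Minimal Sysmon EventID 1 (process create).  Real telemetry should be
    # keyed on ProcessGuid rather than ProcessId, because Windows reuses PIDs.
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image}


def _reg(pid, image, target, details):
    # Minimal Sysmon EventID 13 (registry value set).
    return {"EventID": 13, "ProcessId": pid, "Image": image,
            "TargetObject": target, "Details": details}


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"      # constructed
# The report shows the image under SysWOW64 while the command line names
# system32: a 32-bit process asking for %windir%\system32 is redirected to
# SysWOW64 by WoW64, so compare on Image, never on the command-line path.
ICF = r"\??\c:\windows\SysWOW64\icf.exe"                       # constructed
ICF_ALT = r"C:\Windows\SysWOW64\icf.exe"    # same file, different spelling
RUN_VALUE = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\icf")  # constructed

SAMPLE_EVENTS = [
    _proc(2264, 1100, DROPPER, r"C:\Windows\explorer.exe"),
    _proc(4624, 2264, ICF, DROPPER),          # first dropped copy
    _proc(984, 4624, ICF_ALT, ICF),           # copies spawning copies ...
    _proc(408, 984, ICF, ICF_ALT),
    _proc(4284, 408, ICF, ICF),
    _proc(3740, 4284, ICF_ALT, ICF),
    _proc(1800, 3740, ICF, ICF_ALT),
    _proc(5000, 1100, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    _reg(1800, ICF, RUN_VALUE, r"c:\windows\system32\icf.exe"),
    _reg(5000, r"C:\Windows\System32\notepad.exe",
         r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\.txt",
         "txtfile"),                          # benign registry noise
]


def normalize_path(path):
    """Lower-case and strip the NT object-manager prefix so both spellings compare equal."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def self_spawn_depth(events):
    """Map each ProcessId to the count of consecutive ancestors running the same image."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    depth = {}

    def walk(pid, seen):
        if pid in depth:
            return depth[pid]
        ev = by_pid[pid]
        parent = by_pid.get(ev["ParentProcessId"])
        # `seen` guards against cycles that PID reuse can introduce.
        if (parent is None or parent["ProcessId"] in seen
                or normalize_path(parent["Image"]) != normalize_path(ev["Image"])):
            depth[pid] = 0                      # chain breaks here
        else:
            depth[pid] = 1 + walk(parent["ProcessId"], seen | {pid})
        return depth[pid]

    for pid in by_pid:
        walk(pid, frozenset())
    return depth


def find_self_replication(events, min_depth=5):
    """(pid, depth) for processes whose same-image ancestor chain is at least min_depth."""
    return sorted((p, d) for p, d in self_spawn_depth(events).items() if d >= min_depth)


RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def find_run_key_persistence(events):
    """Run/RunOnce value writes, with the writing process and the path the value points at."""
    return [{"pid": e["ProcessId"], "writer": normalize_path(e["Image"]),
             "value": e["TargetObject"], "target": normalize_path(e["Details"])}
            for e in events
            if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"])]


def triage(events, min_depth=5):
    """Combine both signals: a Run-key writer whose image also forms a self-spawn chain."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chains = find_self_replication(events, min_depth)
    chain_images = {normalize_path(by_pid[p]["Image"]) for p, _ in chains}
    run_keys = find_run_key_persistence(events)
    return {"self_replication": chains, "run_keys": run_keys,
            "high_confidence": [h for h in run_keys if h["writer"] in chain_images]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The depth threshold is deliberate: installers and updaters routinely spawn one elevated or re-launched copy of themselves, so a same-image chain of length one or two is normal, whereas the report's chain runs past a hundred. When pointing this at real Sysmon data, key the parent lookup on ProcessGuid instead of ProcessId, since a long-running collection window will see PIDs reused and the cycle guard only papers over the resulting false links.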