Analysis
-
max time kernel
126s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
06/09/2024, 00:27
Behavioral task
behavioral1
Sample
ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe
-
Size
51KB
-
MD5
ce3df08e0c42308d7da3870635fb9f01
-
SHA1
51b2be4919fc0d30a65c3d5ef5507ccfdd7cd5bd
-
SHA256
b9ff582ac04bce1b2506b46c8ece1e5759417bbc90ea932b854591a0fc1e25b9
-
SHA512
ecd7473dae456a6acf986b95c32165c8a04cf0859c80b56a5f40f59451e0a710e0af278654c671439e869a99410cfb104d83a69d0685671d5894128280507ce7
-
SSDEEP
1536:lBTwZwHVFSBjBUDc12vjE2B/+VnlRQkdQxULRjMtw:lxwZZjSc12vjEUY7QkRRjN
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 15484 Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2708 icf.exe 2824 icf.exe 2728 icf.exe 2904 icf.exe 2536 icf.exe 2980 icf.exe 1628 icf.exe 2768 icf.exe 2600 icf.exe 2648 icf.exe 2304 icf.exe 2192 icf.exe 1852 icf.exe 836 icf.exe 2076 icf.exe 2004 icf.exe 2524 icf.exe 1812 icf.exe 2328 icf.exe 2856 icf.exe 2972 icf.exe 3008 icf.exe 2296 icf.exe 1508 icf.exe 2864 icf.exe 2928 icf.exe 1504 icf.exe 1152 icf.exe 680 icf.exe 1904 icf.exe 1148 icf.exe 804 icf.exe 3052 icf.exe 3036 icf.exe 1008 icf.exe 748 icf.exe 568 icf.exe 2240 icf.exe 2444 icf.exe 2424 icf.exe 2256 icf.exe 2200 icf.exe 2092 icf.exe 2160 icf.exe 2136 icf.exe 2340 icf.exe 3048 icf.exe 1092 icf.exe 2220 icf.exe 1040 icf.exe 1620 icf.exe 1248 icf.exe 2576 icf.exe 1496 icf.exe 1208 icf.exe 2456 icf.exe 1156 icf.exe 1956 icf.exe 2068 icf.exe 2064 icf.exe 2124 icf.exe 2016 icf.exe 2556 icf.exe 700 icf.exe -
Loads dropped DLL 64 IoCs
pid Process 2232 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 2232 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 2708 icf.exe 2708 icf.exe 2824 icf.exe 2824 icf.exe 2728 icf.exe 2728 icf.exe 2904 icf.exe 2904 icf.exe 2536 icf.exe 2536 icf.exe 2980 icf.exe 2980 icf.exe 1628 icf.exe 1628 icf.exe 2768 icf.exe 2768 icf.exe 2600 icf.exe 2600 icf.exe 2648 icf.exe 2648 icf.exe 2304 icf.exe 2304 icf.exe 2192 icf.exe 2192 icf.exe 1852 icf.exe 1852 icf.exe 836 icf.exe 836 icf.exe 2076 icf.exe 2076 icf.exe 2004 icf.exe 2004 icf.exe 2524 icf.exe 2524 icf.exe 1812 icf.exe 1812 icf.exe 2328 icf.exe 2328 icf.exe 2856 icf.exe 2856 icf.exe 2972 icf.exe 2972 icf.exe 3008 icf.exe 3008 icf.exe 2296 icf.exe 2296 icf.exe 1508 icf.exe 1508 icf.exe 2864 icf.exe 2864 icf.exe 2928 icf.exe 2928 icf.exe 1504 icf.exe 1504 icf.exe 1152 icf.exe 1152 icf.exe 680 icf.exe 680 icf.exe 1904 icf.exe 1904 icf.exe 1148 icf.exe 1148 icf.exe -
resource yara_rule behavioral1/memory/2232-0-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x00080000000120ff-8.dat upx behavioral1/memory/2708-11-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2232-24-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2904-28-0x0000000000430000-0x0000000000453000-memory.dmp upx behavioral1/memory/2824-36-0x0000000000260000-0x0000000000283000-memory.dmp upx behavioral1/memory/2768-42-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2600-46-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2536-48-0x0000000000250000-0x0000000000273000-memory.dmp upx behavioral1/memory/2648-51-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2304-55-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1852-64-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/836-72-0x00000000002A0000-0x00000000002C3000-memory.dmp upx behavioral1/memory/2004-94-0x00000000002D0000-0x00000000002F3000-memory.dmp upx behavioral1/memory/2940-128-0x00000000002F0000-0x0000000000313000-memory.dmp upx behavioral1/memory/2232-258-0x0000000000400000-0x0000000000423000-memory.dmp upx -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = 
"c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process 
not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found -
Drops file in System32 directory 64 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\2818051.bat icf.exe File created \??\c:\windows\SysWOW64\3866627.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\2555907.bat Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2818051.bat icf.exe File created \??\c:\windows\SysWOW64\1900547.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File opened for modification \??\c:\windows\SysWOW64\1835011.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe Process not Found File opened for modification \??\c:\windows\SysWOW64\3932163.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\2555907.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\2293763.bat Process not Found File opened 
for modification \??\c:\windows\SysWOW64\2818051.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File opened for modification \??\c:\windows\SysWOW64\1835011.bat Process not Found File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File opened for modification \??\c:\windows\SysWOW64\2359299.bat Process not Found File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2359299.bat icf.exe File created \??\c:\windows\SysWOW64\3932163.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\2818051.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe 
icf.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2708 2232 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 30 PID 2232 wrote to memory of 2708 2232 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 30 PID 2232 wrote to memory of 2708 2232 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 30 PID 2232 wrote to memory of 2708 2232 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 30 PID 2708 wrote to memory of 2824 2708 icf.exe 31 PID 2708 wrote to memory of 2824 2708 icf.exe 31 PID 2708 wrote to memory of 2824 2708 icf.exe 31 PID 2708 wrote to memory of 2824 2708 icf.exe 31 PID 2824 wrote to memory of 2728 2824 icf.exe 32 PID 2824 wrote to memory of 2728 2824 icf.exe 32 PID 2824 wrote to memory of 2728 2824 icf.exe 32 PID 2824 wrote to memory of 2728 2824 icf.exe 32 PID 2728 wrote to memory of 2904 2728 icf.exe 33 PID 2728 wrote to memory of 2904 2728 icf.exe 33 PID 2728 wrote to memory of 2904 2728 icf.exe 33 PID 2728 wrote to memory of 2904 2728 icf.exe 33 PID 2904 wrote to memory of 2536 2904 icf.exe 34 PID 2904 wrote to memory of 2536 2904 icf.exe 34 PID 2904 wrote to memory of 2536 2904 icf.exe 34 PID 2904 wrote to memory of 2536 2904 icf.exe 34 PID 2536 wrote to memory of 2980 2536 icf.exe 35 PID 2536 wrote to memory of 2980 2536 icf.exe 35 PID 2536 wrote to memory of 2980 2536 icf.exe 35 PID 2536 wrote to memory of 2980 2536 icf.exe 35 PID 2980 wrote to memory of 1628 2980 icf.exe 36 PID 2980 wrote to memory of 1628 2980 icf.exe 36 PID 2980 wrote to memory of 1628 2980 icf.exe 36 PID 2980 wrote to memory of 1628 2980 icf.exe 36 PID 1628 wrote to memory of 2768 1628 icf.exe 37 PID 1628 wrote to memory of 2768 1628 icf.exe 37 PID 1628 wrote to memory of 2768 1628 icf.exe 37 PID 1628 wrote to memory of 2768 1628 icf.exe 37 PID 2768 wrote to memory of 2600 2768 icf.exe 38 PID 2768 wrote to memory of 2600 2768 icf.exe 38 PID 2768 wrote to memory of 2600 2768 icf.exe 38 PID 2768 wrote to memory of 2600 2768 icf.exe 38 PID 2600 wrote to memory 
of 2648 2600 icf.exe 39 PID 2600 wrote to memory of 2648 2600 icf.exe 39 PID 2600 wrote to memory of 2648 2600 icf.exe 39 PID 2600 wrote to memory of 2648 2600 icf.exe 39 PID 2648 wrote to memory of 2304 2648 icf.exe 40 PID 2648 wrote to memory of 2304 2648 icf.exe 40 PID 2648 wrote to memory of 2304 2648 icf.exe 40 PID 2648 wrote to memory of 2304 2648 icf.exe 40 PID 2304 wrote to memory of 2192 2304 icf.exe 41 PID 2304 wrote to memory of 2192 2304 icf.exe 41 PID 2304 wrote to memory of 2192 2304 icf.exe 41 PID 2304 wrote to memory of 2192 2304 icf.exe 41 PID 2192 wrote to memory of 1852 2192 icf.exe 42 PID 2192 wrote to memory of 1852 2192 icf.exe 42 PID 2192 wrote to memory of 1852 2192 icf.exe 42 PID 2192 wrote to memory of 1852 2192 icf.exe 42 PID 1852 wrote to memory of 836 1852 icf.exe 43 PID 1852 wrote to memory of 836 1852 icf.exe 43 PID 1852 wrote to memory of 836 1852 icf.exe 43 PID 1852 wrote to memory of 836 1852 icf.exe 43 PID 836 wrote to memory of 2076 836 icf.exe 44 PID 836 wrote to memory of 2076 836 icf.exe 44 PID 836 wrote to memory of 2076 836 icf.exe 44 PID 836 wrote to memory of 2076 836 icf.exe 44 PID 2076 wrote to memory of 2004 2076 icf.exe 45 PID 2076 wrote to memory of 2004 2076 icf.exe 45 PID 2076 wrote to memory of 2004 2076 icf.exe 45 PID 2076 wrote to memory of 2004 2076 icf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 33⤵
- Executes dropped EXE
PID:804 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 34⤵
- Executes dropped EXE
PID:3052 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 35⤵
- Executes dropped EXE
PID:3036 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 36⤵
- Executes dropped EXE
PID:1008 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 37⤵
- Executes dropped EXE
PID:748 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 38⤵
- Executes dropped EXE
PID:568 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 39⤵
- Executes dropped EXE
PID:2240 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 40⤵
- Executes dropped EXE
PID:2444 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 41⤵
- Executes dropped EXE
PID:2424 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 42⤵
- Executes dropped EXE
PID:2256 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 43⤵
- Executes dropped EXE
PID:2200 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 44⤵
- Executes dropped EXE
PID:2092 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe45⤵
- Executes dropped EXE
PID:2160 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe46⤵
- Executes dropped EXE
PID:2136 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe47⤵
- Executes dropped EXE
PID:2340 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe48⤵
- Executes dropped EXE
PID:3048 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe49⤵
- Executes dropped EXE
PID:1092 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe50⤵
- Executes dropped EXE
PID:2220 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe51⤵
- Executes dropped EXE
PID:1040 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe52⤵
- Executes dropped EXE
PID:1620 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe53⤵
- Executes dropped EXE
PID:1248 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe54⤵
- Executes dropped EXE
PID:2576 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe55⤵
- Executes dropped EXE
PID:1496 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe56⤵
- Executes dropped EXE
PID:1208 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe57⤵
- Executes dropped EXE
PID:2456 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe58⤵
- Executes dropped EXE
PID:1156 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe59⤵
- Executes dropped EXE
PID:1956 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe60⤵
- Executes dropped EXE
PID:2068 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe61⤵
- Executes dropped EXE
PID:2064 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe62⤵
- Executes dropped EXE
PID:2124 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe63⤵
- Executes dropped EXE
PID:2016 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe64⤵
- Executes dropped EXE
PID:2556 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe65⤵
- Executes dropped EXE
PID:700 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 66 ⤵ PID:956
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 67 ⤵ PID:1396
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 68 ⤵ PID:668
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 69 ⤵ PID:296
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 70 ⤵ PID:2452
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 71 ⤵ PID:1252
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 72 ⤵ PID:2224
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 73 ⤵ PID:840
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 74 ⤵ PID:1768
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 75 ⤵ PID:1640
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 76 ⤵ PID:1764
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 77 ⤵ PID:1340
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 78 ⤵ PID:1760
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 79 ⤵ PID:756
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 80 ⤵ PID:1124
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 81 ⤵ PID:1664
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 82 ⤵ PID:1592
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 83 ⤵ PID:896
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 84 ⤵ PID:2288
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 85 ⤵ PID:600
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 86 ⤵ PID:952
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 87 ⤵ PID:1288
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 88 ⤵ PID:1520
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 89 ⤵ PID:2360
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 90 ⤵
- Drops file in System32 directory
PID:1960 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 91 ⤵
- Adds Run key to start application
PID:1996 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 92 ⤵ PID:2336
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 93 ⤵ PID:2392
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 94 ⤵ PID:1492
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 95 ⤵ PID:2384
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 96 ⤵ PID:684
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 97 ⤵ PID:348
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 98 ⤵ PID:2044
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 99 ⤵ PID:1676
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 100 ⤵ PID:2916
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 101 ⤵ PID:536
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 102 ⤵ PID:984
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 103 ⤵ PID:1296
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 104 ⤵ PID:1032
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 105 ⤵ PID:1012
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 106 ⤵ PID:1744
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 107 ⤵ PID:1312
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 108 ⤵ PID:876
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 109 ⤵ PID:2428
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 110 ⤵ PID:1692
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 111 ⤵ PID:2472
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 112 ⤵ PID:2496
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 113 ⤵ PID:2532
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 114 ⤵ PID:2792
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 115 ⤵ PID:2744
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 116 ⤵ PID:2808
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 117 ⤵ PID:3028
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 118 ⤵
- Adds Run key to start application
PID:1556 -
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 119 ⤵ PID:1684
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 120 ⤵ PID:1992
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 121 ⤵ PID:1588
-
\??\c:\windows\SysWOW64\icf.exe c:\windows\system32\icf.exe 122 ⤵ PID:2796
-