Analysis
-
max time kernel
57s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/09/2024, 00:27 UTC
Behavioral task
behavioral1
Sample
ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe
-
Size
51KB
-
MD5
ce3df08e0c42308d7da3870635fb9f01
-
SHA1
51b2be4919fc0d30a65c3d5ef5507ccfdd7cd5bd
-
SHA256
b9ff582ac04bce1b2506b46c8ece1e5759417bbc90ea932b854591a0fc1e25b9
-
SHA512
ecd7473dae456a6acf986b95c32165c8a04cf0859c80b56a5f40f59451e0a710e0af278654c671439e869a99410cfb104d83a69d0685671d5894128280507ce7
-
SSDEEP
1536:lBTwZwHVFSBjBUDc12vjE2B/+VnlRQkdQxULRjMtw:lxwZZjSc12vjEUY7QkRRjN
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 22 23348 Process not Found 25 23348 Process not Found 29 23348 Process not Found 30 23348 Process not Found 32 23348 Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2468 icf.exe 2608 icf.exe 2872 icf.exe 4756 icf.exe 4248 icf.exe 3672 icf.exe 3584 icf.exe 4192 icf.exe 4124 icf.exe 380 icf.exe 3644 icf.exe 4332 icf.exe 4656 icf.exe 2912 icf.exe 4088 icf.exe 116 icf.exe 4300 icf.exe 2248 icf.exe 3896 icf.exe 2136 icf.exe 3664 icf.exe 2236 icf.exe 800 icf.exe 4220 icf.exe 5032 icf.exe 384 icf.exe 672 icf.exe 2580 icf.exe 4700 icf.exe 1300 icf.exe 2304 icf.exe 1536 icf.exe 3408 icf.exe 4900 icf.exe 4040 icf.exe 2540 icf.exe 4992 icf.exe 1856 icf.exe 900 icf.exe 852 icf.exe 3716 icf.exe 2284 icf.exe 3248 icf.exe 4884 icf.exe 3684 icf.exe 3108 icf.exe 1420 icf.exe 872 icf.exe 696 icf.exe 408 icf.exe 1392 icf.exe 1256 icf.exe 4496 icf.exe 4584 icf.exe 3056 icf.exe 1192 icf.exe 1124 icf.exe 3724 icf.exe 3940 icf.exe 3748 icf.exe 2108 icf.exe 1728 icf.exe 4260 icf.exe 4932 icf.exe -
resource yara_rule behavioral2/memory/2624-0-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/files/0x0009000000023484-5.dat upx behavioral2/memory/2580-34-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2468-16-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2624-14-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2468-173-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2624-178-0x0000000000400000-0x0000000000423000-memory.dmp upx -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\4718595.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\10354691.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\4390915.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\5242883.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\5242883.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File opened for modification \??\c:\windows\SysWOW64\5242883.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 10964 9860 Process not Found 452 7744 9540 Process not Found 435 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID Process not Found -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed Process not Found -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeCreateGlobalPrivilege 7836 Process not Found Token: SeChangeNotifyPrivilege 7836 Process not Found Token: 33 7836 Process not Found Token: SeIncBasePriorityPrivilege 7836 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2624 wrote to memory of 2468 2624 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 83 PID 2624 wrote to memory of 2468 2624 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 83 PID 2624 wrote to memory of 2468 2624 ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe 83 PID 2468 wrote to memory of 2608 2468 icf.exe 84 PID 2468 wrote to memory of 2608 2468 icf.exe 84 PID 2468 wrote to memory of 2608 2468 icf.exe 84 PID 2608 wrote to memory of 2872 2608 icf.exe 85 PID 2608 wrote to memory of 2872 2608 icf.exe 85 PID 2608 wrote to memory of 2872 2608 icf.exe 85 PID 2872 wrote to memory of 4756 2872 icf.exe 86 PID 2872 wrote to memory of 4756 2872 icf.exe 86 PID 2872 wrote to memory of 4756 2872 icf.exe 86 PID 4756 wrote to memory of 4248 4756 icf.exe 87 PID 4756 wrote to memory of 4248 4756 icf.exe 87 PID 4756 wrote to memory of 4248 4756 icf.exe 87 PID 4248 wrote to memory of 3672 4248 icf.exe 88 PID 4248 wrote to memory of 3672 4248 icf.exe 88 PID 4248 wrote to memory of 3672 4248 icf.exe 88 PID 3672 wrote to memory of 3584 3672 icf.exe 89 PID 3672 wrote to memory of 3584 3672 icf.exe 89 PID 3672 wrote to memory of 3584 3672 icf.exe 89 PID 3584 wrote to memory of 4192 3584 icf.exe 90 PID 3584 wrote to memory of 4192 3584 icf.exe 90 PID 3584 wrote to memory of 4192 3584 icf.exe 90 PID 4192 wrote to memory of 4124 4192 icf.exe 92 PID 4192 wrote to memory of 4124 4192 icf.exe 92 PID 4192 wrote to memory of 4124 4192 icf.exe 92 PID 4124 wrote to memory of 380 4124 icf.exe 93 PID 4124 wrote to memory of 380 4124 icf.exe 93 PID 4124 wrote to memory of 380 4124 icf.exe 93 PID 380 wrote to memory of 3644 380 icf.exe 94 PID 380 wrote to memory of 3644 380 icf.exe 94 PID 380 wrote to memory of 3644 380 icf.exe 94 PID 3644 wrote to memory of 4332 3644 icf.exe 95 PID 3644 wrote to memory of 4332 3644 icf.exe 95 PID 3644 wrote to memory of 4332 3644 icf.exe 95 PID 4332 wrote to memory of 4656 4332 icf.exe 96 PID 4332 wrote to memory of 4656 4332 icf.exe 96 PID 4332 wrote to memory of 4656 4332 icf.exe 96 PID 4656 wrote to memory of 2912 4656 icf.exe 98 PID 4656 wrote to memory of 2912 4656 icf.exe 98 PID 4656 wrote to memory of 2912 4656 icf.exe 98 PID 2912 wrote to memory of 4088 2912 icf.exe 99 PID 2912 wrote to memory of 4088 2912 icf.exe 99 PID 2912 wrote to memory of 4088 2912 icf.exe 99 PID 4088 wrote to memory of 116 4088 icf.exe 100 PID 4088 wrote to memory of 116 4088 icf.exe 100 PID 4088 wrote to memory of 116 4088 icf.exe 100 PID 116 wrote to memory of 4300 116 icf.exe 101 PID 116 wrote to memory of 4300 116 icf.exe 101 PID 116 wrote to memory of 4300 116 icf.exe 101 PID 4300 wrote to memory of 2248 4300 icf.exe 102 PID 4300 wrote to memory of 2248 4300 icf.exe 102 PID 4300 wrote to memory of 2248 4300 icf.exe 102 PID 2248 wrote to memory of 3896 2248 icf.exe 103 PID 2248 wrote to memory of 3896 2248 icf.exe 103 PID 2248 wrote to memory of 3896 2248 icf.exe 103 PID 3896 wrote to memory of 2136 3896 icf.exe 104 PID 3896 wrote to memory of 2136 3896 icf.exe 104 PID 3896 wrote to memory of 2136 3896 icf.exe 104 PID 2136 wrote to memory of 3664 2136 icf.exe 105 PID 2136 wrote to memory of 3664 2136 icf.exe 105 PID 2136 wrote to memory of 3664 2136 icf.exe 105 PID 3664 wrote to memory of 2236 3664 icf.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ce3df08e0c42308d7da3870635fb9f01_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe21⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe23⤵
- Executes dropped EXE
PID:2236 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:800 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe25⤵
- Executes dropped EXE
PID:4220 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe26⤵
- Executes dropped EXE
PID:5032 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe27⤵
- Executes dropped EXE
- Adds Run key to start application
PID:384 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe28⤵
- Executes dropped EXE
PID:672 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe29⤵
- Executes dropped EXE
PID:2580 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe30⤵
- Executes dropped EXE
PID:4700 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe31⤵
- Executes dropped EXE
PID:1300 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe32⤵
- Executes dropped EXE
PID:2304 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe33⤵
- Executes dropped EXE
PID:1536 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe34⤵
- Executes dropped EXE
PID:3408 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe35⤵
- Executes dropped EXE
PID:4900 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe36⤵
- Executes dropped EXE
PID:4040 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe37⤵
- Executes dropped EXE
PID:2540 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe39⤵
- Executes dropped EXE
PID:1856 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe40⤵
- Executes dropped EXE
PID:900 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe41⤵
- Executes dropped EXE
PID:852 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe42⤵
- Executes dropped EXE
PID:3716 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe43⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2284 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe44⤵
- Executes dropped EXE
PID:3248 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4884 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe46⤵
- Executes dropped EXE
PID:3684 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe47⤵
- Executes dropped EXE
PID:3108 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe48⤵
- Executes dropped EXE
PID:1420 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe49⤵
- Executes dropped EXE
PID:872 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe50⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:696 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe51⤵
- Executes dropped EXE
PID:408 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe52⤵
- Executes dropped EXE
PID:1392 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe53⤵
- Executes dropped EXE
PID:1256 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe54⤵
- Executes dropped EXE
PID:4496 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe55⤵
- Executes dropped EXE
PID:4584 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe56⤵
- Executes dropped EXE
PID:3056 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1192 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe58⤵
- Executes dropped EXE
PID:1124 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe59⤵
- Executes dropped EXE
PID:3724 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe60⤵
- Executes dropped EXE
PID:3940 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe61⤵
- Executes dropped EXE
PID:3748 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe62⤵
- Executes dropped EXE
PID:2108 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe63⤵
- Executes dropped EXE
PID:1728 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe64⤵
- Executes dropped EXE
PID:4260 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe65⤵
- Executes dropped EXE
PID:4932 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe66⤵PID:1912
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe67⤵PID:1540
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe68⤵PID:2916
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe69⤵PID:4328
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe70⤵
- Drops file in System32 directory
PID:1660 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe71⤵PID:4516
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe72⤵PID:1152
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe73⤵
- Drops file in System32 directory
PID:3260 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe74⤵PID:3224
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe75⤵
- System Location Discovery: System Language Discovery
PID:804 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe76⤵PID:2484
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe77⤵
- Adds Run key to start application
PID:656 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe78⤵PID:4296
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe79⤵PID:1900
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe80⤵PID:952
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe81⤵PID:3368
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe82⤵PID:3200
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe83⤵PID:3872
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe84⤵PID:4176
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe85⤵PID:1832
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe86⤵PID:4532
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe87⤵PID:3412
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe88⤵PID:4436
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe89⤵PID:4888
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe90⤵PID:3760
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe91⤵PID:3508
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe92⤵PID:2096
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe93⤵PID:4448
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe94⤵PID:2860
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe95⤵PID:4976
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe96⤵PID:3792
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe97⤵PID:2252
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe98⤵
- Drops file in System32 directory
PID:1920 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe99⤵PID:2928
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe100⤵PID:4940
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe101⤵PID:4152
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe102⤵PID:5132
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe103⤵PID:5168
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe104⤵PID:5196
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe105⤵PID:5216
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe106⤵PID:5232
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe107⤵PID:5248
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe108⤵PID:5264
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe109⤵
- Drops file in System32 directory
PID:5288 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe110⤵PID:5304
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe111⤵PID:5320
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe112⤵PID:5336
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe113⤵PID:5352
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe114⤵PID:5368
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe115⤵PID:5388
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe116⤵
- System Location Discovery: System Language Discovery
PID:5408 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe117⤵PID:5424
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe118⤵PID:5444
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe119⤵
- Drops file in System32 directory
PID:5460 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe120⤵PID:5476
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe121⤵
- Adds Run key to start application
PID:5492
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-