Analysis
- max time kernel: 112s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/09/2024, 11:16

Behavioral task: behavioral1
- Sample: cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
- Resource: win10v2004-20240802-en

General
- Target: cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
- Size: 51KB
- MD5: cf6cc2e9d77817411e7be7c4db7ca6e7
- SHA1: 0ba8d0d6bd167c136dc41984e100f049a9b3d421
- SHA256: f7681ab4cba48b6c9411b5c49c1373308bbeb7fdc4734058484b86c151628820
- SHA512: 062f444f9dcdd46e1238aee3e565bed32ed601384dc21124df3fe663313e5c8bc9af27cb0b3cf3ea3e128b33ea779a8c5456883d3517524f25d88aa7ad2f3120
- SSDEEP: 768:8+rd4JkyOisJevc3DxvOgNMqx1+xUbDQZHgtvKp/uCvXckXE2jrbDPWGK4SEd+Yx:nrQLsJev6DYgP1uGvKYCv9XXjDPNlXV
Malware Config
Signatures
Deletes itself (1 IoC)
pid   | Process
14316 | Process not Found
Executes dropped EXE (64 IoCs)
pid | Process
All 64 entries have Process = icf.exe; the PIDs, in report order, are:
2184, 2912, 2968, 540, 1980, 2784, 2596, 2680, 2720, 2612, 1656, 2520, 2964, 2676, 2656, 2488, 2528, 2608, 2984, 2944, 1416, 1636, 1400, 324, 2272, 380, 1984, 2244, 1736, 1960, 1740, 1720, 1908, 872, 1528, 2296, 1496, 1956, 2760, 1788, 2808, 2672, 2736, 1040, 2224, 2816, 2320, 2588, 1232, 1532, 448, 1560, 2952, 2832, 1728, 856, 1316, 1180, 1284, 1520, 2988, 1644, 2556, 1632
Loads dropped DLL (64 IoCs)
pid  | Process
(each of the 32 PIDs below is listed twice in the report, giving 64 IoCs)
2236 | cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
2184 | icf.exe
2912 | icf.exe
2968 | icf.exe
540  | icf.exe
1980 | icf.exe
2784 | icf.exe
2596 | icf.exe
2680 | icf.exe
2720 | icf.exe
2612 | icf.exe
1656 | icf.exe
2520 | icf.exe
2964 | icf.exe
2676 | icf.exe
2656 | icf.exe
2488 | icf.exe
2528 | icf.exe
2608 | icf.exe
2984 | icf.exe
2944 | icf.exe
1416 | icf.exe
1636 | icf.exe
1400 | icf.exe
324  | icf.exe
2272 | icf.exe
380  | icf.exe
1984 | icf.exe
2244 | icf.exe
1736 | icf.exe
1960 | icf.exe
1740 | icf.exe

resource | yara_rule
behavioral1/memory/2236-1-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/files/0x000b00000001227f-10.dat | upx
behavioral1/memory/1980-25-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/2184-17-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/2784-31-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/1980-30-0x00000000002D0000-0x00000000002F2000-memory.dmp | upx
behavioral1/memory/1980-29-0x00000000002D0000-0x00000000002F2000-memory.dmp | upx
behavioral1/memory/2596-36-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/2784-35-0x0000000000270000-0x0000000000292000-memory.dmp | upx
behavioral1/memory/2596-40-0x0000000000310000-0x0000000000332000-memory.dmp | upx
behavioral1/memory/2520-60-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/2656-70-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/2488-88-0x00000000002C0000-0x00000000002E2000-memory.dmp | upx
behavioral1/memory/1416-92-0x0000000000250000-0x0000000000272000-memory.dmp | upx
behavioral1/memory/1988-145-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/2184-249-0x0000000000400000-0x0000000000422000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
All 64 entries share the same description and ioc:
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"
The Process column, in report order (42 entries icf.exe, 22 entries Process not Found):
  Process not Found, icf.exe ×2, Process not Found, icf.exe, Process not Found ×2, icf.exe ×3, Process not Found, icf.exe, Process not Found, icf.exe ×4, Process not Found ×2, icf.exe ×5, Process not Found, icf.exe ×4, Process not Found, icf.exe ×2, Process not Found ×3, icf.exe ×2, Process not Found ×3, icf.exe ×5, Process not Found, icf.exe ×4, Process not Found ×2, icf.exe ×2, Process not Found, icf.exe ×2, Process not Found, icf.exe ×3, Process not Found, icf.exe ×2
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File opened for modification | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\1835011.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2818051.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File opened for modification | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\2818051.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File opened for modification | \??\c:\windows\SysWOW64\2359299.bat | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\3866627.bat | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\1835011.bat | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\2293763.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\1835011.bat | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\1835011.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\2359299.bat | icf.exe
File opened for modification | \??\c:\windows\SysWOW64\1835011.bat | Process not Found
File created | \??\c:\windows\SysWOW64\icf.exe | icf.exe
File created | \??\c:\windows\SysWOW64\icf.exe | Process not Found
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
File created | \??\c:\windows\SysWOW64\2293763.bat | icf.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 entries share the same description and ioc:
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
The Process column, in report order:
  icf.exe ×4, Process not Found ×2, icf.exe ×2, Process not Found ×2, icf.exe, Process not Found, icf.exe ×3, Process not Found ×2, icf.exe ×3, Process not Found, icf.exe ×2, Process not Found, icf.exe ×3, Process not Found, icf.exe ×5, Process not Found ×2, icf.exe ×4, Process not Found ×2, icf.exe ×2, Process not Found ×4, icf.exe ×4, Process not Found ×4, icf.exe, Process not Found, icf.exe ×5, Process not Found, icf.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
(each row below appears four times in the report, giving 64 IoCs)
PID 2236 wrote to memory of 2184 | 2236 | cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe | 31
PID 2184 wrote to memory of 2912 | 2184 | icf.exe | 32
PID 2912 wrote to memory of 2968 | 2912 | icf.exe | 33
PID 2968 wrote to memory of 540 | 2968 | icf.exe | 34
PID 540 wrote to memory of 1980 | 540 | icf.exe | 35
PID 1980 wrote to memory of 2784 | 1980 | icf.exe | 36
PID 2784 wrote to memory of 2596 | 2784 | icf.exe | 37
PID 2596 wrote to memory of 2680 | 2596 | icf.exe | 38
PID 2680 wrote to memory of 2720 | 2680 | icf.exe | 39
PID 2720 wrote to memory of 2612 | 2720 | icf.exe | 40
PID 2612 wrote to memory of 1656 | 2612 | icf.exe | 41
PID 1656 wrote to memory of 2520 | 1656 | icf.exe | 42
PID 2520 wrote to memory of 2964 | 2520 | icf.exe | 43
PID 2964 wrote to memory of 2676 | 2964 | icf.exe | 44
PID 2676 wrote to memory of 2656 | 2676 | icf.exe | 45
PID 2656 wrote to memory of 2488 | 2656 | icf.exe | 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:380 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1740 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe33⤵
- Executes dropped EXE
PID:1720 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe34⤵
- Executes dropped EXE
PID:1908 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe35⤵
- Executes dropped EXE
PID:872 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe36⤵
- Executes dropped EXE
PID:1528 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe37⤵
- Executes dropped EXE
PID:2296 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1496 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
depth 40  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2760
  - Executes dropped EXE
depth 41  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1788
  - Executes dropped EXE
depth 42  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2808
  - Executes dropped EXE
depth 43  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2672
  - Executes dropped EXE
depth 44  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2736
  - Executes dropped EXE
depth 45  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1040
  - Executes dropped EXE
depth 46  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2224
  - Executes dropped EXE
depth 47  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2816
  - Executes dropped EXE
depth 48  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2320
  - Executes dropped EXE
depth 49  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2588
  - Executes dropped EXE
depth 50  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1232
  - Executes dropped EXE
depth 51  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1532
  - Executes dropped EXE
  - Drops file in System32 directory
depth 52  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 448
  - Executes dropped EXE
  - Adds Run key to start application
depth 53  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1560
  - Executes dropped EXE
depth 54  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2952
  - Executes dropped EXE
depth 55  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2832
  - Executes dropped EXE
depth 56  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1728
  - Executes dropped EXE
depth 57  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 856
  - Executes dropped EXE
depth 58  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1316
  - Executes dropped EXE
depth 59  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1180
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 60  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1284
  - Executes dropped EXE
depth 61  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1520
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 62  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2988
  - Executes dropped EXE
depth 63  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1644
  - Executes dropped EXE
  - Drops file in System32 directory
depth 64  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2556
  - Executes dropped EXE
depth 65  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1632
  - Executes dropped EXE
depth 66  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1624
depth 67  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1756
depth 68  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1408
  - Drops file in System32 directory
depth 69  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 912
depth 70  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 920
depth 71  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2288
depth 72  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1708
depth 73  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2728
depth 74  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1216
depth 75  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1464
depth 76  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1060
depth 77  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1220
depth 78  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1704
depth 79  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 788
depth 80  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 884
depth 81  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 300
depth 82  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 708
depth 83  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2204
depth 84  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1976
depth 85  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 3012
depth 86  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2996
depth 87  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2980
  - Adds Run key to start application
depth 88  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2072
depth 89  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 3064
  - System Location Discovery: System Language Discovery
depth 90  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1612
depth 91  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 3052
  - Adds Run key to start application
depth 92  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2144
depth 93  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1888
depth 94  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 756
depth 95  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2156
depth 96  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1700
depth 97  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1724
depth 98  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2360
depth 99  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2160
depth 100  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 892
depth 101  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 584
depth 102  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2152
depth 103  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2328
depth 104  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2132
depth 105  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2364
depth 106  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2960
  - Adds Run key to start application
  - Drops file in System32 directory
depth 107  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1504
depth 108  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2308
depth 109  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1508
depth 110  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2776
depth 111  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1000
depth 112  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 592
depth 113  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2084
depth 114  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2896
depth 115  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2904
depth 116  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2076
depth 117  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2840
depth 118  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 996
depth 119  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 2668
depth 120  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 3004
depth 121  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 3048
depth 122  image: \??\c:\windows\SysWOW64\icf.exe  cmdline: c:\windows\system32\icf.exe  PID 1712
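The tree above is one dropped binary, icf.exe, relaunching a copy of itself level after level, with the Run-key write and the System32 file drops recurring at several depths. As an added example (Python written for this page, not part of the sandbox report or of any tooling the report comes from), the script below parses the extracted process-tree format as it appears on this page, pulling image path, command line, depth and PID out of the fused header lines, then finds the self-spawn chains and lists the PIDs that tripped the Run-key signature. SAMPLE is constructed from a few entries copied out of the tree above; reading the number in front of the ⤵ marker as the nesting depth in the tree is an assumption.

```python
"""Parse the extracted Triage process-tree format and flag self-spawn chains.

Added example, not part of the sandbox report. SAMPLE is constructed from a
few entries copied out of the tree above, in the fused form the extracted
page uses: image path, command line and depth run together on one line, then
one signature per "- " bullet, then "PID:<n>". Reading the number before the
⤵ marker as the nesting depth in the tree is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = r"""
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:380 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe52⤵
- Executes dropped EXE
- Adds Run key to start application
PID:448 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe66⤵PID:1624
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe67⤵PID:1756
-
"""

# One header line: NT-style image path glued to the command line, then the
# depth and the ⤵ marker; the PID is fused on when the entry has no signatures.
HEADER = re.compile(
    r"^(?P<image>\\\?\?\\[^\n]*?\.exe)"
    r"(?P<cmd>[a-zA-Z]:\\[^\n]*?\.exe)"
    r"(?P<depth>\d+)⤵"
    r"(?:PID:(?P<pid>\d+))?$"
)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Turn the fused text into one Proc per process, in tree order."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # bullet residue left by the extraction
            continue
        m = HEADER.match(line)
        if m:
            procs.append(Proc(m["image"], m["cmd"], int(m["depth"]),
                              int(m["pid"]) if m["pid"] else None))
        elif not procs:
            raise ValueError(f"data before first process header: {line!r}")
        elif line.startswith("PID:"):
            procs[-1].pid = int(line[4:].split()[0])
        elif line.startswith("- "):
            procs[-1].signatures.append(line[2:])
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return procs


def self_spawn_chains(procs: List[Proc], min_len: int = 2) -> List[Tuple[str, int, int, int]]:
    """Maximal runs in which each process has the same image as the one before
    it and sits exactly one level deeper: a binary relaunching a copy of itself.
    Returns (image, first depth, last depth, length) per run of at least min_len."""
    chains: List[Tuple[str, int, int, int]] = []
    run: List[Proc] = []
    for p in procs + [None]:  # sentinel flushes the final run
        if p is not None and run and p.image == run[-1].image and p.depth == run[-1].depth + 1:
            run.append(p)
            continue
        if len(run) >= min_len:
            chains.append((run[0].image, run[0].depth, run[-1].depth, len(run)))
        run = [p] if p is not None else []
    return chains


def persistence_hits(procs: List[Proc]) -> List[Optional[int]]:
    """PIDs whose signature list carries the Run-key persistence hit."""
    return [p.pid for p in procs if any("Run key" in s for s in p.signatures)]


def wow64_redirected(p: Proc) -> bool:
    """True when the command line names system32 but the mapped image lives in
    SysWOW64: WoW64 file-system redirection of a 32-bit process on x64 Windows."""
    return "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower()


if __name__ == "__main__":
    procs = parse_tree(SAMPLE)
    print(f"{len(procs)} processes, {len(set(p.image for p in procs))} distinct image(s)")
    for image, first, last, n in self_spawn_chains(procs):
        print(f"self-spawn chain: {image} depth {first}..{last} ({n} processes)")
    print("Run-key persistence from PIDs:", persistence_hits(procs))
    print("WoW64-redirected:", all(wow64_redirected(p) for p in procs))
```

Two points the parser makes visible. The system32-versus-SysWOW64 mismatch on every entry is not a trick on the sample's part: a 32-bit process on x64 Windows that opens c:\windows\system32 is silently redirected to SysWOW64, so the image path the sandbox records will always differ from the command line here. What is worth alerting on is the chain itself; run the script over the whole tree and the single self-spawn run spanning dozens of levels is the feature a process-ancestry rule should key on, with the Run-key PIDs as the persistence artefacts to clean up.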