Analysis
- max time kernel: 31s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 11:16
Behavioral task behavioral1
- Sample: cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
- Resource: win10v2004-20240802-en

The signatures and the process tree below come from behavioral2, the Windows 10 2004 x64 run: the platform field above and the behavioral2/ prefix on every YARA match say so. The Windows 7 task is listed, but its results are not on this page.
General
- Target: cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
- Size: 51KB
- MD5: cf6cc2e9d77817411e7be7c4db7ca6e7
- SHA1: 0ba8d0d6bd167c136dc41984e100f049a9b3d421
- SHA256: f7681ab4cba48b6c9411b5c49c1373308bbeb7fdc4734058484b86c151628820
- SHA512: 062f444f9dcdd46e1238aee3e565bed32ed601384dc21124df3fe663313e5c8bc9af27cb0b3cf3ea3e128b33ea779a8c5456883d3517524f25d88aa7ad2f3120
- SSDEEP: 768:8+rd4JkyOisJevc3DxvOgNMqx1+xUbDQZHgtvKp/uCvXckXE2jrbDPWGK4SEd+Yx:nrQLsJev6DYgP1uGvKYCv9XXjDPNlXV
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Every entry is the dropped binary icf.exe. The sandbox lists at most 64 IoCs per signature, so these are the first 64 of the 93 icf.exe instances in the process tree below (depths 2 to 65), in the order they were recorded:
2360, 3828, 724, 5024, 4768, 2756, 1616, 2808, 4912, 1656, 2836, 4520, 436, 1168, 2660, 2932, 5004, 2392, 4288, 2164, 2652, 1972, 2356, 2712, 3488, 2620, 4488, 3908, 4248, 3692, 1564, 4140, 3376, 2940, 1456, 4108, 4504, 2032, 4668, 4292, 3988, 2800, 3868, 2648, 4112, 4864, 1968, 2316, 3108, 1236, 4528, 1372, 3324, 2952, 876, 4908, 980, 456, 4040, 3284, 2640, 1068, 3332, 4580
YARA rule "upx" (7 matches, all in behavioral2)
- memory/2368-0-0x0000000000400000-0x0000000000422000-memory.dmp
- files/0x000900000002348e-3.dat
- memory/2368-14-0x0000000000400000-0x0000000000422000-memory.dmp
- memory/2360-16-0x0000000000400000-0x0000000000422000-memory.dmp
- memory/2512-69-0x0000000000400000-0x0000000000422000-memory.dmp
- memory/2368-142-0x0000000000400000-0x0000000000422000-memory.dmp
- memory/2360-147-0x0000000000400000-0x0000000000422000-memory.dmp

The same rule fires on the dropper's own image (PID 2368), on the dropped file, and on two icf.exe instances (PIDs 2360 and 2512), consistent with icf.exe being a copy of the 51KB UPX-packed sample rather than a second payload. The matched regions start at 0x400000, the default image base of a 32-bit PE, which fits the arch:x86 tag.
Adds Run key to start application (2 TTPs, 64 IoCs)
All 64 entries are the same write; 53 are attributed to icf.exe and 11 to "Process not Found", the sandbox's label when it cannot map an event to a process it recorded:

description      ioc                                                                                 Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"   icf.exe (53) / Process not Found (11)

The value lands under WOW6432Node because icf.exe is a 32-bit process and the registry redirector maps its HKLM\SOFTWARE writes there. Windows processes that Run key at logon as well as the native one, so a hunt for this persistence has to read both views of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Drops file in System32 directory (64 IoCs)
63 entries are the same event, "File created \??\c:\windows\SysWOW64\icf.exe", attributed 55 times to icf.exe and 8 times to "Process not Found": each icf.exe instance rewrites its own copy. The one different entry is:
- File opened for modification \??\c:\windows\SysWOW64\1835011.bat (icf.exe)

The file sits in SysWOW64 even though the command line and the Run value both say c:\windows\system32\icf.exe: WOW64 file-system redirection sends a 32-bit process's writes to %windir%\System32 into %windir%\SysWOW64. When checking a host, look for the binary at both c:\windows\SysWOW64\icf.exe and c:\windows\System32\icf.exe and compare it against the SHA256 above.
Program crash (8 IoCs)
pid    pid_target  Process            procid_target
8324   9908        Process not Found  464
9280   9680        Process not Found  450
9848   11744       Process not Found  568
12960  14472       Process not Found  723
13340  14992       Process not Found  752
27476  14456       Process not Found  722
9820   15008       Process not Found  753
2360   10824       Process not Found  508

Apart from 2360 (the first icf.exe), none of these PIDs appears in the 94-process tree below, so the crashes belong to processes the report does not render.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 entries are the same event, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; 53 are attributed to icf.exe and 11 to "Process not Found".
Suspicious use of WriteProcessMemory (64 IoCs)
Every parent wrote into its child's memory three times, and the sandbox records each write, so the 64 entries collapse to the 22 parent -> child edges below (the last edge appears once because the 64-entry cap was reached). procid_target is the sandbox's own process index.

source PID  Process                                              target PID  procid_target
2368        cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe  2360        83
2360        icf.exe                                              3828        84
3828        icf.exe                                              724         85
724         icf.exe                                              5024        86
5024        icf.exe                                              4768        87
4768        icf.exe                                              2756        88
2756        icf.exe                                              1616        89
1616        icf.exe                                              2808        90
2808        icf.exe                                              4912        91
4912        icf.exe                                              1656        92
1656        icf.exe                                              2836        93
2836        icf.exe                                              4520        94
4520        icf.exe                                              436         95
436         icf.exe                                              1168        96
1168        icf.exe                                              2660        97
2660        icf.exe                                              2932        98
2932        icf.exe                                              5004        99
5004        icf.exe                                              2392        100
2392        icf.exe                                              4288        101
4288        icf.exe                                              2164        102
2164        icf.exe                                              2652        103
2652        icf.exe                                              1972        104
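The signatures above reduce to three behaviours a detection engineer can key on: an executable written into System32 or SysWOW64 by a process that is not a servicing component (here carrying the writer's own name), a Run value whose data launches the very binary that wrote it, and a lineage in which every process spawns another instance of its own image. The Python below is an added example, not part of the sandbox report or its tooling. It runs the three checks over Sysmon-style event dicts (EventID 1, 11 and 13 with the usual field names) that are constructed inline to mirror this report; the allowlist of servicing processes that may legitimately write into System32 is an assumption for the example.

```python
"""Detection logic for the behaviours this report attributes to icf.exe: an .exe written
into a system directory, a Run value pointing back at it, and a chain of processes each
spawning the next.  Input: Sysmon-style event dicts (EventID 1 process create, 11 file
create, 13 registry value set).  sample_events() is constructed, not sandbox output."""
import ntpath
from collections import defaultdict

# Assumed allowlist: servicing processes that legitimately write executables into System32.
SYSTEM32_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe", "poqexec.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
RUN_KEY_MARKER = "\\microsoft\\windows\\currentversion\\run\\"


def norm(path):
    """Lower-case, drop quotes and the NT prefix the sandbox shows (\\??\\c:\\...)."""
    p = path.strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def base(path):
    return ntpath.basename(norm(path))


def system_dir_exe_drops(events):
    """EID 11: .exe files written under System32/SysWOW64 by non-servicing processes.
    Returns (pid, path, is_self_copy); is_self_copy is True when the file carries the
    writer's own image name, as with icf.exe writing icf.exe."""
    hits = []
    for e in events:
        if e["EventID"] != 11:
            continue
        target = norm(e["TargetFilename"])
        if not target.endswith(".exe") or not any(d in target for d in SYSTEM_DIRS):
            continue
        if base(e["Image"]) in SYSTEM32_WRITERS:
            continue
        hits.append((e["ProcessId"], target, base(target) == base(e["Image"])))
    return hits


def self_registering_run_keys(events):
    """EID 13: a Run value (native or WOW6432Node view) whose data launches the binary
    that wrote it.  Returns (pid, key, normalised target)."""
    hits = []
    for e in events:
        if e["EventID"] != 13 or RUN_KEY_MARKER not in e["TargetObject"].lower():
            continue
        if base(e["Details"]) == base(e["Image"]):
            hits.append((e["ProcessId"], e["TargetObject"], norm(e["Details"])))
    return hits


def longest_self_spawn_chain(events):
    """EID 1: follow parent->child links where the child runs the same image as its
    parent; return the longest such chain (1 means nothing re-spawned itself)."""
    children = defaultdict(list)
    starts = set()
    for e in events:
        if e["EventID"] != 1:
            continue
        if norm(e["Image"]) == norm(e["ParentImage"]):
            children[e["ParentProcessGuid"]].append(e["ProcessGuid"])
        else:
            starts.add(e["ProcessGuid"])  # first process of its image in this lineage
    # Also start from parents whose own creation event was not captured.
    starts |= set(children) - {c for cs in children.values() for c in cs}

    def depth(guid):
        return 1 + max((depth(c) for c in children[guid]), default=0)

    return max((depth(g) for g in starts), default=0)


def sample_events():
    """Constructed: the dropper (PID 2368) writes and starts icf.exe, which re-spawns
    itself three times; one copy rewrites itself into SysWOW64 and sets a Run value.
    Noise: TrustedInstaller servicing a Defender binary and its Run value."""
    dropper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe"
    icf, ti = "C:\\Windows\\SysWOW64\\icf.exe", "C:\\Windows\\servicing\\TrustedInstaller.exe"
    run = "HKLM\\SOFTWARE\\{}Microsoft\\Windows\\CurrentVersion\\Run\\{}"
    ev = [
        {"EventID": 1, "ProcessGuid": "G0", "ParentProcessGuid": "GE", "ProcessId": 2368,
         "Image": dropper, "ParentImage": "C:\\Windows\\explorer.exe"},
        {"EventID": 11, "ProcessId": 2368, "Image": dropper,
         "TargetFilename": "\\??\\c:\\windows\\SysWOW64\\icf.exe"},
        {"EventID": 11, "ProcessId": 2360, "Image": icf,
         "TargetFilename": "\\??\\c:\\windows\\SysWOW64\\icf.exe"},
        {"EventID": 11, "ProcessId": 900, "Image": ti,
         "TargetFilename": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
        {"EventID": 13, "ProcessId": 4112, "Image": icf,
         "TargetObject": run.format("WOW6432Node\\", "icf"), "Details": "c:\\windows\\system32\\icf.exe"},
        {"EventID": 13, "ProcessId": 900, "Image": ti, "TargetObject": run.format("", "SecurityHealth"),
         "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    ]
    parent_guid, parent_image = "G0", dropper
    for i, pid in enumerate((2360, 3828, 724, 5024), start=1):
        ev.append({"EventID": 1, "ProcessGuid": f"G{i}", "ParentProcessGuid": parent_guid,
                   "ProcessId": pid, "Image": icf, "ParentImage": parent_image})
        parent_guid, parent_image = f"G{i}", icf
    return ev
```

On real data, map each Sysmon event's fields into the same dict shape and feed all three functions. The self-spawn depth is the strongest of the three signals for this sample: a chain of one image re-launching itself dozens of times is rare outside malware, whereas the drop and Run-key checks depend on the allowlist to stay quiet on servicing and Defender autoruns.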
Processes
The tree is a single chain 94 deep: the dropper (depth 1) starts icf.exe, and each icf.exe instance starts exactly one further copy. Every child has the same image, \??\c:\windows\SysWOW64\icf.exe, and the same command line, c:\windows\system32\icf.exe, so the rows below give only depth, PID and the signatures the sandbox attached to that process. Rows from depth 23 onward carry no WriteProcessMemory tag and rows from depth 66 onward no "Executes dropped EXE" tag; that matches the 64-entry cap of those signatures (64 WriteProcessMemory IoCs cover the 22 edges at depths 1 to 22, and the 64 "Executes dropped EXE" PIDs are exactly depths 2 to 65), not a change in what the processes do.

depth  PID   signatures
1      2368  C:\Users\Admin\AppData\Local\Temp\cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe
             command line: "C:\Users\Admin\AppData\Local\Temp\cf6cc2e9d77817411e7be7c4db7ca6e7_JaffaCakes118.exe"
             Suspicious use of WriteProcessMemory
2      2360  Executes dropped EXE; Suspicious use of WriteProcessMemory
3      3828  Executes dropped EXE; Suspicious use of WriteProcessMemory
4      724   Executes dropped EXE; Suspicious use of WriteProcessMemory
5      5024  Executes dropped EXE; Suspicious use of WriteProcessMemory
6      4768  Executes dropped EXE; Suspicious use of WriteProcessMemory
7      2756  Executes dropped EXE; Suspicious use of WriteProcessMemory
8      1616  Executes dropped EXE; Suspicious use of WriteProcessMemory
9      2808  Executes dropped EXE; Suspicious use of WriteProcessMemory
10     4912  Executes dropped EXE; Suspicious use of WriteProcessMemory
11     1656  Executes dropped EXE; Suspicious use of WriteProcessMemory
12     2836  Executes dropped EXE; Suspicious use of WriteProcessMemory
13     4520  Executes dropped EXE; Suspicious use of WriteProcessMemory
14     436   Executes dropped EXE; Suspicious use of WriteProcessMemory
15     1168  Executes dropped EXE; Suspicious use of WriteProcessMemory
16     2660  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
17     2932  Executes dropped EXE; Suspicious use of WriteProcessMemory
18     5004  Executes dropped EXE; Suspicious use of WriteProcessMemory
19     2392  Executes dropped EXE; Suspicious use of WriteProcessMemory
20     4288  Executes dropped EXE; Suspicious use of WriteProcessMemory
21     2164  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
22     2652  Executes dropped EXE; Suspicious use of WriteProcessMemory
23     1972  Executes dropped EXE; System Location Discovery: System Language Discovery
24     2356  Executes dropped EXE
25     2712  Executes dropped EXE
26     3488  Executes dropped EXE; System Location Discovery: System Language Discovery
27     2620  Executes dropped EXE
28     4488  Executes dropped EXE
29     3908  Executes dropped EXE
30     4248  Executes dropped EXE
31     3692  Executes dropped EXE; Drops file in System32 directory
32     1564  Executes dropped EXE
33     4140  Executes dropped EXE
34     3376  Executes dropped EXE; Drops file in System32 directory
35     2940  Executes dropped EXE
36     1456  Executes dropped EXE
37     4108  Executes dropped EXE
38     4504  Executes dropped EXE
39     2032  Executes dropped EXE
40     4668  Executes dropped EXE; System Location Discovery: System Language Discovery
41     4292  Executes dropped EXE
42     3988  Executes dropped EXE; System Location Discovery: System Language Discovery
43     2800  Executes dropped EXE
44     3868  Executes dropped EXE
45     2648  Executes dropped EXE
46     4112  Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
47     4864  Executes dropped EXE
48     1968  Executes dropped EXE
49     2316  Executes dropped EXE
50     3108  Executes dropped EXE
51     1236  Executes dropped EXE
52     4528  Executes dropped EXE
53     1372  Executes dropped EXE
54     3324  Executes dropped EXE; Drops file in System32 directory
55     2952  Executes dropped EXE
56     876   Executes dropped EXE
57     4908  Executes dropped EXE
58     980   Executes dropped EXE
59     456   Executes dropped EXE
60     4040  Executes dropped EXE
61     3284  Executes dropped EXE
62     2640  Executes dropped EXE; Drops file in System32 directory
63     1068  Executes dropped EXE
64     3332  Executes dropped EXE
65     4580  Executes dropped EXE
66     2020  (none)
67     3260  (none)
68     4156  (none)
69     1824  (none)
70     1600  (none)
71     2872  (none)
72     1812  Drops file in System32 directory
73     1996  (none)
74     2512  (none)
75     3036  (none)
76     216   (none)
77     3508  (none)
78     452   (none)
79     4372  (none)
80     4684  (none)
81     3544  (none)
82     3628  (none)
83     4344  (none)
84     1444  (none)
85     4616  Drops file in System32 directory
86     2044  (none)
87     4584  (none)
88     872   Adds Run key to start application
89     1940  (none)
90     3496  Adds Run key to start application
91     2068  (none)
92     3832  (none)
93     5000  (none)
94     3356  (none)
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe95⤵PID:1164
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe96⤵PID:4092
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe97⤵PID:2448
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe98⤵PID:2184
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe99⤵PID:2736
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe100⤵
- System Location Discovery: System Language Discovery
PID:3836 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe101⤵PID:1128
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe102⤵PID:4148
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe103⤵PID:5132
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe104⤵PID:5148
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe105⤵
- System Location Discovery: System Language Discovery
PID:5164 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe106⤵PID:5180
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe107⤵PID:5196
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe108⤵PID:5212
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe109⤵PID:5228
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe110⤵PID:5244
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe111⤵PID:5264
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe112⤵PID:5280
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe113⤵PID:5296
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe114⤵PID:5312
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe115⤵PID:5328
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe116⤵PID:5352
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe117⤵PID:5368
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe118⤵
- Adds Run key to start application
PID:5388 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe119⤵PID:5404
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe120⤵
- System Location Discovery: System Language Discovery
PID:5420 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe121⤵PID:5432
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe122⤵PID:5452