Analysis
-
max time kernel
106s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
19-09-2024 05:35
Behavioral task
behavioral1
Sample
eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe
-
Size
50KB
-
MD5
eaae732c58bd1d4814bfad83bc9c3db9
-
SHA1
097cac399c07c20db6d97a086bffe2905edecd5f
-
SHA256
9573c74fd326f3259bcf668d5e2baf44b4eb7a92b8772734dc98001a0cb30ad6
-
SHA512
7fdd616f75d6edcb82ba404f6a2c8e7cec2f3aa051da34e00fde4e24bd86e43c470638307462be57a48b04cd16f435296b506847187d4cc3d7770afac2f38635
-
SSDEEP
768:5B7aqbzJXS9C2t8KoQrzSiWDqtWpT8kUZMzKiNr7k2OAd/W0eTzrLyulaGto3:5YMJACWR3LqnuUf7Osb0zvZEV
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 12044 Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1700 icf.exe 2540 icf.exe 1268 icf.exe 1224 icf.exe 2528 icf.exe 2696 icf.exe 2744 icf.exe 2804 icf.exe 2880 icf.exe 2760 icf.exe 2608 icf.exe 3020 icf.exe 2636 icf.exe 2280 icf.exe 2656 icf.exe 2604 icf.exe 2632 icf.exe 2772 icf.exe 2652 icf.exe 1932 icf.exe 1316 icf.exe 1480 icf.exe 588 icf.exe 2932 icf.exe 2860 icf.exe 596 icf.exe 1752 icf.exe 1800 icf.exe 2364 icf.exe 1312 icf.exe 556 icf.exe 236 icf.exe 2704 icf.exe 1308 icf.exe 1240 icf.exe 1788 icf.exe 2996 icf.exe 2340 icf.exe 2948 icf.exe 2936 icf.exe 2084 icf.exe 2232 icf.exe 2028 icf.exe 2560 icf.exe 2640 icf.exe 2400 icf.exe 528 icf.exe 2152 icf.exe 2324 icf.exe 2496 icf.exe 1396 icf.exe 1996 icf.exe 604 icf.exe 2292 icf.exe 2156 icf.exe 1136 icf.exe 1908 icf.exe 3032 icf.exe 2580 icf.exe 2984 icf.exe 2040 icf.exe 1504 icf.exe 1344 icf.exe 1596 icf.exe -
Loads dropped DLL 64 IoCs
pid Process 1676 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 1676 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 1700 icf.exe 1700 icf.exe 2540 icf.exe 2540 icf.exe 1268 icf.exe 1268 icf.exe 1224 icf.exe 1224 icf.exe 2528 icf.exe 2528 icf.exe 2696 icf.exe 2696 icf.exe 2744 icf.exe 2744 icf.exe 2804 icf.exe 2804 icf.exe 2880 icf.exe 2880 icf.exe 2760 icf.exe 2760 icf.exe 2608 icf.exe 2608 icf.exe 3020 icf.exe 3020 icf.exe 2636 icf.exe 2636 icf.exe 2280 icf.exe 2280 icf.exe 2656 icf.exe 2656 icf.exe 2604 icf.exe 2604 icf.exe 2632 icf.exe 2632 icf.exe 2772 icf.exe 2772 icf.exe 2652 icf.exe 2652 icf.exe 1932 icf.exe 1932 icf.exe 1316 icf.exe 1316 icf.exe 1480 icf.exe 1480 icf.exe 588 icf.exe 588 icf.exe 2932 icf.exe 2932 icf.exe 2860 icf.exe 2860 icf.exe 596 icf.exe 596 icf.exe 1752 icf.exe 1752 icf.exe 1800 icf.exe 1800 icf.exe 2364 icf.exe 2364 icf.exe 1312 icf.exe 1312 icf.exe 556 icf.exe 556 icf.exe -
resource yara_rule behavioral1/memory/1676-0-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/files/0x000700000001211b-2.dat upx behavioral1/memory/2540-16-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2540-19-0x0000000000250000-0x0000000000271000-memory.dmp upx behavioral1/memory/2696-32-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1268-36-0x00000000003D0000-0x00000000003F1000-memory.dmp upx behavioral1/memory/2804-41-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2760-48-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2744-53-0x00000000002E0000-0x0000000000301000-memory.dmp upx behavioral1/memory/3020-56-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2636-61-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2636-64-0x0000000000250000-0x0000000000271000-memory.dmp upx behavioral1/memory/2656-72-0x00000000002C0000-0x00000000002E1000-memory.dmp upx behavioral1/memory/2604-76-0x0000000000250000-0x0000000000271000-memory.dmp upx behavioral1/memory/2632-82-0x00000000001E0000-0x0000000000201000-memory.dmp upx behavioral1/memory/2604-88-0x0000000000250000-0x0000000000271000-memory.dmp upx behavioral1/memory/1932-93-0x00000000002D0000-0x00000000002F1000-memory.dmp upx behavioral1/memory/1932-99-0x00000000002D0000-0x00000000002F1000-memory.dmp upx behavioral1/memory/2936-108-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2236-128-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1040-132-0x0000000000250000-0x0000000000271000-memory.dmp upx behavioral1/memory/1676-228-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process 
not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\2359299.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2359299.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\3866627.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\3866627.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created 
\??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File opened for modification \??\c:\windows\SysWOW64\2359299.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\2293763.bat Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\2359299.bat icf.exe File created \??\c:\windows\SysWOW64\2293763.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\2555907.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\2293763.bat icf.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1676 wrote to memory of 1700 1676 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 30 PID 1676 wrote to memory of 1700 1676 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 30 PID 1676 wrote to memory of 1700 1676 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 30 PID 1676 wrote to memory of 1700 1676 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 30 PID 1700 wrote to memory of 2540 1700 icf.exe 31 PID 1700 wrote to memory of 2540 1700 icf.exe 31 PID 1700 wrote to memory of 2540 1700 icf.exe 31 PID 1700 wrote to memory of 2540 1700 icf.exe 31 PID 2540 wrote to memory of 1268 2540 icf.exe 32 PID 2540 wrote to memory of 1268 2540 icf.exe 32 PID 2540 wrote to memory of 1268 2540 icf.exe 32 PID 2540 wrote to memory of 1268 2540 icf.exe 32 PID 1268 wrote to memory of 1224 1268 icf.exe 33 PID 1268 wrote to memory of 1224 1268 icf.exe 33 PID 1268 wrote to memory of 1224 1268 icf.exe 33 PID 1268 wrote to memory of 1224 1268 icf.exe 33 PID 1224 wrote to memory of 2528 1224 icf.exe 34 PID 1224 wrote to memory of 2528 1224 icf.exe 34 PID 1224 wrote to memory of 2528 1224 icf.exe 34 PID 1224 wrote to memory of 2528 1224 icf.exe 34 PID 2528 wrote to memory of 2696 2528 icf.exe 35 PID 2528 wrote to memory of 2696 2528 icf.exe 35 PID 2528 wrote to memory of 2696 2528 icf.exe 35 PID 2528 wrote to memory of 2696 2528 icf.exe 35 PID 2696 wrote to memory of 2744 2696 icf.exe 36 PID 2696 wrote to memory of 2744 2696 icf.exe 36 PID 2696 wrote to memory of 2744 2696 icf.exe 36 PID 2696 wrote to memory of 2744 2696 icf.exe 36 PID 2744 wrote to memory of 2804 2744 icf.exe 37 PID 2744 wrote to memory of 2804 2744 icf.exe 37 PID 2744 wrote to memory of 2804 2744 icf.exe 37 PID 2744 wrote to memory of 2804 2744 icf.exe 37 PID 2804 wrote to memory of 2880 2804 icf.exe 38 PID 2804 wrote to memory of 2880 2804 icf.exe 38 PID 2804 wrote to memory of 2880 2804 icf.exe 38 PID 2804 wrote to memory of 2880 2804 icf.exe 38 PID 2880 wrote to memory 
of 2760 2880 icf.exe 39 PID 2880 wrote to memory of 2760 2880 icf.exe 39 PID 2880 wrote to memory of 2760 2880 icf.exe 39 PID 2880 wrote to memory of 2760 2880 icf.exe 39 PID 2760 wrote to memory of 2608 2760 icf.exe 40 PID 2760 wrote to memory of 2608 2760 icf.exe 40 PID 2760 wrote to memory of 2608 2760 icf.exe 40 PID 2760 wrote to memory of 2608 2760 icf.exe 40 PID 2608 wrote to memory of 3020 2608 icf.exe 41 PID 2608 wrote to memory of 3020 2608 icf.exe 41 PID 2608 wrote to memory of 3020 2608 icf.exe 41 PID 2608 wrote to memory of 3020 2608 icf.exe 41 PID 3020 wrote to memory of 2636 3020 icf.exe 42 PID 3020 wrote to memory of 2636 3020 icf.exe 42 PID 3020 wrote to memory of 2636 3020 icf.exe 42 PID 3020 wrote to memory of 2636 3020 icf.exe 42 PID 2636 wrote to memory of 2280 2636 icf.exe 43 PID 2636 wrote to memory of 2280 2636 icf.exe 43 PID 2636 wrote to memory of 2280 2636 icf.exe 43 PID 2636 wrote to memory of 2280 2636 icf.exe 43 PID 2280 wrote to memory of 2656 2280 icf.exe 44 PID 2280 wrote to memory of 2656 2280 icf.exe 44 PID 2280 wrote to memory of 2656 2280 icf.exe 44 PID 2280 wrote to memory of 2656 2280 icf.exe 44 PID 2656 wrote to memory of 2604 2656 icf.exe 45 PID 2656 wrote to memory of 2604 2656 icf.exe 45 PID 2656 wrote to memory of 2604 2656 icf.exe 45 PID 2656 wrote to memory of 2604 2656 icf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe33⤵
- Executes dropped EXE
PID:236 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe34⤵
- Executes dropped EXE
PID:2704 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe35⤵
- Executes dropped EXE
PID:1308 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe36⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1240 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe37⤵
- Executes dropped EXE
PID:1788 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe38⤵
- Executes dropped EXE
PID:2996 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe39⤵
- Executes dropped EXE
PID:2340 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe40⤵
- Executes dropped EXE
PID:2948 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe41⤵
- Executes dropped EXE
PID:2936 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe42⤵
- Executes dropped EXE
PID:2084 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe43⤵
- Executes dropped EXE
PID:2232 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe44⤵
- Executes dropped EXE
PID:2028 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe45⤵
- Executes dropped EXE
PID:2560 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe46⤵
- Executes dropped EXE
PID:2640 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe47⤵
- Executes dropped EXE
PID:2400 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe48⤵
- Executes dropped EXE
PID:528 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe49⤵
- Executes dropped EXE
PID:2152 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe51⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2496 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe52⤵
- Executes dropped EXE
PID:1396 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe53⤵
- Executes dropped EXE
PID:1996 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe54⤵
- Executes dropped EXE
PID:604 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe55⤵
- Executes dropped EXE
PID:2292 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe56⤵
- Executes dropped EXE
PID:2156 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe57⤵
- Executes dropped EXE
PID:1136 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe58⤵
- Executes dropped EXE
PID:1908 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe59⤵
- Executes dropped EXE
PID:3032 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe60⤵
- Executes dropped EXE
PID:2580 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe61⤵
- Executes dropped EXE
PID:2984 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe62⤵
- Executes dropped EXE
PID:2040 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe63⤵
- Executes dropped EXE
PID:1504 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe64⤵
- Executes dropped EXE
PID:1344 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe65⤵
- Executes dropped EXE
PID:1596 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe66⤵PID:2836
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe67⤵PID:1624
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe68⤵
- System Location Discovery: System Language Discovery
PID:1052 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe69⤵PID:2336
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe70⤵
- System Location Discovery: System Language Discovery
PID:288 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe71⤵PID:628
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe72⤵PID:764
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe73⤵PID:716
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe74⤵PID:1864
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe75⤵PID:2412
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe76⤵PID:1732
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe77⤵PID:1692
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe78⤵PID:1736
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe79⤵
- Drops file in System32 directory
PID:1724 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe80⤵PID:1372
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe81⤵PID:1520
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe82⤵
- Drops file in System32 directory
PID:1648 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe83⤵PID:1860
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe84⤵PID:868
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe85⤵PID:2104
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe86⤵
- Drops file in System32 directory
PID:2204 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe87⤵
- Adds Run key to start application
PID:3052 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe88⤵PID:1856
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe89⤵PID:2236
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe90⤵PID:1452
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe91⤵PID:2168
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe92⤵PID:2552
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe93⤵PID:2416
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe94⤵PID:2108
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe95⤵PID:700
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe96⤵PID:1040
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe97⤵PID:988
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe98⤵PID:2176
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe99⤵PID:2508
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe100⤵PID:108
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe101⤵PID:1900
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe102⤵
- Adds Run key to start application
PID:268 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe103⤵PID:1672
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe104⤵PID:1772
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe105⤵PID:904
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe106⤵PID:2180
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe107⤵
- Drops file in System32 directory
PID:2352 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe108⤵PID:2476
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe109⤵PID:1852
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe110⤵PID:1044
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe111⤵PID:2576
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe112⤵PID:1576
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe113⤵PID:1588
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe114⤵PID:1580
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe115⤵PID:1524
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe116⤵PID:2384
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe117⤵PID:1868
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe118⤵
- Adds Run key to start application
PID:1892 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe119⤵PID:1840
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe120⤵PID:2404
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe121⤵PID:1716
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe122⤵PID:1124