Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 05:35
Behavioral task
behavioral1
Sample
eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe
-
Size
50KB
-
MD5
eaae732c58bd1d4814bfad83bc9c3db9
-
SHA1
097cac399c07c20db6d97a086bffe2905edecd5f
-
SHA256
9573c74fd326f3259bcf668d5e2baf44b4eb7a92b8772734dc98001a0cb30ad6
-
SHA512
7fdd616f75d6edcb82ba404f6a2c8e7cec2f3aa051da34e00fde4e24bd86e43c470638307462be57a48b04cd16f435296b506847187d4cc3d7770afac2f38635
-
SSDEEP
768:5B7aqbzJXS9C2t8KoQrzSiWDqtWpT8kUZMzKiNr7k2OAd/W0eTzrLyulaGto3:5YMJACWR3LqnuUf7Osb0zvZEV
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1396 icf.exe 4620 icf.exe 1464 icf.exe 3912 icf.exe 1840 icf.exe 4404 icf.exe 3668 icf.exe 1008 icf.exe 4780 icf.exe 2584 icf.exe 1392 icf.exe 376 icf.exe 4352 icf.exe 2076 icf.exe 4056 icf.exe 1268 icf.exe 1192 icf.exe 4468 icf.exe 4544 icf.exe 3988 icf.exe 2848 icf.exe 3200 icf.exe 4900 icf.exe 3228 icf.exe 3660 icf.exe 3484 icf.exe 3984 icf.exe 4840 icf.exe 2164 icf.exe 4968 icf.exe 1948 icf.exe 5088 icf.exe 2244 icf.exe 4936 icf.exe 2524 icf.exe 3040 icf.exe 3488 icf.exe 452 icf.exe 2212 icf.exe 4796 icf.exe 3580 icf.exe 4360 icf.exe 1632 icf.exe 4756 icf.exe 3068 icf.exe 2800 icf.exe 1304 icf.exe 880 icf.exe 1284 icf.exe 3412 icf.exe 4224 icf.exe 3664 icf.exe 1828 icf.exe 3868 icf.exe 1308 icf.exe 3864 icf.exe 5100 icf.exe 4776 icf.exe 3436 icf.exe 4292 icf.exe 3492 icf.exe 3372 icf.exe 4320 icf.exe 4240 icf.exe -
resource yara_rule behavioral2/memory/3388-0-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/files/0x000800000002359b-3.dat upx behavioral2/memory/3388-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1396-16-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1304-53-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/11596-102-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3388-138-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1396-147-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\6946819.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\6422531.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\9371651.bat Process not Found File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\5636099.bat Process not Found File opened for modification \??\c:\windows\SysWOW64\4718595.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\5570563.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\5570563.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\5046275.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File opened for modification \??\c:\windows\SysWOW64\4718595.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe Process not Found File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\1835011.bat icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe File created \??\c:\windows\SysWOW64\icf.exe icf.exe -
Program crash 7 IoCs
pid pid_target Process procid_target 23944 7888 Process not Found 324 24072 7904 Process not Found 325 6376 9856 Process not Found 432 3932 9816 Process not Found 2131 5912 14144 Process not Found 691 8072 7660 Process not Found 312 5636 16480 Process not Found 826 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3388 wrote to memory of 1396 3388 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 89 PID 3388 wrote to memory of 1396 3388 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 89 PID 3388 wrote to memory of 1396 3388 eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe 89 PID 1396 wrote to memory of 4620 1396 icf.exe 90 PID 1396 wrote to memory of 4620 1396 icf.exe 90 PID 1396 wrote to memory of 4620 1396 icf.exe 90 PID 4620 wrote to memory of 1464 4620 icf.exe 91 PID 4620 wrote to memory of 1464 4620 icf.exe 91 PID 4620 wrote to memory of 1464 4620 icf.exe 91 PID 1464 wrote to memory of 3912 1464 icf.exe 92 PID 1464 wrote to memory of 3912 1464 icf.exe 92 PID 1464 wrote to memory of 3912 1464 icf.exe 92 PID 3912 wrote to memory of 1840 3912 icf.exe 93 PID 3912 wrote to memory of 1840 3912 icf.exe 93 PID 3912 wrote to memory of 1840 3912 icf.exe 93 PID 1840 wrote to memory of 4404 1840 icf.exe 94 PID 1840 wrote to memory of 4404 1840 icf.exe 94 PID 1840 wrote to memory of 4404 1840 icf.exe 94 PID 4404 wrote to memory of 3668 4404 icf.exe 95 PID 4404 wrote to memory of 3668 4404 icf.exe 95 PID 4404 wrote to memory of 3668 4404 icf.exe 95 PID 3668 wrote to memory of 1008 3668 icf.exe 96 PID 3668 wrote to memory of 1008 3668 icf.exe 96 PID 3668 wrote to memory of 1008 3668 icf.exe 96 PID 1008 wrote to memory of 4780 1008 icf.exe 97 PID 1008 wrote to memory of 4780 1008 icf.exe 97 PID 1008 wrote to memory of 4780 1008 icf.exe 97 PID 4780 wrote to memory of 2584 4780 icf.exe 98 PID 4780 wrote to memory of 2584 4780 icf.exe 98 PID 4780 wrote to memory of 2584 4780 icf.exe 98 PID 2584 wrote to memory of 1392 2584 icf.exe 99 PID 2584 wrote to memory of 1392 2584 icf.exe 99 PID 2584 wrote to memory of 1392 2584 icf.exe 99 PID 1392 wrote to memory of 376 1392 icf.exe 100 PID 1392 wrote to memory of 376 1392 icf.exe 100 PID 1392 wrote to memory of 376 1392 icf.exe 100 PID 376 wrote to memory of 4352 376 icf.exe 101 PID 376 wrote to memory of 4352 376 icf.exe 101 PID 376 wrote to memory of 4352 376 icf.exe 101 PID 4352 wrote to memory of 2076 4352 icf.exe 102 PID 4352 wrote to memory of 2076 4352 icf.exe 102 PID 4352 wrote to memory of 2076 4352 icf.exe 102 PID 2076 wrote to memory of 4056 2076 icf.exe 103 PID 2076 wrote to memory of 4056 2076 icf.exe 103 PID 2076 wrote to memory of 4056 2076 icf.exe 103 PID 4056 wrote to memory of 1268 4056 icf.exe 104 PID 4056 wrote to memory of 1268 4056 icf.exe 104 PID 4056 wrote to memory of 1268 4056 icf.exe 104 PID 1268 wrote to memory of 1192 1268 icf.exe 105 PID 1268 wrote to memory of 1192 1268 icf.exe 105 PID 1268 wrote to memory of 1192 1268 icf.exe 105 PID 1192 wrote to memory of 4468 1192 icf.exe 106 PID 1192 wrote to memory of 4468 1192 icf.exe 106 PID 1192 wrote to memory of 4468 1192 icf.exe 106 PID 4468 wrote to memory of 4544 4468 icf.exe 107 PID 4468 wrote to memory of 4544 4468 icf.exe 107 PID 4468 wrote to memory of 4544 4468 icf.exe 107 PID 4544 wrote to memory of 3988 4544 icf.exe 108 PID 4544 wrote to memory of 3988 4544 icf.exe 108 PID 4544 wrote to memory of 3988 4544 icf.exe 108 PID 3988 wrote to memory of 2848 3988 icf.exe 109 PID 3988 wrote to memory of 2848 3988 icf.exe 109 PID 3988 wrote to memory of 2848 3988 icf.exe 109 PID 2848 wrote to memory of 3200 2848 icf.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eaae732c58bd1d4814bfad83bc9c3db9_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe18⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe22⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe23⤵
- Executes dropped EXE
PID:3200 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe24⤵
- Executes dropped EXE
PID:4900 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe25⤵
- Executes dropped EXE
PID:3228 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3660 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe27⤵
- Executes dropped EXE
PID:3484 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe28⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3984 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe29⤵
- Executes dropped EXE
PID:4840 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe30⤵
- Executes dropped EXE
PID:2164 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe31⤵
- Executes dropped EXE
PID:4968 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe32⤵
- Executes dropped EXE
PID:1948 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe34⤵
- Executes dropped EXE
PID:2244 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe35⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4936 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe36⤵
- Executes dropped EXE
PID:2524 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe37⤵
- Executes dropped EXE
PID:3040 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe38⤵
- Executes dropped EXE
PID:3488 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe39⤵
- Executes dropped EXE
PID:452 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe40⤵
- Executes dropped EXE
PID:2212 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe41⤵
- Executes dropped EXE
PID:4796 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe42⤵
- Executes dropped EXE
PID:3580 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe43⤵
- Executes dropped EXE
PID:4360 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe44⤵
- Executes dropped EXE
PID:1632 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4756 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe48⤵
- Executes dropped EXE
PID:1304 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe49⤵
- Executes dropped EXE
PID:880 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe50⤵
- Executes dropped EXE
PID:1284 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe51⤵
- Executes dropped EXE
PID:3412 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4224 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe53⤵
- Executes dropped EXE
PID:3664 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe54⤵
- Executes dropped EXE
PID:1828 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe55⤵
- Executes dropped EXE
PID:3868 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe56⤵
- Executes dropped EXE
PID:1308 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe57⤵
- Executes dropped EXE
PID:3864 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe58⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5100 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe59⤵
- Executes dropped EXE
PID:4776 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe60⤵
- Executes dropped EXE
PID:3436 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe61⤵
- Executes dropped EXE
PID:4292 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe62⤵
- Executes dropped EXE
PID:3492 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe63⤵
- Executes dropped EXE
PID:3372 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe64⤵
- Executes dropped EXE
PID:4320 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe65⤵
- Executes dropped EXE
PID:4240 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe66⤵PID:2784
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe67⤵PID:2724
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe68⤵PID:4044
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe69⤵PID:2884
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe70⤵PID:1564
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe71⤵PID:3536
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe72⤵PID:1760
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe73⤵PID:4280
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe74⤵PID:5052
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe75⤵PID:4416
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe76⤵PID:4560
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe77⤵PID:5000
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe78⤵
- Adds Run key to start application
PID:2548 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe79⤵PID:3508
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe80⤵
- Adds Run key to start application
PID:2808 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe81⤵PID:5060
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe82⤵PID:1352
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe83⤵PID:4452
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe84⤵PID:4788
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe85⤵PID:5132
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe86⤵PID:5148
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe87⤵
- System Location Discovery: System Language Discovery
PID:5164 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe88⤵PID:5184
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe89⤵PID:5200
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe90⤵PID:5216
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe91⤵PID:5236
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe92⤵PID:5252
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe93⤵PID:5272
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe94⤵PID:5288
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe95⤵PID:5304
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe96⤵
- Drops file in System32 directory
PID:5316 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe97⤵PID:5332
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe98⤵
- System Location Discovery: System Language Discovery
PID:5348 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe99⤵
- System Location Discovery: System Language Discovery
PID:5364 -
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe100⤵PID:5384
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe101⤵PID:5396
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe102⤵PID:5412
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe103⤵PID:5432
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe104⤵PID:5444
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe105⤵PID:5464
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe106⤵PID:5484
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe107⤵PID:5500
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe108⤵PID:5516
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe109⤵PID:5532
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe110⤵PID:5548
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe111⤵PID:5608
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe112⤵PID:5624
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe113⤵PID:5640
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe114⤵PID:5656
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe115⤵PID:5672
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe116⤵PID:5688
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe117⤵PID:5704
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe118⤵PID:5724
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe119⤵PID:5740
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe120⤵PID:5756
-
\??\c:\windows\SysWOW64\icf.exec:\windows\system32\icf.exe121⤵PID:5772
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-