Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 07:19
Static task
static1
Behavioral task
behavioral1
Sample
f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe
-
Size
13KB
-
MD5
f57ba037a62c2fd6a1c73f5c194a9731
-
SHA1
fa37049eb0660b2c8db929cd65cb0a0b3336a12e
-
SHA256
e9d5044749a22ab054458df8b4b904732e2b839440844e43c7795ae234124813
-
SHA512
eeb008c72b94cc60748a0fef93997dc85d4b9d2d02d0b8e4e9cb8c5ee91c86229efb109d3032fd7ff96ffe25a4c0813fd0f8ea0ab142bcb7c94decf2d61c873a
-
SSDEEP
384:IS7vcUIUb969kc3yC+bFVVdrl6G6qLR4/sfdGDLLwmMgVWST6Ws:IS/bwzyJbFV7rl7F95fk3kglA
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2920 icf.exe 2076 icf.exe 2420 icf.exe 1748 icf.exe 1216 icf.exe 2556 icf.exe 2304 icf.exe 2452 icf.exe 2752 icf.exe 2812 icf.exe 2836 icf.exe 2856 icf.exe 2828 icf.exe 2760 icf.exe 2232 icf.exe 2772 icf.exe 2640 icf.exe 1744 icf.exe 2668 icf.exe 2608 icf.exe 2656 icf.exe 1752 icf.exe 2176 icf.exe 2348 icf.exe 2104 icf.exe 2996 icf.exe 2020 icf.exe 380 icf.exe 1952 icf.exe 976 icf.exe 1496 icf.exe 484 icf.exe 804 icf.exe 2700 icf.exe 2864 icf.exe 1652 icf.exe 2880 icf.exe 2936 icf.exe 2952 icf.exe 1332 icf.exe 320 icf.exe 2940 icf.exe 2924 icf.exe 536 icf.exe 1668 icf.exe 1092 icf.exe 2000 icf.exe 1188 icf.exe 1984 icf.exe 1996 icf.exe 1372 icf.exe 2016 icf.exe 1988 icf.exe 3000 icf.exe 2652 icf.exe 2096 icf.exe 3016 icf.exe 1244 icf.exe 2188 icf.exe 2992 icf.exe 2364 icf.exe 2052 icf.exe 2092 icf.exe 2164 icf.exe -
Loads dropped DLL 64 IoCs
pid Process 1924 f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe 1924 f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe 2920 icf.exe 2920 icf.exe 2076 icf.exe 2076 icf.exe 2420 icf.exe 2420 icf.exe 1748 icf.exe 1748 icf.exe 1216 icf.exe 1216 icf.exe 2556 icf.exe 2556 icf.exe 2304 icf.exe 2304 icf.exe 2452 icf.exe 2452 icf.exe 2752 icf.exe 2752 icf.exe 2812 icf.exe 2812 icf.exe 2836 icf.exe 2836 icf.exe 2856 icf.exe 2856 icf.exe 2828 icf.exe 2828 icf.exe 2760 icf.exe 2760 icf.exe 2232 icf.exe 2232 icf.exe 2772 icf.exe 2772 icf.exe 2640 icf.exe 2640 icf.exe 1744 icf.exe 1744 icf.exe 2668 icf.exe 2668 icf.exe 2608 icf.exe 2608 icf.exe 2656 icf.exe 2656 icf.exe 1752 icf.exe 1752 icf.exe 2176 icf.exe 2176 icf.exe 2348 icf.exe 2348 icf.exe 2104 icf.exe 2104 icf.exe 2996 icf.exe 2996 icf.exe 2020 icf.exe 2020 icf.exe 380 icf.exe 380 icf.exe 1952 icf.exe 1952 icf.exe 976 icf.exe 976 icf.exe 1496 icf.exe 1496 icf.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) 
\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) 
\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) 
\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = 
"C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) 
\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "C:\\Windows\\system32\\icf.exe" icf.exe -
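Drops file in System32 directory 64 IoCs
Note: the paths recorded below are under C:\Windows\SysWOW64, while the Run value and the process command lines name C:\Windows\system32\icf.exe. This is consistent with WOW64 file-system redirection of a 32-bit process on the x64 guest, so a search for the dropped file should cover both directories.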
description ioc Process File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File 
created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe icf.exe File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found File created C:\Windows\SysWOW64\icf.exe Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 2920 1924 f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe 30 PID 1924 wrote to memory of 2920 1924 f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe 30 PID 1924 wrote to memory of 2920 1924 f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe 30 PID 1924 wrote to memory of 2920 1924 f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe 30 PID 2920 wrote to memory of 2076 2920 icf.exe 31 PID 2920 wrote to memory of 2076 2920 icf.exe 31 PID 2920 wrote to memory of 2076 2920 icf.exe 31 PID 2920 wrote to memory of 2076 2920 icf.exe 31 PID 2076 wrote to memory of 2420 2076 icf.exe 32 PID 2076 wrote to memory of 2420 2076 icf.exe 32 PID 2076 wrote to memory of 2420 2076 icf.exe 32 PID 2076 wrote to memory of 2420 2076 icf.exe 32 PID 2420 wrote to memory of 1748 2420 icf.exe 33 PID 2420 wrote to memory of 1748 2420 icf.exe 33 PID 2420 wrote to memory of 1748 2420 icf.exe 33 PID 2420 wrote to memory of 1748 2420 icf.exe 33 PID 1748 wrote to memory of 1216 1748 icf.exe 34 PID 1748 wrote to memory of 1216 1748 icf.exe 34 PID 1748 wrote to memory of 1216 1748 icf.exe 34 PID 1748 wrote to memory of 1216 1748 icf.exe 34 PID 1216 wrote to memory of 2556 1216 icf.exe 35 PID 1216 wrote to memory of 2556 1216 icf.exe 35 PID 1216 wrote to memory of 2556 1216 icf.exe 35 PID 1216 wrote to memory of 2556 1216 icf.exe 35 PID 2556 wrote to memory of 2304 2556 icf.exe 36 PID 2556 wrote to memory of 2304 2556 icf.exe 36 PID 2556 wrote to memory of 2304 2556 icf.exe 36 PID 2556 wrote to memory of 2304 2556 icf.exe 36 PID 2304 wrote to memory of 2452 2304 icf.exe 37 PID 2304 wrote to memory of 2452 2304 icf.exe 37 PID 2304 wrote to memory of 2452 2304 icf.exe 37 PID 2304 wrote to memory of 2452 2304 icf.exe 37 PID 2452 wrote to memory of 2752 2452 icf.exe 38 PID 2452 wrote to memory of 2752 2452 icf.exe 38 PID 2452 wrote to memory of 2752 2452 icf.exe 38 PID 2452 wrote to memory of 2752 2452 icf.exe 38 PID 2752 wrote to memory 
of 2812 2752 icf.exe 39 PID 2752 wrote to memory of 2812 2752 icf.exe 39 PID 2752 wrote to memory of 2812 2752 icf.exe 39 PID 2752 wrote to memory of 2812 2752 icf.exe 39 PID 2812 wrote to memory of 2836 2812 icf.exe 40 PID 2812 wrote to memory of 2836 2812 icf.exe 40 PID 2812 wrote to memory of 2836 2812 icf.exe 40 PID 2812 wrote to memory of 2836 2812 icf.exe 40 PID 2836 wrote to memory of 2856 2836 icf.exe 41 PID 2836 wrote to memory of 2856 2836 icf.exe 41 PID 2836 wrote to memory of 2856 2836 icf.exe 41 PID 2836 wrote to memory of 2856 2836 icf.exe 41 PID 2856 wrote to memory of 2828 2856 icf.exe 42 PID 2856 wrote to memory of 2828 2856 icf.exe 42 PID 2856 wrote to memory of 2828 2856 icf.exe 42 PID 2856 wrote to memory of 2828 2856 icf.exe 42 PID 2828 wrote to memory of 2760 2828 icf.exe 43 PID 2828 wrote to memory of 2760 2828 icf.exe 43 PID 2828 wrote to memory of 2760 2828 icf.exe 43 PID 2828 wrote to memory of 2760 2828 icf.exe 43 PID 2760 wrote to memory of 2232 2760 icf.exe 44 PID 2760 wrote to memory of 2232 2760 icf.exe 44 PID 2760 wrote to memory of 2232 2760 icf.exe 44 PID 2760 wrote to memory of 2232 2760 icf.exe 44 PID 2232 wrote to memory of 2772 2232 icf.exe 45 PID 2232 wrote to memory of 2772 2232 icf.exe 45 PID 2232 wrote to memory of 2772 2232 icf.exe 45 PID 2232 wrote to memory of 2772 2232 icf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f57ba037a62c2fd6a1c73f5c194a9731_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\icf.exeC:\Windows\system32\icf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 33⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 35⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 37⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 38⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 39⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 40⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 41⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 42⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 43⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 44⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 45⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 46⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 47⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 48⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 49⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 50⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 51⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 52⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 53⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 54⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 55⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 56⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 57⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 58⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 59⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 60⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 62⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 64⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 65⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 66⤵ PID:1828
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 67⤵ PID:1636
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 68⤵ PID:1976
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 69⤵ PID:2384
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 70⤵ PID:2148
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 71⤵ PID:2152
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 72⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 73⤵ PID:1200
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 74⤵ PID:2012
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 75⤵ PID:1868
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 76⤵ PID:1208
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 77⤵ PID:2284
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 78⤵ PID:1020
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 79⤵ PID:560
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 80⤵ PID:448
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 81⤵ PID:2972
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 82⤵ PID:2592
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 83⤵ PID:2136
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 84⤵ PID:1172
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 85⤵ PID:1060
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 86⤵ PID:344
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 87⤵ PID:1028
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 88⤵ PID:1796
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 89⤵ PID:960
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 90⤵ PID:1324
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 91⤵ PID:1620
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 92⤵ PID:1000
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 93⤵ PID:768
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 94⤵ PID:1344
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 95⤵ PID:1764
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 96⤵ PID:1708
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 97⤵ PID:1380
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 98⤵ PID:1644
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 99⤵ PID:3052
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 100⤵ PID:2308
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 101⤵ PID:1688
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 102⤵ PID:316
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 103⤵ PID:1792
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 104⤵ PID:1400
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 105⤵ PID:1544
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 106⤵ PID:908
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 107⤵ PID:964
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 108⤵ PID:780
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 109⤵ PID:944
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 110⤵ PID:2240
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 111⤵ PID:2472
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 112⤵ PID:2484
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 113⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 114⤵ PID:2448
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 115⤵ PID:1084
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 116⤵ PID:2360
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 117⤵ PID:1700
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 118⤵ PID:2512
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 119⤵ PID:1660
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 120⤵ PID:1756
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 121⤵ PID:2140
-
C:\Windows\SysWOW64\icf.exe C:\Windows\system32\icf.exe 122⤵ PID:1628