Analysis
max time kernel: 118s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 04:09
Behavioral task behavioral1
Sample: fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe
Size: 192KB
MD5: fb79ad5b11dfeede74968c02a87f6b47
SHA1: 606d2fbf6ee5f9b27979a9554c4f90b58d779094
SHA256: 6138734f7a7144a8abafd76b19647ef8e99e229d08799a964eed41bcc824d8a3
SHA512: c0a613b3d25871ad3d5d61e9364547ea10f3fa8f4fdb0cf7861b92889e78f08dc809b15086a9c9822e6822173fc1923cbf3bcdaf5a4f22f747970657afba9029
SSDEEP: 3072:C3LXPMZ4outEh6NiryNlzxb1dZi4QRAfaTeG4U4XPSU4GBtXzbT2KPF/fgNuILEw:C37M6oS94YxbsSfDUkSU4sj32AnkA
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
Process: npcsvc.exe
(64 identical events, all from npcsvc.exe)
-
Executes dropped EXE (64 IoCs)
Process: npcsvc.exe (all 64 events)
pid: 2716, 916, 3264, 184, 3272, 4720, 1576, 1820, 1932, 2396, 3256, 1000, 1688, 5080, 4200, 2960, 4456, 1116, 4556, 1180, 2796, 5060, 3508, 3948, 3512, 624, 3128, 4704, 2468, 1216, 616, 880, 2596, 1684, 2716, 4368, 3492, 3220, 2636, 4236, 3472, 2500, 2672, 408, 1164, 3016, 4508, 4548, 3212, 4868, 2436, 4532, 4480, 1224, 916, 3176, 440, 3948, 3196, 3660, 3992, 3712, 1012, 1356
-
Adds Run key to start application (2 TTPs, 64 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Panel Setup = "npcsvc.exe"
Process: npcsvc.exe
(64 identical events, all from npcsvc.exe)
-
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory (64 IoCs)
ioc: C:\Windows\SysWOW64\npcsvc.exe (same path in all 64 events)
description / Process:
  File created by fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe (1 event, the submitted sample)
  File created by npcsvc.exe
  File opened for modification by npcsvc.exe
-
resource / yara_rule:
  behavioral2/memory/2724-0-0x0000000000400000-0x0000000000431000-memory.dmp: upx
  behavioral2/files/0x0009000000023457-5.dat: upx
  behavioral2/memory/2724-34-0x0000000000400000-0x0000000000431000-memory.dmp: upx
  behavioral2/memory/4720-40-0x0000000000400000-0x0000000000431000-memory.dmp: upx
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: npcsvc.exe (33 events), cmd.exe (30 events), fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe (1 event)
-
Modifies registry class (64 IoCs)
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Process: npcsvc.exe
(64 identical events, all from npcsvc.exe)
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ npcsvc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 2724 fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege, npcsvc.exe, one row per PID in the order listed: 2716, 916, 3264, 184, 3272, 4720, 1576, 1820, 1932, 2396, 3256, 1000, 1688, 5080, 4200, 2960, 4456, 1116, 4556, 1180, 2796, 5060, 3508, 3948, 3512, 624, 3128, 4704, 2468, 1216, 616, 880, 2596, 1684, 2716, 4368, 3492, 3220, 2636, 4236, 3472, 2500, 2672, 408, 1164, 3016, 4508, 4548, 3212, 4868, 2436, 4532, 4480, 1224, 916, 3176, 440, 3948, 3196, 3660, 3992, 3712, 1012
The 64 rows are the original sample plus the first 63 npcsvc.exe instances of the Processes tree (depths 1 to 64), where the listing stops. Each process enables SeIncBasePriorityPrivilege (the "Increase scheduling priority" right) via AdjustTokenPrivileges; that right only allows raising a process's base priority, so the notable part is not the privilege itself but that every instance in the chain makes the same call, as expected when one binary keeps re-executing itself. -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each row reads "PID <pid> wrote to memory of <child pid>"; procid_target is the sandbox's own index for the target process, not a Windows PID, and each parent/child pair is logged three times. Collapsed, the 64 rows are:
2724 fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe wrote to 2716 (procid_target 82) and 2896 (83)
2716 npcsvc.exe wrote to 916 (85) and 428 (86)
916 npcsvc.exe wrote to 3264 (88) and 2012 (89)
3264 npcsvc.exe wrote to 184 (91) and 4368 (92)
184 npcsvc.exe wrote to 3272 (94) and 3000 (95)
3272 npcsvc.exe wrote to 4720 (97) and 3356 (98)
4720 npcsvc.exe wrote to 1576 (100) and 1440 (101)
1576 npcsvc.exe wrote to 1820 (103) and 1776 (104)
1820 npcsvc.exe wrote to 1932 (106) and 3704 (107)
1932 npcsvc.exe wrote to 2396 (109) and 3420 (110)
2396 npcsvc.exe wrote to 3256 (112) and 4396 (113; a single row, where the listing stops at 64 IoCs)
At every level the first target is the next npcsvc.exe in the Processes tree; the second target (2896, 428, 2012, 4368, 3000, 3356, 1440, 1776, 3704, 3420, 4396) has no entry under that parent in the Processes tree, so what it ran is not recorded on this page.
Processes
-
Every entry from depth 2 down is the dropped file C:\Windows\SysWOW64\npcsvc.exe, started with the command line "C:\Windows\system32\npcsvc.exe" (a 32-bit process that opens \system32\ is redirected to \SysWOW64\ by the WOW64 file system redirector); each entry is the child of the one above it, 122 levels deep. Columns: depth | PID | signatures.
Suspicious use of WriteProcessMemory is shown only through depth 11 (PID 2396), Suspicious use of AdjustPrivilegeToken only through depth 64 (PID 1012) and Executes dropped EXE only through depth 65 (PID 1356): those are the points at which each of those listings reaches its 64th IoC, so their absence on deeper instances is a limit of the report, not a change in behaviour. PIDs also recur within the chain (2716 at depths 2 and 36, 916 at 3 and 56, 3948 at 25 and 59, and so on) because Windows reuses a PID once the earlier process has exited and its handles are closed, so a PID on this page does not identify a single process.

1 | 2724 | C:\Users\Admin\AppData\Local\Temp\fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe" | Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
2 | 2716 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
3 | 916 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
4 | 3264 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
5 | 184 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
6 | 3272 | Executes dropped EXE; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
7 | 4720 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
8 | 1576 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
9 | 1820 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
10 | 1932 | Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
11 | 2396 | Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
12 | 3256 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
13 | 1000 | Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
14 | 1688 | Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
15 | 5080 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
16 | 4200 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
17 | 2960 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
18 | 4456 | Executes dropped EXE; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken
19 | 1116 | Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
20 | 4556 | Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of AdjustPrivilegeToken
21 | 1180 | Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken
22 | 2796 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
23 | 5060 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
24 | 3508 | Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
25 | 3948 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
26 | 3512 | Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of AdjustPrivilegeToken
27 | 624 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
28 | 3128 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
29 | 4704 | Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of AdjustPrivilegeToken
30 | 2468 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
31 | 1216 | Executes dropped EXE; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken
32 | 616 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
33 | 880 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
34 | 2596 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
35 | 1684 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
36 | 2716 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
37 | 4368 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
38 | 3492 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
39 | 3220 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
40 | 2636 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken
41 | 4236 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
42 | 3472 | Executes dropped EXE; Modifies registry class; Suspicious use of AdjustPrivilegeToken
43 | 2500 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
44 | 2672 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
45 | 408 | Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
46 | 1164 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
47 | 3016 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
48 | 4508 | Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
49 | 4548 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
50 | 3212 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken
51 | 4868 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
52 | 2436 | Executes dropped EXE; Modifies registry class; Suspicious use of AdjustPrivilegeToken
53 | 4532 | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
54 | 4480 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
55 | 1224 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
56 | 916 | Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
57 | 3176 | Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of AdjustPrivilegeToken
58 | 440 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
59 | 3948 | Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken
60 | 3196 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
61 | 3660 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
62 | 3992 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
63 | 3712 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
64 | 1012 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
65 | 1356 | Executes dropped EXE; Drops file in System32 directory
66 | 4508 | Checks computer location settings
67 | 3740 | Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
68 | 1412 | (no signatures recorded)
69 | 2752 | Drops file in System32 directory; Modifies registry class
70 | 4084 | Checks computer location settings; Drops file in System32 directory
71 | 2680 | Adds Run key to start application
72 | 1828 | (no signatures recorded)
73 | 5060 | Adds Run key to start application
74 | 2636 | (no signatures recorded)
75 | 5072 | (no signatures recorded)
76 | 3464 | (no signatures recorded)
77 | 3640 | Modifies registry class
78 | 4604 | Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; Modifies registry class
79 | 3292 | Checks computer location settings; Drops file in System32 directory
80 | 3712 | System Location Discovery: System Language Discovery
81 | 1164 | Modifies registry class
82 | 1000 | (no signatures recorded)
83 | 4040 | Checks computer location settings; Modifies registry class
84 | 368 | System Location Discovery: System Language Discovery
85 | 1116 | Checks computer location settings
86 | 4700 | Modifies registry class
87 | 4872 | Adds Run key to start application
88 | 1900 | Modifies registry class
89 | 4980 | System Location Discovery: System Language Discovery
90 | 3468 | Adds Run key to start application
91 | 3304 | Checks computer location settings
92 | 3508 | (no signatures recorded)
93 | 1996 | Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
94 | 4904 | Checks computer location settings; Adds Run key to start application
95 | 1104 | Adds Run key to start application
96 | 4944 | (no signatures recorded)
97 | 3292 | Drops file in System32 directory
98 | 4044 | (no signatures recorded)
99 | 2172 | Checks computer location settings; Modifies registry class
100 | 4180 | (no signatures recorded)
101 | 1764 | Drops file in System32 directory
102 | 4060 | Checks computer location settings; Modifies registry class
103 | 2132 | Drops file in System32 directory
104 | 2896 | Checks computer location settings; Drops file in System32 directory
105 | 3476 | Adds Run key to start application; Drops file in System32 directory
106 | 3264 | (no signatures recorded)
107 | 5052 | Modifies registry class
108 | 3744 | (no signatures recorded)
109 | 4720 | Checks computer location settings; Drops file in System32 directory
110 | 5072 | (no signatures recorded)
111 | 4324 | (no signatures recorded)
112 | 3128 | Adds Run key to start application
113 | 4596 | Drops file in System32 directory; Modifies registry class
114 | 5096 | Modifies registry class
115 | 2380 | Drops file in System32 directory
116 | 2388 | (no signatures recorded)
117 | 4544 | System Location Discovery: System Language Discovery
118 | 880 | Checks computer location settings; Adds Run key to start application; Modifies registry class
119 | 4952 | Adds Run key to start application; Modifies registry class
120 | 5100 | Checks computer location settings; System Location Discovery: System Language Discovery
121 | 348 | Modifies registry class
122 | 1532 | Adds Run key to start application
-
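The following is an added example, not code from the sandbox report or from the sample's author. It turns the two tables above, the WriteProcessMemory rows and the Processes tree, into detection logic for the npcsvc.exe self-replication chain: it collapses the tripled WriteProcessMemory rows into one parent-to-child edge each, folds the WOW64 path redirection so that "C:\Windows\system32\npcsvc.exe" and the SysWOW64 file that actually ran compare equal, measures how long a run of same-image spawns is, and lists the PIDs that recur within the chain. The PIDs and the five WriteProcessMemory rows are copied from this page; the event schema (procid, pid, parent, image), the placeholder procids (the tree depth) and the root's parent (0) are assumptions and not the sandbox's own format.

```python
"""Added example (not from the sandbox report or the sample's author):
detection logic for the npcsvc.exe self-replication chain, run over
process-creation events constructed from this page's Processes tree and
WriteProcessMemory rows. The event schema, the placeholder procids and the
root's parent (0) are assumptions, not the sandbox's own format."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    procid: int   # unique per process in the run; PIDs are reused (see pid_reuse)
    pid: int
    parent: int   # procid of the creating process, 0 = outside the trace
    image: str    # image path that actually executed


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\npcsvc.exe"          # file that ran
REQUESTED = r'"C:\Windows\system32\npcsvc.exe"'     # what each parent's command line names

# PIDs in tree order (depth 1..122), copied from the Processes section of this page.
CHAIN_PIDS = [
    2724, 2716, 916, 3264, 184, 3272, 4720, 1576, 1820, 1932, 2396,
    3256, 1000, 1688, 5080, 4200, 2960, 4456, 1116, 4556, 1180, 2796,
    5060, 3508, 3948, 3512, 624, 3128, 4704, 2468, 1216, 616, 880,
    2596, 1684, 2716, 4368, 3492, 3220, 2636, 4236, 3472, 2500, 2672,
    408, 1164, 3016, 4508, 4548, 3212, 4868, 2436, 4532, 4480, 1224,
    916, 3176, 440, 3948, 3196, 3660, 3992, 3712, 1012, 1356, 4508,
    3740, 1412, 2752, 4084, 2680, 1828, 5060, 2636, 5072, 3464, 3640,
    4604, 3292, 3712, 1164, 1000, 4040, 368, 1116, 4700, 4872, 1900,
    4980, 3468, 3304, 3508, 1996, 4904, 1104, 4944, 3292, 4044, 2172,
    4180, 1764, 4060, 2132, 2896, 3476, 3264, 5052, 3744, 4720, 5072,
    4324, 3128, 4596, 5096, 2380, 2388, 4544, 880, 4952, 5100, 348, 1532,
]


def build_events() -> List[ProcEvent]:
    """One creation event per tree entry; the depth doubles as a placeholder procid."""
    return [ProcEvent(procid=depth, pid=pid, parent=depth - 1,
                      image=SAMPLE if depth == 1 else DROPPED)
            for depth, pid in enumerate(CHAIN_PIDS, start=1)]


def canonical_image(path: str) -> str:
    """Fold WOW64 file-system redirection: a 32-bit process that asked for
    \\system32\\ ran the \\SysWOW64\\ copy, and the two should compare equal."""
    return path.strip('"').lower().replace("\\syswow64\\", "\\system32\\")


def self_spawn_depth(events: List[ProcEvent]) -> Dict[int, int]:
    """procid -> length of the run of same-image ancestors ending at that process."""
    by_id = {e.procid: e for e in events}
    depth: Dict[int, int] = {}
    for e in sorted(events, key=lambda ev: ev.procid):  # parents precede children
        parent = by_id.get(e.parent)
        same = parent is not None and canonical_image(parent.image) == canonical_image(e.image)
        depth[e.procid] = depth[parent.procid] + 1 if same else 1
    return depth


def flag_self_replication(events: List[ProcEvent], threshold: int = 3) -> List[int]:
    """procids at which a same-image spawn chain is at least `threshold` processes long."""
    return [p for p, n in self_spawn_depth(events).items() if n >= threshold]


def pid_reuse(events: List[ProcEvent]) -> Set[int]:
    """PIDs that name more than one process in the trace: key on procid, not PID."""
    return {pid for pid, n in Counter(e.pid for e in events).items() if n > 1}


WPM_ROWS = [  # rows as the sandbox lists them in the WriteProcessMemory section
    "PID 2724 wrote to memory of 2716 2724 fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe 82",
    "PID 2724 wrote to memory of 2716 2724 fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe 82",
    "PID 2724 wrote to memory of 2716 2724 fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe 82",
    "PID 2724 wrote to memory of 2896 2724 fb79ad5b11dfeede74968c02a87f6b47_JaffaCakes118.exe 83",
    "PID 2716 wrote to memory of 916 2716 npcsvc.exe 85",
]
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ (\d+)$")


def wpm_edges(rows: List[str]) -> Dict[int, Dict[int, int]]:
    """Collapse the repeated rows into parent_pid -> {child_pid: procid_target}."""
    edges: Dict[int, Dict[int, int]] = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        parent, child, target = (int(g) for g in m.groups())
        edges.setdefault(parent, {})[child] = target
    return edges


if __name__ == "__main__":
    evs = build_events()
    print("same-image chain depth:", max(self_spawn_depth(evs).values()))  # 121
    print("first flagged procid:", flag_self_replication(evs)[0])         # 4
    print("reused PIDs:", sorted(pid_reuse(evs)))
    print("collapsed WriteProcessMemory edges:", wpm_edges(WPM_ROWS))
```

Run as a script it prints the chain depth, the first flagged procid, the reused PIDs and the collapsed edges. Keying on procid rather than PID matters here: 17 PIDs recur inside the 122-process chain, so a PID-keyed tree would fold separate instances together. A threshold of 3 fires at depth 4, long before the report's 64-IoC listings stop, and the canonical_image fold is what keeps the comparison honest when the command line says system32 and the file that ran is under SysWOW64.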