hxxp://185[.]215[.]113[.]66/npp[.]exe

Resubmissions

31-05-2024 02:35

240531-c2575sdc55 10

28-04-2024 02:14

28-04-2024 02:13

28-04-2024 02:12

26-04-2024 00:04

26-04-2024 00:01

25-04-2024 23:58

25-04-2024 23:54

Analysis

max time kernel
95s
max time network
94s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.215.113.66/npp.exe

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

1093913900.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" 1093913900.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	1093913900.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

67669848.exe1093913900.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	67669848.exe

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

npp.exe1093913900.exe1949718020.exenpp.exe67669848.exe2136316124.exenpp.exe999215091.exe3735219039.exenpp.exe111013193.exe3735722092.exenpp.exe17203134.exe3554213306.exenpp.exe2981328584.exenpp.exe1091817440.exenpp.exe1305331319.exe

pid	process
4172	npp.exe
4616	1093913900.exe
4196	1949718020.exe
4668	npp.exe
3568	67669848.exe
376	2136316124.exe
1316	npp.exe
2232	999215091.exe
2136	3735219039.exe
1564	npp.exe
2056	111013193.exe
4688	3735722092.exe
4280	npp.exe
5116	17203134.exe
2832	3554213306.exe
4628	npp.exe
3860	2981328584.exe
4504	npp.exe
4280	1091817440.exe
3304	npp.exe
5092	1305331319.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1093913900.exe67669848.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	67669848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1093913900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1093913900.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

67669848.exe1093913900.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winploravr.exe"	67669848.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvratrel.exe"	1093913900.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvratrel.exe"	1093913900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winploravr.exe"	67669848.exe

Drops file in Windows directory 4 IoCs

Processes:

1093913900.exe67669848.exe

description	ioc	process
File created	C:\Windows\sysvratrel.exe	1093913900.exe
File opened for modification	C:\Windows\sysvratrel.exe	1093913900.exe
File created	C:\Windows\winploravr.exe	67669848.exe
File opened for modification	C:\Windows\winploravr.exe	67669848.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\npp.exe:Zone.Identifier firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1184 firefox.exe
Token: SeDebugPrivilege 1184 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1184 firefox.exe
1184 firefox.exe
1184 firefox.exe
1184 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1184 firefox.exe
1184 firefox.exe
1184 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

1184 firefox.exe
1184 firefox.exe
1184 firefox.exe
1184 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\npp.exe:Zone.Identifier	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1184	firefox.exe
Token: SeDebugPrivilege	1184	firefox.exe

pid	process
1184	firefox.exe
1184	firefox.exe
1184	firefox.exe
1184	firefox.exe

pid	process
1184	firefox.exe
1184	firefox.exe
1184	firefox.exe

pid	process
1184	firefox.exe
1184	firefox.exe
1184	firefox.exe
1184	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 1184	2960	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2704	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2704	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 4136	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 3572	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 3572	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 3572	1184	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://185.215.113.66/npp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://185.215.113.66/npp.exe
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1184.0.194748700\2090124814" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a269e12-af81-4d49-9809-dcd8889d8b1c} 1184 "\\.\pipe\gecko-crash-server-pipe.1184" 1796 278a49da858 gpu
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1184.1.1957183093\1466636803" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3ac747d-801a-4b19-ae80-2c002b10aa86} 1184 "\\.\pipe\gecko-crash-server-pipe.1184" 2172 27892671c58 socket
    3⤵
    PID:4136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1184.2.264260440\1031301377" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 2832 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c29b95d-198f-4b7b-b705-ed1d604f8f11} 1184 "\\.\pipe\gecko-crash-server-pipe.1184" 2844 278a495f458 tab
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1184.3.1234248108\2127329253" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bb011f5-0daa-44de-ba1b-549f8a446b97} 1184 "\\.\pipe\gecko-crash-server-pipe.1184" 3568 27892661358 tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1184.4.1198415912\1051257148" -childID 3 -isForBrowser -prefsHandle 4984 -prefMapHandle 5004 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21391a0c-6262-4117-8097-f4f5a40aa221} 1184 "\\.\pipe\gecko-crash-server-pipe.1184" 4968 278a6e11758 tab
    3⤵
    PID:4648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1184.5.801409119\74983424" -childID 4 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69c76a25-683d-4929-8b6e-b0ca4ee3040f} 1184 "\\.\pipe\gecko-crash-server-pipe.1184" 5136 278ab82a058 tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1184.6.1900268515\1953309779" -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07d382d4-77f1-4fe9-8f1e-8ab7268037d7} 1184 "\\.\pipe\gecko-crash-server-pipe.1184" 5324 278ab82b858 tab
    3⤵
    PID:2616
- - C:\Users\Admin\Downloads\npp.exe
    "C:\Users\Admin\Downloads\npp.exe"
    3⤵
    - Executes dropped EXE
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\1093913900.exe
      C:\Users\Admin\AppData\Local\Temp\1093913900.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Drops file in Windows directory
      PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\1949718020.exe
        
        C:\Users\Admin\AppData\Local\Temp\1949718020.exe
        5⤵
        Executes dropped EXE
        
        PID:4196
    - - C:\Users\Admin\AppData\Local\Temp\67669848.exe
        
        C:\Users\Admin\AppData\Local\Temp\67669848.exe
        5⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3568
      - C:\Users\Admin\AppData\Local\Temp\3735219039.exe
        
        C:\Users\Admin\AppData\Local\Temp\3735219039.exe
        6⤵
        Executes dropped EXE
        
        PID:2136
      - C:\Users\Admin\AppData\Local\Temp\3735722092.exe
        
        C:\Users\Admin\AppData\Local\Temp\3735722092.exe
        6⤵
        Executes dropped EXE
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\3554213306.exe
        
        C:\Users\Admin\AppData\Local\Temp\3554213306.exe
        6⤵
        Executes dropped EXE
        
        PID:2832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1004

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
PID:4668
- C:\Users\Admin\AppData\Local\Temp\2136316124.exe
  C:\Users\Admin\AppData\Local\Temp\2136316124.exe
  2⤵
  - Executes dropped EXE
  PID:376

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
PID:1316
- C:\Users\Admin\AppData\Local\Temp\999215091.exe
  C:\Users\Admin\AppData\Local\Temp\999215091.exe
  2⤵
  - Executes dropped EXE
  PID:2232

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
PID:1564
- C:\Users\Admin\AppData\Local\Temp\111013193.exe
  C:\Users\Admin\AppData\Local\Temp\111013193.exe
  2⤵
  - Executes dropped EXE
  PID:2056

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
PID:4280
- C:\Users\Admin\AppData\Local\Temp\17203134.exe
  C:\Users\Admin\AppData\Local\Temp\17203134.exe
  2⤵
  - Executes dropped EXE
  PID:5116

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
PID:4628
- C:\Users\Admin\AppData\Local\Temp\2981328584.exe
  C:\Users\Admin\AppData\Local\Temp\2981328584.exe
  2⤵
  - Executes dropped EXE
  PID:3860

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
PID:4504
- C:\Users\Admin\AppData\Local\Temp\1091817440.exe
  C:\Users\Admin\AppData\Local\Temp\1091817440.exe
  2⤵
  - Executes dropped EXE
  PID:4280

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
PID:3304
- C:\Users\Admin\AppData\Local\Temp\1305331319.exe
  C:\Users\Admin\AppData\Local\Temp\1305331319.exe
  2⤵
  - Executes dropped EXE
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1093913900.exe

Filesize
84KB

MD5
36010b83bccfcd1032971df9fc5082a1

SHA1
9967b83065e3ad82cd6c0c3b02cf08ab707fde3e

SHA256
99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98

SHA512
c8008923315d86c06b57e47d9bf81cec47cda0dec6d9f8aa57d7b4c57c7138997486a6f60eb0015bc99755afeb3d943bc8d9ba83dbb8c9219fa4990296de1def

Download Submit
C:\Users\Admin\AppData\Local\Temp\1949718020.exe

Filesize
84KB

MD5
cd1d9c0ed8763e6bb3ee7efb133dc60e

SHA1
f6f3bea085ba7c13a2956fc0810c2034792f2ddf

SHA256
19ee79b7852c54de5883404f049f9e85cb0085bae8132ada3e46d6f75b24b100

SHA512
77b675fdbfc11bff45e2438cb1bd73b7fbfa03771c600e37171f684141c82f356e392ba2694285390aedbb3ecd3306a3c0f8687d0a1940d8d44cae3a7fc41591

Download Submit
C:\Users\Admin\AppData\Local\Temp\3735219039.exe

Filesize
7KB

MD5
5a3abf2d99e1d6ebace7ae59d286ec17

SHA1
4fafd267a828ba66bb8ba0ec620b2bfff93f77d1

SHA256
3775c7888a3571a039b1415779a915e6dc806eaf0459eb551cbfb9b78c68f9f6

SHA512
1775cc5e2f5c8ad36437b086523e191fe31c441c99c39cf21af672e2beaa7987808b24a99960720731749dc33f8cb976e9ef6de5840a7f4e92c02b3c4b073bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\67669848.exe

Filesize
14KB

MD5
d085f41fe497a63dc2a4882b485a2caf

SHA1
9dc111412129833495f19d7b8a5500cf7284ad68

SHA256
fb11b4e2d26812e26ea7428f3b0b9bb8a16814188250fa60697c7aec40a49bd0

SHA512
ed4d8e297094248fb536154ed0427f4cc1832f339ce29d0f782971ede42fa2b9e5f953f73e71d0cfc026e5fd2ec0f7062410af359fd940a14f277adca37fc106

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

Filesize
8KB

MD5
a806340ee372260457434089ec07644a

SHA1
63406b8960fce70077151407819e23c849624e52

SHA256
73f908a2ab963171f6028d5c7cd883ad58e770b3580bf5db3c4c625b82b241de

SHA512
e3e646b37fb4071193c5f89405505f33a1adcc959112d37c7565c58233136740f19d27d25da2271601e8e02c5d8ff9b53a25a5efec5c4b64dd2eaf4691c263ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\3d3636cc-bf24-4025-aa30-e4dbe155b0e5

Filesize
734B

MD5
2f60b0a41a22366821efde7715a4f44b

SHA1
50dc9d2c35064b94a3f3f29bc74100975f94ab5c

SHA256
dabb74b0e5e635960d64ec8d674849d6ad82acd6534104cc5a2ec72b3e2a6897

SHA512
53f13a493782818b90ed4427dfa62fda936abbd50f30814a94991f884d8dfed89da4278991216b473013aa47547de453805ccf891740ac83bdd751c6d672ea1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
efda5605710fd2c49320494c189a52a7

SHA1
e0fbbbe56541937a75203f921377eab41c7718bc

SHA256
b9d8eb69f59b9fc96a91f428834476801d97d7c3795f0406bea33592978ead30

SHA512
987e37f013b5d11c00b1e512bd13168b0180b96880258f83c5e08ee06f6bc191258286ec5392c8aeabfd652265f991de66010611de915de4328b107f9252a1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1009B

MD5
ecbe4138e5695d98fc9e56b9d6f805fd

SHA1
fa0ca9c5d0a7ce7d74e44080bc143e7b3a45fb1c

SHA256
873f167d3fab692b627a37dbe21fbebcabe7986e1ed167549b5fb8fcb409da85

SHA512
c05db33e67feb3c7f2111df9ab5c650e0c2e3f9168ea007a1f1c9ec11904e80461f5eac1b1a1a6116f70a68ef9330803e1ea7c371df7953629e396ba0bc5cfe2

Download Submit
C:\Users\Admin\Downloads\npp.exe

Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit