xworm | b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001

Analysis

max time kernel
107s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prism Release V1.5.exe
Size

5.1MB
MD5

ac80f970a7ae1c07663abdd11d752d34
SHA1

5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
SHA256

b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
SHA512

7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
SSDEEP

98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

Score

10^/10

xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\dllhost.exe	family_xworm
behavioral2/memory/4492-33-0x00000000004C0000-0x00000000004DA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3220	powershell.exe
4088	powershell.exe
4336	powershell.exe
4276	powershell.exe
436	powershell.exe
3528	powershell.exe
2756	powershell.exe
4336	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Prism Release V1.5.exedllhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Prism Release V1.5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dllhost.exe

Drops startup file 2 IoCs

Processes:

dllhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe

Executes dropped EXE 8 IoCs

Processes:

dllhost.exePrism Executor.exenexusloader.exeWindows Runtime.execffckp.exesvchost.exeWindows Runtime.exesvchost.exe

pid	process
4492	dllhost.exe
3116	Prism Executor.exe
2564	nexusloader.exe
2900	Windows Runtime.exe
1220	cffckp.exe
800	svchost.exe
4696	Windows Runtime.exe
5040	svchost.exe

Loads dropped DLL 64 IoCs

Processes:

nexusloader.exesvchost.exesvchost.exe

pid	process
2564	nexusloader.exe
2564	nexusloader.exe
2564	nexusloader.exe
2564	nexusloader.exe
2564	nexusloader.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
5040	svchost.exe
5040	svchost.exe
5040	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe"	dllhost.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

61 ipinfo.io
7 ip-api.com
58 api.ipify.org
59 api.ipify.org
60 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1188 schtasks.exe

flow	ioc
61	ipinfo.io
7	ip-api.com
58	api.ipify.org
59	api.ipify.org
60	ipinfo.io

pid	process
1188	schtasks.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3560	taskkill.exe
1112	taskkill.exe
3392	taskkill.exe
2088	taskkill.exe
4404	taskkill.exe
4976	taskkill.exe
4828	taskkill.exe
1080	taskkill.exe
684	taskkill.exe
4916	taskkill.exe
4408	taskkill.exe
3648	taskkill.exe
3508	taskkill.exe
1568	taskkill.exe
4428	taskkill.exe
4824	taskkill.exe
5108	taskkill.exe
4860	taskkill.exe
1648	taskkill.exe
2936	taskkill.exe
2536	taskkill.exe
1068	taskkill.exe
1860	taskkill.exe
2036	taskkill.exe
2720	taskkill.exe
2016	taskkill.exe
4252	taskkill.exe
3400	taskkill.exe
4608	taskkill.exe
2232	taskkill.exe
4952	taskkill.exe
3200	taskkill.exe
4856	taskkill.exe
3672	taskkill.exe
3380	taskkill.exe
3420	taskkill.exe
676	taskkill.exe
4016	taskkill.exe
2400	taskkill.exe
1708	taskkill.exe
4192	taskkill.exe
2432	taskkill.exe
2680	taskkill.exe
1820	taskkill.exe
1800	taskkill.exe
1428	taskkill.exe
1648	taskkill.exe
1936	taskkill.exe
5068	taskkill.exe
1932	taskkill.exe
636	taskkill.exe
1900	taskkill.exe
3392	taskkill.exe
3520	taskkill.exe
3952	taskkill.exe
3908	taskkill.exe
544	taskkill.exe
3216	taskkill.exe
1196	taskkill.exe
4896	taskkill.exe
2832	taskkill.exe
3636	taskkill.exe
2296	taskkill.exe
2116	taskkill.exe

Modifies registry class 33 IoCs

Processes:

nexusloader.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	nexusloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	nexusloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	nexusloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	nexusloader.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

dllhost.exe

pid process

4492 dllhost.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exesvchost.exepowershell.exe

pid	process
4088	powershell.exe
3220	powershell.exe
3220	powershell.exe
4088	powershell.exe
3220	powershell.exe
4088	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
3528	powershell.exe
3528	powershell.exe
3528	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
4492	dllhost.exe
4492	dllhost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

dllhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWindows Runtime.exesvchost.exeWindows Runtime.exepowershell.exesvchost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4492	dllhost.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4492	dllhost.exe
Token: SeDebugPrivilege	2900	Windows Runtime.exe
Token: SeDebugPrivilege	800	svchost.exe
Token: SeDebugPrivilege	4696	Windows Runtime.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	5040	svchost.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	3380	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

dllhost.exenexusloader.exe

pid process

4492 dllhost.exe
2564 nexusloader.exe
2564 nexusloader.exe
2564 nexusloader.exe
2564 nexusloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Prism Release V1.5.exePrism Executor.exedllhost.execffckp.exesvchost.exesvchost.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 948 wrote to memory of 3220	948	Prism Release V1.5.exe	powershell.exe
PID 948 wrote to memory of 3220	948	Prism Release V1.5.exe	powershell.exe
PID 948 wrote to memory of 3220	948	Prism Release V1.5.exe	powershell.exe
PID 948 wrote to memory of 4088	948	Prism Release V1.5.exe	powershell.exe
PID 948 wrote to memory of 4088	948	Prism Release V1.5.exe	powershell.exe
PID 948 wrote to memory of 4088	948	Prism Release V1.5.exe	powershell.exe
PID 948 wrote to memory of 4492	948	Prism Release V1.5.exe	dllhost.exe
PID 948 wrote to memory of 4492	948	Prism Release V1.5.exe	dllhost.exe
PID 948 wrote to memory of 3116	948	Prism Release V1.5.exe	Prism Executor.exe
PID 948 wrote to memory of 3116	948	Prism Release V1.5.exe	Prism Executor.exe
PID 3116 wrote to memory of 2564	3116	Prism Executor.exe	nexusloader.exe
PID 3116 wrote to memory of 2564	3116	Prism Executor.exe	nexusloader.exe
PID 4492 wrote to memory of 4276	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 4276	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 436	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 436	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 3528	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 3528	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 2756	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 2756	4492	dllhost.exe	powershell.exe
PID 4492 wrote to memory of 1188	4492	dllhost.exe	schtasks.exe
PID 4492 wrote to memory of 1188	4492	dllhost.exe	schtasks.exe
PID 4492 wrote to memory of 1220	4492	dllhost.exe	cffckp.exe
PID 4492 wrote to memory of 1220	4492	dllhost.exe	cffckp.exe
PID 1220 wrote to memory of 800	1220	cffckp.exe	svchost.exe
PID 1220 wrote to memory of 800	1220	cffckp.exe	svchost.exe
PID 800 wrote to memory of 1788	800	svchost.exe	cmd.exe
PID 800 wrote to memory of 1788	800	svchost.exe	cmd.exe
PID 800 wrote to memory of 5040	800	svchost.exe	svchost.exe
PID 800 wrote to memory of 5040	800	svchost.exe	svchost.exe
PID 800 wrote to memory of 4336	800	svchost.exe	powershell.exe
PID 800 wrote to memory of 4336	800	svchost.exe	powershell.exe
PID 5040 wrote to memory of 1936	5040	svchost.exe	cmd.exe
PID 5040 wrote to memory of 1936	5040	svchost.exe	cmd.exe
PID 5040 wrote to memory of 2760	5040	svchost.exe	cmd.exe
PID 5040 wrote to memory of 2760	5040	svchost.exe	cmd.exe
PID 2760 wrote to memory of 1436	2760	cmd.exe	taskkill.exe
PID 2760 wrote to memory of 1436	2760	cmd.exe	taskkill.exe
PID 5040 wrote to memory of 464	5040	svchost.exe	cmd.exe
PID 5040 wrote to memory of 464	5040	svchost.exe	cmd.exe
PID 464 wrote to memory of 4284	464	cmd.exe	taskkill.exe
PID 464 wrote to memory of 4284	464	cmd.exe	taskkill.exe
PID 5040 wrote to memory of 4380	5040	svchost.exe	cmd.exe
PID 5040 wrote to memory of 4380	5040	svchost.exe	cmd.exe
PID 4380 wrote to memory of 3380	4380	cmd.exe	taskkill.exe
PID 4380 wrote to memory of 3380	4380	cmd.exe	taskkill.exe
PID 5040 wrote to memory of 2196	5040	svchost.exe	Conhost.exe
PID 5040 wrote to memory of 2196	5040	svchost.exe	Conhost.exe
PID 2196 wrote to memory of 4896	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4896	2196	cmd.exe	cmd.exe
PID 800 wrote to memory of 932	800	svchost.exe	cmd.exe
PID 800 wrote to memory of 932	800	svchost.exe	cmd.exe
PID 5040 wrote to memory of 1788	5040	svchost.exe	Conhost.exe
PID 5040 wrote to memory of 1788	5040	svchost.exe	Conhost.exe
PID 932 wrote to memory of 3924	932	cmd.exe	taskkill.exe
PID 932 wrote to memory of 3924	932	cmd.exe	taskkill.exe
PID 1788 wrote to memory of 2832	1788	cmd.exe	taskkill.exe
PID 1788 wrote to memory of 2832	1788	cmd.exe	taskkill.exe
PID 800 wrote to memory of 2560	800	svchost.exe	cmd.exe
PID 800 wrote to memory of 2560	800	svchost.exe	cmd.exe
PID 5040 wrote to memory of 2452	5040	svchost.exe	Conhost.exe
PID 5040 wrote to memory of 2452	5040	svchost.exe	Conhost.exe
PID 2560 wrote to memory of 4860	2560	cmd.exe	taskkill.exe
PID 2560 wrote to memory of 4860	2560	cmd.exe	taskkill.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Users\Admin\dllhost.exe
"C:\Users\Admin\dllhost.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
3⤵
- Creates scheduled task(s)
PID:1188

C:\Users\Admin\AppData\Local\Temp\cffckp.exe
"C:\Users\Admin\AppData\Local\Temp\cffckp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\cffckp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe" "--multiprocessing-fork" "parent_pid=800" "pipe_handle=824"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2452

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4900

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1076

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:1188

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Kills process with taskkill
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4480

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:1720

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
- Kills process with taskkill
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
- Kills process with taskkill
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2872

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
- Kills process with taskkill
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4380

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2196

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4564

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4152

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:2400

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
- Kills process with taskkill
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4068

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
- Kills process with taskkill
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2300

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1720

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4496

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2684

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2904

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
- Kills process with taskkill
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1788

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:396

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3876

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
- Kills process with taskkill
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:220

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2564

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Kills process with taskkill
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3624

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2128

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
- Kills process with taskkill
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3680

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
- Kills process with taskkill
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1080

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4880

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3028

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3536

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3684

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Kills process with taskkill
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2308

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4284

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:1812

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
- Kills process with taskkill
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3520

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4972

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2400

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:2324

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3920

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Kills process with taskkill
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3992

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:416

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4400

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3468

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
- Kills process with taskkill
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2440

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
- Kills process with taskkill
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4796

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4320

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:740

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4396

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2636

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3808

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3648

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3364

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
- Kills process with taskkill
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
- Kills process with taskkill
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4828

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4876

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2564

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4284

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4160

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
- Kills process with taskkill
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath \"C:\\\""
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:3636

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:3196

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:3568

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:3808

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
- Kills process with taskkill
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:508

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
- Kills process with taskkill
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:3036

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
- Kills process with taskkill
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
- Kills process with taskkill
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:5072

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
- Kills process with taskkill
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:3908

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:3852

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:864

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
- Kills process with taskkill
PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:2808

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
- Kills process with taskkill
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:3820

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:3280

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:3356

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
- Kills process with taskkill
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:3528

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:3728

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
- Kills process with taskkill
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:3436

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:4252

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:4352

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
- Kills process with taskkill
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3568

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
- Kills process with taskkill
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:4756

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
- Kills process with taskkill
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:5088

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
- Kills process with taskkill
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:2300

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:4632

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:1280

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:4796

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
- Kills process with taskkill
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:440

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
- Kills process with taskkill
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:4628

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:3528

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
- Kills process with taskkill
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:3600

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:4828

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:2564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2452

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
- Kills process with taskkill
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:3436

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
- Kills process with taskkill
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:2872

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
- Kills process with taskkill
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:3220

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
- Kills process with taskkill
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:4488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1188

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
- Kills process with taskkill
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:5016

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:5012

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
- Kills process with taskkill
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:684

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:2756

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:3116

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:3440

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
- Kills process with taskkill
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:3632

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
- Kills process with taskkill
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:4612

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:876

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
- Kills process with taskkill
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:3192

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
- Kills process with taskkill
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:3200

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
- Kills process with taskkill
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
5⤵
PID:1056

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
6⤵
PID:4272

C:\Users\Admin\Prism Executor.exe
"C:\Users\Admin\Prism Executor.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe
"C:\Users\Admin\Prism Executor.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2564

C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4636

C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fe9b96bc4e29457b2d225a5412322a52

SHA1
551e29903e926b5d6c52a8f57cf10475ba790bd0

SHA256
e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997

SHA512
ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll
Filesize
1.8MB

MD5
ad03d1e9f0121330694415f901af8f49

SHA1
ad8d3eee5274fef8bb300e2d1f4a11e27d3940df

SHA256
224476bedbcf121c69137f1df4dd025ae81769b2f7651bd3788a870a842cfbf9

SHA512
19b85c010c98fa75eacfd0b86f9c90a2dbf6f07a2b3ff5b4120108f3c26711512edf2b875a782497bdb3d28359325ad95c17951621c4b9c1fd692fde26b77c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll
Filesize
1.5MB

MD5
e3c7ed5f9d601970921523be5e6fce2c

SHA1
a7ee921e126c3c1ae8d0e274a896a33552a4bd40

SHA256
bd4443b8ecc3b1f0c6fb13b264769253c80a4597af7181884bda20442038ec77

SHA512
bfa76b6d754259eabc39d701d359dd96f7a4491e63b17826a05a14f8fdf87656e8fc541a40e477e4fef8d0601320dd163199520e66d9ee8b5d6bb5cd9a275901

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieynfblg.esp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cffckp.exe
Filesize
32.9MB

MD5
32004d8a59efe46298e06798a1a96cb9

SHA1
da3c34b6d7d4f692e673e45dacc825b3ef17a2ed

SHA256
03ca5525ec9b76e0d61787679977fff9ed515e7c9d30100ba7d8499a8b62a47f

SHA512
34c25e4b7ec2f61c6df8da73a720a91ec01762b06be8b12308876711e6a3b44f2633b27a38f2c516ff0925cb5829b70e993167e989ceb9a328d7422f7ab41495

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\VCRUNTIME140.dll
Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\_tkinter.pyd
Filesize
60KB

MD5
0f1aa5b9a82b75b607b4ead6bb6b8be6

SHA1
5d58fd899018a106d55433ea4fcb22faf96b4b3d

SHA256
336bd5bffdc0229da4eaddbb0cfc42a9e55459a40e1322b38f7e563bda8dd190

SHA512
b32ea7d3ed9ae3079728c7f92e043dd0614a4da1dbf40ae3651043d35058252187c3c0ad458f4ca79b8b006575fac17246fb33329f7b908138f5de3c4e9b4e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe
Filesize
3.5MB

MD5
58545dc488990ac11872079d119f8284

SHA1
dade5c16834d582a5187041697cc5a7c2eae2f88

SHA256
6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc

SHA512
93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\python310.dll
Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl8\8.5\msgcat-1.6.1.tm
Filesize
33KB

MD5
db52847c625ea3290f81238595a915cd

SHA1
45a4ed9b74965e399430290bcdcd64aca5d29159

SHA256
4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55

SHA512
5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\auto.tcl
Filesize
20KB

MD5
5e9b3e874f8fbeaadef3a004a1b291b5

SHA1
b356286005efb4a3a46a1fdd53e4fcdc406569d0

SHA256
f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840

SHA512
482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\encoding\cp1252.enc
Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\encoding\symbol.enc
Filesize
1KB

MD5
1b612907f31c11858983af8c009976d6

SHA1
f0c014b6d67fc0dc1d1bbc5f052f0c8b1c63d8bf

SHA256
73fd2b5e14309d8c036d334f137b9edf1f7b32dbd45491cf93184818582d0671

SHA512
82d4a8f9c63f50e5d77dad979d3a59729cd2a504e7159ae3a908b7d66dc02090dabd79b6a6dc7b998c32c383f804aacabc564a5617085e02204adf0b13b13e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\http1.0\pkgIndex.tcl
Filesize
735B

MD5
10ec7cd64ca949099c818646b6fae31c

SHA1
6001a58a0701dff225e2510a4aaee6489a537657

SHA256
420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c

SHA512
34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\init.tcl
Filesize
23KB

MD5
e10e428598b2d5f2054cfae4a7029709

SHA1
f8e7490e977c3c675e76297638238e08c1a5e72e

SHA256
61c55633fa048deb120422daed84224f2bb12c7c94958ca6f679b219cf2fa939

SHA512
88ef7628af5b784229dda6772c6ddd77905238a1648d4290b496eafeec013107437218e4834b7198aeb098bc854dcb9f18083c76dd5bf3ce9cedf3d5c9e4faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\opt0.4\pkgIndex.tcl
Filesize
607B

MD5
92ff1e42cfc5fecce95068fc38d995b3

SHA1
b2e71842f14d5422a9093115d52f19bcca1bf881

SHA256
eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718

SHA512
608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\package.tcl
Filesize
22KB

MD5
55e2db5dcf8d49f8cd5b7d64fea640c7

SHA1
8fdc28822b0cc08fa3569a14a8c96edca03bfbbd

SHA256
47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad

SHA512
824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\tclIndex
Filesize
5KB

MD5
996f74f323ea95c03670734814b7887f

SHA1
49f4b9be5ab77e6ccab8091f315d424d7ac183f3

SHA256
962c60eb7e050061462ff72cec9741a7f18307af4aaa68d7665174f904842d13

SHA512
c4694260c733dc534dc1a70791fa29b725efd078a6846434883362f06f7bf080ca07478208b1909630e1b55fbdccf14484b78b0a5b8c6dad90f190c8c9d88a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\tm.tcl
Filesize
11KB

MD5
52db1cd97ceab81675e86fa0264ea539

SHA1
b31693b5408a847f97ee8004fed48e5891df6e65

SHA256
6c02298d56e3c4c6b197afc79ec3ce1fc37ae176dc35f5d7ac48246f05f91669

SHA512
5032b0a79d0cd5a342af2f9edf8b88b7214e9aa61ba524a42c5be2286741e18fa380ad2d40dda9a0257afceed2ef6e48624013e854f37b5e41cb88a831ad04c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\button.tcl
Filesize
20KB

MD5
cf6e5b2eb7681567c119040939dd6e2c

SHA1
3e0b905428c293f21074145fe43281f22e699eb4

SHA256
2f013b643d62f08ddaaa1dea39ff80d6607569c9e1acc19406377b64d75ccf53

SHA512
be03edea59be01d2b8de72b6ebe9dceb13d16c522bb5c042cdae83c84eafc6ac7b3650bf924f5f84f4f126634f9d17d74d087316d289f237129921a89aa4e0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\entry.tcl
Filesize
17KB

MD5
1d9ff9bb7fedb472910776361510c610

SHA1
c190dd07bcc55741b9bdfc210f82df7b7c2fac81

SHA256
dd351da6288cf7e9f367fd97c97cb476193ff7461b25e31667e85fe720edea04

SHA512
85d25622f4e0c9517d8caa454ec4e81c8cbbec25e418f5a2d885d5561999cfb3c3026aac8bf1ca6f9b40993802fda86d60ff8fd2e30a77d56f1c1914af695f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\icons.tcl
Filesize
10KB

MD5
2652aad862e8fe06a4eedfb521e42b75

SHA1
ed22459ad3d192ab05a01a25af07247b89dc6440

SHA256
a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161

SHA512
6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\listbox.tcl
Filesize
14KB

MD5
b3b6a3bd19ddde4a97ea7cf95d7a8322

SHA1
2f11d97c091de9202f238778c89f13a94a10d3be

SHA256
b92526a55409c67473740551ca128498824d25406e3cc9bb0544e8296d3c5de4

SHA512
f2bc1fbbd20132725d283b9fab20c3e38ed185a62297e1418572c03fa90b3f813b878be281bb4bdfa1c813b7ee7eff11cbb2f89b5411b1707d90b0e5fd746fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\menu.tcl
Filesize
37KB

MD5
12ec5260eb7435c7170002e011fe8f17

SHA1
e88f5423a7133784a1a2d097c4e602e5de564034

SHA256
588727079af7ecc44755efe33ebb7414ad2ee68390fc249ce073d38e03c78a4e

SHA512
5848e5a642f0cfba8b456a6dcef711737229e5f59beb7981a52440a47f5ba9ec85374be8e8b1ccdd952ac71164da04ff88ef07204fd62509952db2cdb6503700

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\panedwindow.tcl
Filesize
5KB

MD5
2da0a23cc9d6fd970fe00915ea39d8a2

SHA1
dfe3dc663c19e9a50526a513043d2393869d8f90

SHA256
4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29

SHA512
b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\pkgIndex.tcl
Filesize
372B

MD5
d942ff6f65bba8eb6d264db7d876a488

SHA1
74d6ca77e6092d79f37e7a1dcd7cced2e89d89cb

SHA256
e0bac49b9a3f0e50be89f692273cea7b7462bfc3e054f323261ef99b708c70a3

SHA512
3ac7d992300252109606074aefb693a31cd5cceffb6d7b851a2c8895a0d5e165a139b7038657306128af39c44785b7b4da35b8e1aeb4c30f3f7e7cfcfb789c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\scale.tcl
Filesize
7KB

MD5
1ce32cdaeb04c75bfceea5fb94b8a9f0

SHA1
cc7614c9eade999963ee78b422157b7b0739894c

SHA256
58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365

SHA512
1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\scrlbar.tcl
Filesize
12KB

MD5
b44265f793563ad2ad66865dec63b2c2

SHA1
23e6f7095066ed3b65998324021d665d810e6a93

SHA256
189e7ee4b67861001c714a55880db34acf7d626a816e18b04b232af9e6e33e81

SHA512
3911b13f42091620d8d96ed0cc950792175f88399912092161e1a71f564c7e72b6d448d3b761b6b6b73400ccc8fabd94cb3bfcc8cb3ad8ebdb590c3ffc623dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\spinbox.tcl
Filesize
15KB

MD5
9971530f110ac2fb7d7ec91789ea2364

SHA1
ab553213c092ef077524ed56fc37da29404c79a7

SHA256
5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a

SHA512
81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\text.tcl
Filesize
32KB

MD5
33230f852aac8a5368aeba1834dcec77

SHA1
beba97c48a110f4a9fe86f60e5fd4ca6ac55e964

SHA256
f26ed909a962d02bc03585a6c756f4fe992c311c7f53648137e427747120b441

SHA512
caac54334c4eb439c18f03eeb5de83aa6bbd6bb07b760a40c60f2d34f5ee1fdd542f83ad427059863f96b0a8f2cb96658171a7cd0c0c2c49e002bd02e6d418f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\tk.tcl
Filesize
23KB

MD5
25094462d2ea6b43133275bf4db31a60

SHA1
6bb76294e8fdf4d40027c9d1b994f1ab0014b81b

SHA256
3e998b41ab23677db31902e1e876e644b279b2e6d8896443f6c434352801cdd1

SHA512
8bdae921f367b864ea7f36c9a549ee870d4e4e3c6e942d70722a84ae6b23ff00a33638d8ca8f3b9b8fe084875ba7c8976975849f4dc47cdb5671df47af68cfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\altTheme.tcl
Filesize
3KB

MD5
ae1b9c4dc2de8e899749fb4e1fcb4df6

SHA1
2a09d325ca56c930b3afb1ee43c944fd4416b8e1

SHA256
92b8be9d8934850b6d240b970603b0ad7c6dd4a45134545694fb52966d742861

SHA512
2803f96729805c90143e0c4c9bf25398bac7d6e4402cb09be354c35566fc3c3bd9522372147c0e956bdbbc2943b9aecb0f5c96b527a26fd790b8fdb5b99efe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\button.tcl
Filesize
2KB

MD5
ea7cf40852afd55ffda9db29a0e11322

SHA1
b7b42fac93e250b54eb76d95048ac3132b10e6d8

SHA256
391b6e333d16497c4b538a7bdb5b16ef11359b6e3b508d470c6e3703488e3b4d

SHA512
123d78d6ac34af4833d05814220757dccf2a9af4761fe67a8fe5f67a0d258b3c8d86ed346176ffb936ab3717cfd75b4fab7373f7853d44fa356be6e3a75e51b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\clamTheme.tcl
Filesize
4KB

MD5
beced087eeb3d5c9b2eabdb19c030d52

SHA1
be285e65905d335be442606afa3a88e408d5ec5b

SHA256
93c29536262c582104bf1804d7b06c7565b7d621f2e3605ff8b6c981a3b4ab01

SHA512
84b733c3fbe63c32b5b1e6cd132bd1b55f07b47612b70455c17c4d6d239682672c838cc3d739283079d0d2d8567fca9b763465d8d2148d25b5952282ed521a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\classicTheme.tcl
Filesize
3KB

MD5
70f3edfbfd4c16febdd8311290a0effe

SHA1
4b1d63d59c72c357931a8cbbf071654492a9b371

SHA256
c7b1f40d77820fbaf2195f2bb3f334b38fec653fe47653f9e30a01ad4ca63ba5

SHA512
a58c584ada6d271316266d58641be260f98e6fa0ae867ee9e343807a2955ddd3544b864cca80dc7f164ed4be5331575b696650ff0bb469c3647c5cb122f2a64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\combobox.tcl
Filesize
11KB

MD5
06b885722c8555668bcbe8d7d9aa4c75

SHA1
8172c8886884de462549aa94fca440b99da90583

SHA256
057f8f447de3a753714b8f82b96054e1849a2424749f3482492eae192baacdcf

SHA512
d81ab53d48ed1d79da57fc2d2b599199ee985e237046244a2f820daacd2e8565c65d63e9b6f80175c30fd48290226a547d6d603293a4b7e4a455795f7fce7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\cursors.tcl
Filesize
3KB

MD5
74596004dfdbf2ecf6af9c851156415d

SHA1
933318c992b705bf9f8511621b4458ecb8772788

SHA256
7bdffa1c2692c5d1cf67b518f9acb32fa4b4d9936ed076f4db835943bc1a00d6

SHA512
0d600b21db67bf9dadbdd49559573078efb41e473e94124ac4d2551bc10ec764846dc1f7674daa79f8d2a8aeb4ca27a5e11c2f30ede47e3ecee77d60d7842262

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\defaults.tcl
Filesize
4KB

MD5
16843ecd9e716a87d865a6539ef44751

SHA1
3df76af0d6e4c386d63dd061100702dbb0f72a42

SHA256
d83248b535a9417ce0ca598bbe245f24252adc90e3611c1191a045d9c0a9c99f

SHA512
7f5e7a200fd6b012a9336035211d9d89f0504f61156629ebcc1a03bcf8462ba8d219de376b6bb3ebb9e6a9507f0ac6f7d658eed5b953110df553b3c0c44ebc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\entry.tcl
Filesize
16KB

MD5
3dea98c515f6f731e666656da9708f12

SHA1
212865fc5c635eeca380efc1b3fbb85554714c47

SHA256
fe32f8b154893218acaba93ac4b8e1170d9b3e3ab66df63df85c0a31c17592be

SHA512
2901b5f92df95cbd1ec71acf86646af2f1d6058232eef1b5779192bad6df0bbbbc5902e363f809671f06d13270b1581d55f611556d48b1a843194477a113aeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\fonts.tcl
Filesize
5KB

MD5
7017b5c1d53f341f703322a40c76c925

SHA1
57540c56c92cc86f94b47830a00c29f826def28e

SHA256
0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0

SHA512
fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\menubutton.tcl
Filesize
6KB

MD5
fe89894d8cbf415541a60d77192f0f94

SHA1
c0716b2d8e24592757b62d24eeed57121b60e00f

SHA256
d9af20135ef1bfeb3e0fd9fdabe821474de3ed43b3745a42fe564d24a8b9fd9c

SHA512
66488cbcac49cca47c9c560648e891d429f40e46549f58687b98073eba4807a8458a277be093ebfc50709a8a87a529df4e526eccfb60803ce16af17b97accd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\notebook.tcl
Filesize
5KB

MD5
82c9dfc512e143dda78f91436937d4dd

SHA1
26abc23c1e0c201a217e3cea7a164171418973b0

SHA256
d1e5267cde3d7be408b4c94220f7e1833c9d452bb9ba3e194e12a5eb2f9adb80

SHA512
a9d3c04ad67e0dc3f1c12f9e21ef28a61fa84dbf710313d4ca656bdf35dfbbfba9c268c018004c1f5614db3a1128025d795bc14b4fffaa5603a5313199798d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\panedwindow.tcl
Filesize
1KB

MD5
a12915fa5caf93e23518e9011200f5a4

SHA1
a61f665a408c10419fb81001578d99b43d048720

SHA256
ce0053d637b580170938cf552b29ae890559b98eb28038c2f0a23a265ddeb273

SHA512
669e1d66f1223cca6ceb120914d5d876bd3cf401ee4a46f35825361076f19c7341695596a7dbb00d6cff4624666fb4e7a2d8e7108c3c56a12bda7b04e99e6f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\progress.tcl
Filesize
1KB

MD5
b0074341a4bda36bcdff3ebcae39eb73

SHA1
d070a01cc5a787249bc6dad184b249c4dd37396a

SHA256
a9c34f595e547ce94ee65e27c415195d2b210653a9ffcfb39559c5e0fa9c06f8

SHA512
af23563602886a648a42b03cc5485d84fcc094ab90b08df5261434631b6c31ce38d83a3a60cc7820890c797f6c778d5b5eff47671ce3ee4710ab14c6110dcc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\scale.tcl
Filesize
2KB

MD5
b41a9df31924dea36d69cb62891e8472

SHA1
4c2877fbb210fdbbde52ea8b5617f68ad2df7b93

SHA256
25d0fe2b415292872ef7acdb2dfa12d04c080b7f9b1c61f28c81aa2236180479

SHA512
a50db6da3d40d07610629de45f06a438c6f2846324c3891c54c99074cfb7beed329f27918c8a85badb22c6b64740a2053b891f8e5d129d9b0a1ff103e7137d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\scrollbar.tcl
Filesize
2KB

MD5
cf7bc1ffbf3efee2ca7369215a3b1473

SHA1
e2632241089f9dc47fa76cd0c57615d70753008c

SHA256
b3a0e10c95b28c90cccfc373152bd30ab7da2fb4c0e96409aeeb01d453f36b4a

SHA512
01841cda93aa0ce1a5b1fc65db153902b872b7e9d1030ef8902e086bbeb35649fd742dd96d1aed9cf620692fde6f4e2ccd865dc7a125452ffd16a65918956dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\sizegrip.tcl
Filesize
2KB

MD5
3c8916a58c6ee1d61836e500a54c9321

SHA1
54f3f709698fad020a048668749cb5a09ede35ab

SHA256
717d2edd71076ea059903c7144588f8bbd8b0afe69a55cbf23953149d6694d33

SHA512
2b71569a5a96cac1b708e894a2466b1054c3fae5405e10799b182012141634bd2a7e9e9f516658e1a6d6e9e776e397608b581501a6cfe2eb4ec54459e9ecb267

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\spinbox.tcl
Filesize
4KB

MD5
ebce661f8125f54c7dff9f076fb2bfe2

SHA1
966603a85eadba4e003e8307a7e581cd6839716f

SHA256
7c2ffd7308bdea852851335d5b5eb5dcca0e4d4a0cea16f786b40009ffd58b71

SHA512
35f518e20986ab951ff33091f405ea1647534ccb77c8c36a94b1ab4a973df3ed52355864702b6526888830af8c912105e542027b5d68f81ac2a9f40ad2ba2632

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\treeview.tcl
Filesize
9KB

MD5
5bec78db1a86b4bc17a5108806c5371e

SHA1
4b2b08240f778864c5045f546a620702ae126ccb

SHA256
0e05adf29b616989cb4724e57a26f1044598781f0cc10d5eb5ac4af7d705ddca

SHA512
29dff439bb5caa23f8f38ea136406fa2db68be021068f80bad2e2ec811ae5c5b08f4f287719db946db780122af05654392ea771fb523bdc1569b364689d3ec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\ttk.tcl
Filesize
4KB

MD5
e38b399865c45e49419c01ff2addce75

SHA1
f8a79cbc97a32622922d4a3a5694bccb3f19decb

SHA256
61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6

SHA512
285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\utils.tcl
Filesize
8KB

MD5
f868a26a299885824b14ca28f68039ce

SHA1
e37a1889e6cc215102ec078d0455622415ed8486

SHA256
6c35cd6c7f3ac4be3fe0cc7633dbbde5123155921a441ba702b4347e6f967f34

SHA512
14d8fd30fe670ce4630ce5b7b1e4b04a2a3f97d6483d87d0d7a2b675e880ab75e947820a4babd337452d683e0cbb7b92b4c866af19a8dcd5711016e012d597e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\vistaTheme.tcl
Filesize
9KB

MD5
ad2d78020875529834dd0ea74251e2d3

SHA1
80cc99972a056396dd55e9505ccb02e16462b115

SHA256
ce1a53a769de9e230f586efafd2fb455980b45941e5db553bd3a2f0062b50f3e

SHA512
59ec21a44769fec0b462f0675217882ecf5cbc64056024e4259d91233a1397b4b89957bd474387c992a8753dc9c350fda7e6e5c6e9d29c655d62362a018e2194

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\winTheme.tcl
Filesize
2KB

MD5
8b4813a1c6915fd35b52ac854230bcc1

SHA1
db981087f2a311361446014fadbd8b199d856716

SHA256
05fad058280e7a8947a9f71122b442b92d7d578b4618b08bf0b71b6dac5aa22f

SHA512
e0a69e94aabd725b441d6c4920f1cd54451bcc00090d9319cb55286a46a7f35066d1959de149d900198f777671004f6d8a64e7d31e42f8a76e89ed122a79a9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\xpTheme.tcl
Filesize
2KB

MD5
1026799ffe26aaa8661f64d6f2cbe4dd

SHA1
5cd337feb3130d146134e06c4a1826ba29157e7a

SHA256
ff421674388da5d3a0c687f342f8d1e3c7f247f3cb59d5512b31f91a54a4c318

SHA512
90f1062caa87c0d65aede1d71370ebe35ad90f4033e6077169b7168b4754c0ff46a9f6348f4d907dcf20ab8f63bb6e0d106a05f068c5abeb86d26f5ea00f503c

Download Submit
C:\Users\Admin\Prism Executor.exe
Filesize
5.0MB

MD5
fa819e23d8fee4ea89aaaea55e0b28f5

SHA1
18335d4e0d140dcab66c7197c57f669251898ce5

SHA256
bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c

SHA512
e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

Download Submit
C:\Users\Admin\dllhost.exe
Filesize
78KB

MD5
4a7f75343aaa5a4d8d18add50ccf3139

SHA1
110c62eee6d7deb4aa9d601c942eae43482d2125

SHA256
34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e

SHA512
1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

Download Submit
memory/3220-1102-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/3220-979-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3220-893-0x0000000005E90000-0x0000000005EB2000-memory.dmp

Filesize
136KB

Download
memory/3220-1055-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/3220-1119-0x0000000007B30000-0x0000000007BC2000-memory.dmp

Filesize
584KB

Download
memory/3220-1064-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/3220-1118-0x0000000008BC0000-0x0000000009164000-memory.dmp

Filesize
5.6MB

Download
memory/3220-425-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/3220-1001-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/3220-1103-0x0000000006C80000-0x0000000006C9A000-memory.dmp

Filesize
104KB

Download
memory/4088-1115-0x0000000006CD0000-0x0000000006CEE000-memory.dmp

Filesize
120KB

Download
memory/4088-1125-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/4088-1104-0x0000000006CF0000-0x0000000006D22000-memory.dmp

Filesize
200KB

Download
memory/4088-1105-0x0000000074890000-0x00000000748DC000-memory.dmp

Filesize
304KB

Download
memory/4088-980-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4088-1116-0x0000000007770000-0x0000000007813000-memory.dmp

Filesize
652KB

Download
memory/4088-518-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/4088-1130-0x0000000007CB0000-0x0000000007CB8000-memory.dmp

Filesize
32KB

Download
memory/4088-1121-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/4088-1129-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/4088-1126-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/4088-1127-0x0000000006B00000-0x0000000006B0E000-memory.dmp

Filesize
56KB

Download
memory/4088-1128-0x0000000007C90000-0x0000000007CA4000-memory.dmp

Filesize
80KB

Download
memory/4276-1056-0x000001D4243E0000-0x000001D424402000-memory.dmp

Filesize
136KB

Download
memory/4336-1267-0x0000021530140000-0x000002153015C000-memory.dmp

Filesize
112KB

Download
memory/4336-1268-0x0000021530130000-0x000002153013A000-memory.dmp

Filesize
40KB

Download
memory/4336-1269-0x00000215302A0000-0x00000215302A8000-memory.dmp

Filesize
32KB

Download
memory/4336-1270-0x00000215302B0000-0x00000215302BA000-memory.dmp

Filesize
40KB

Download
memory/4492-33-0x00000000004C0000-0x00000000004DA000-memory.dmp

Filesize
104KB

Download
memory/4492-31-0x00007FFAE3683000-0x00007FFAE3685000-memory.dmp

Filesize
8KB

Download